Dan Knight
- 2001.09.18
Nimda came out of nowhere on September 18, 2001. It targets Windows
computers, using individual networked PCs to infect NT-based servers
running IIS. A Windows PC can become infected by opening or previewing
an infected email, visiting a site on an infected server, or simply
being on the same network as another infected Windows machine.
Windows servers can be infected by another server or PC on the same
network or connecting over the Internet. Once a computer is infected,
it will scan for other machines to infect. Once a server is infected,
it will serve infected pages to visitors.
It may also be spreading via IRC and FTP.
Although Nimda can only infect Windows PCs, it can cripple servers
running any operating system by hitting them persistently. As of 09.00
p.m. on Sept. 18, the Web log showed Low End Mac's
(our sister site) Linux-based server had been hit almost 8,000
times:
989: /scripts/..%255c../winnt/system32/cmd.exe
988: /scripts/..%5c../winnt/system32/cmd.exe
500: /scripts/root.exe
499: /msadc/root.exe
498: /c/winnt/system32/cmd.exe
498: /d/winnt/system32/cmd.exe
497: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
496: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
495: /scripts/winnt/system32/cmd.exe
495: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
495: /scripts/..%c1%1c../winnt/system32/cmd.exe
494: /scripts/..%c0%af../winnt/system32/cmd.exe
493: /scripts/..%252f../winnt/system32/cmd.exe
493: /scripts/..%c1%9c../winnt/system32/cmd.exe
We received our first email with Nimda at 11.18 a.m. Here's the
opening part of that message:
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
If you're setting up a filter, have it look for name="readme.exe" as
a good place to start in separating Nimda from other incoming
email.
The Nimda worm seeks out Windows servers running IIS. As the log
indicates, Nimda is looking for cmd.exe and/or root.exe.
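The tally above can be reproduced from an ordinary web server access log. The following script is an added example, not part of the original article or Low End Mac's own tooling: it parses Common Log Format lines (a constructed sample using the request paths from the list above), decodes the double-encoded and overlong-UTF-8 ".." forms so that a request for cmd.exe or root.exe is recognised however it is disguised, and prints a per-path hit count in the same shape as the log excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format, using request
# paths from the article's hit list; not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:21:00:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:21:00:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:21:00:03 -0500] "GET /scripts/root.exe HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:21:00:04 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:21:00:05 -0500] "GET /msadc/root.exe HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:21:00:06 -0500] "GET /index.html HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')
# Encoded '..\' and '../' forms seen in the article's log: double-encoded
# backslash and slash, plus overlong UTF-8 encodings of those separators.
TRAVERSAL_RE = re.compile(r'(%255c|%5c|%252f|%c0%af|%c1%1c|%c1%9c)\.\./', re.I)
TARGET_RE = re.compile(r'/(cmd|root)\.exe$', re.I)

def decode_fully(path, limit=3):
    """Percent-decode until stable, so %255c -> %5c -> backslash is seen as a separator."""
    for _ in range(limit):
        decoded = unquote(path)  # invalid UTF-8 such as %c0%af becomes U+FFFD
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_nimda_probe(path):
    """A probe is any request whose decoded path ends in cmd.exe or root.exe."""
    return TARGET_RE.search(decode_fully(path).split("?", 1)[0]) is not None

def uses_encoded_traversal(path):
    """True when the raw path carries one of the encoded '..' forms above."""
    return TRAVERSAL_RE.search(path) is not None

def tally_probes(log_text):
    """Count probe requests per raw path, in the shape of the article's hit list."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_nimda_probe(m.group("path")):
            hits[m.group("path")] += 1
    return hits

if __name__ == "__main__":
    for path, n in tally_probes(SAMPLE_LOG).most_common():
        flag = " (encoded traversal)" if uses_encoded_traversal(path) else ""
        print(f"{n}: {path}{flag}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a handful of these hits from one source address is the signature to alert on, since the paths are invalid on any non-IIS server.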
Links
- Nimda worm runs riot on IT sites, John Leyden, The Register, 2001.09.20. Yes, as usual, Microsoft's own servers got infected. ;-)
- Nimda worm and the Mac, MacFixIt, 2001.09.20. Amazing Nimda worm can put files on Macs.
- W32.Nimda.A@mm, Symantec Security Response, 2001.09.18.
- W32/Nimda.A@mm, McAfee Virus Alert, 2001.09.18. "This threat can infect all unprotected users of Win9x/NT/2000/ME."
- Virulent Nimda computer worm hits worldwide, Yahoo/Reuters, 2001.09.18. As of 09.00 p.m. Tuesday, Low End Mac's Linux-based server had been hit nearly 8,000 times.
- Nimda worm strikes Net, e-mail, Cnet, 2001.09.18. "It's all automated." Nice graph shows impact of Nimda on Internet.
- Code Red-based email worm breaks out, The Register, 2001.09.18. Nimda shows up with random subject line, readme.exe attachment, HTML file, attacks IIS servers. Macs, Unix, Linux immune.
- New virus downloads itself from Web pages, ZDNet UK, 2001.09.18. "The Nimda virus uses every trick in the book to spread, say virus experts...."
- Scary hybrid Internet worm loose, Michelle Delio, Wired, 2001.09.18. "A new e-mail and server worm that appears to be a retooled combination of several other successful worms...."
- New (more) annoying Microsoft worm hits Net, Slashdot, 2001.09.18. Attacks each IP with 16 different requests.