Nimda

2001-09-18 (Last Modified: 2001-09-18)

Jim Olson of Cyberjunkees sent the following information to the NANOG list regarding the newest and potentially most dangerous Microsoft IIS worm, Nimda:

“This is the information i’ve collected thus far on W32.nimda:

W32.nimda is NOT a code red variant, and the people who referring to it as “Code Blue” were mistaken…

The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT and 2000 server’s to infect a server, and also employ’s email and web site mobile code to infect Windows 9x/ME/NT/2k boxes.

During the initial infection of a server, the worm does the following:
– download a file named “admin.dll” via tftp from the system that istrying to infect the target
– add the guest account to the local administrators group and activates the account
– makes sure c$ is shared out
– copies itself to c, d, and e drives
– tries to mail itself to email addresses that it discovers on the server
– creates a file named readme.exe, which is used in the mobile code inserted on the web sites below
– add this string to the web pages found on the server:
– scans for and infects other vulnerable IIS servers
– goes through all shared directories and puts sample.nws,
sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
– goes through all shared directories and puts riched20.dll in each directory, which is a trogan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
– puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above “readme.exe” format (win2000 only)

If a user views a web site that is hosted on an infected server, the following happens:
– upon viewing an infected page, the mobile code extracts to readme.exe and starts in windows media player (without user intervention)
– the user’s machine becomes infected with W32.nimda at this point and time
– the worm starts scanning for other vulnerable IIS servers
– the worm emails itself to everyone on the user’s address book
– goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
– goes through all shared directories and puts riched20.dll in each directory, which is a trogjan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
– puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above “readme.exe” format (win2000 only)

It us unknown to me what happens (at this point in time) if a user opens an attachment that is sent from an infected site. It is possible that it could automatically infect the user’s computer using the same methods mentioned above.

EVERYONE who uses internet explorer to browse the internet should probably do one of two things to stop from being automatically infected by W32.nimda (i have not tested whether or not turning off javascript fixes the problem):
o) don’t browse web pages until microsoft releases a patch
o) turn OFF javascript

EVERYONE who uses outlook/outlook express should, at the very least, not open any attachments that they are not expecting. Turning off auto-preview might be a good idea as well.

Slashdot has an article discussing this.”