Nimda came out of nowhere on September 18, 2001. It targets Windows computers, using individual networked PCs to infect NT-base servers running IIS. A Windows PC can become infected by opening or previewing an infected email, visiting a site on an infected server, or simply being on the same network as another infected Windows machine.

Windows servers can be infected by another server or PC on the same network or connecting over the Internet. Once a computer is infected, it will scan for other machines to infect. Once a server is infected, it will serve infected pages to visitors.

It may also be spreading via IRC and FTP.

Although Nimda can only infect Windows PCs, it can cripple servers running any operating system by hitting them persistently. As of 9:00 p.m. on Sept. 18, the Web log showed Low End Mac's (our sister site) Linux-based server had been hit almost 8,000 times:

989: /scripts/..%255c../winnt/system32/cmd.exe
988: /scripts/..%5c../winnt/system32/cmd.exe
500: /scripts/root.exe
499: /msadc/root.exe
498: /c/winnt/system32/cmd.exe
498: /d/winnt/system32/cmd.exe
497: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
496: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
495: /scripts/winnt/system32/cmd.exe
495: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
495: /scripts/..%c1%1c../winnt/system32/cmd.exe
494: /scripts/..%c0%af../winnt/system32/cmd.exe
493: /scripts/..%252f../winnt/system32/cmd.exe
493: /scripts/..%c1%9c../winnt/system32/cmd.exe

We received out first email with Nimda at 11:18 a.m. Here's the opening part of that message:

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
	boundary="====_ABC0987654321DEF_===="
         
--====_ABC0987654321DEF_====
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
         
         
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
         
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
	name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

If you're setting up a filter, have it look for name="readme.exe" as a good place to start in separating Nimda from other incoming email.

The Nimda worm seeks out Windows servers running IIS. As the log indicates, Nimda is looking for cmd.exe and/or root.exe.

Links

• Nimda worm runs riot on IT sites, John Leyden, The Register, 2001:09:20. Yes, as usual, Microsoft's own servers got infected. ;-)
• Nimda worm and the Mac, MacFixIt, 2001:09:20. Amazing Nimda worm can put files on Macs.
• W32.Nimda.A@mm, Symantec Security Response, 2001:09:18.
• W32/Nimda.A@mm, McAfee Virus Alert, 2001:09:18. "This threat can infect all unprotected users of Win9x/NT/2000/ME."
• Virulent Nimda computer worm hits worldwide, Yahoo/Reuters, 2001:09:18. As of 9:00 p.m. Tuesday, Low End Mac's Linux-based server had been hit nearly 8,000 times.
• Nimda worm strikes Net, e-mail, c|net, 2001:09:18. "It's all automated." Nice graph shows impact of Nimda on Internet.
• Code Red-based email worm breaks out, The Register, 2001:09:18. Nimda shows up with random subject line, readme.exe attachment, HTML file, attacks IIS servers. Macs, Unix, Linux immune.
• New virus downloads itself from Web pages, ZDNet UK, 2001:09:18. "The Nimda virus uses every trick in the book to spread, say virus experts...."
• Scary hybrid Internet worm loose, Michelle Delio, Wired, 2001:09:18. "A new e-mail and server worm that appears to be a retooled combination of several other successful worms...."
• New (more) annoying Microsoft worm hits Net, Slashdot, 2001:09:18. Attacks each IP with 16 different requests.

Low End PC (LEPC) launched September 2001. The entire LEPC site copyright ©2001-2003 by Cobweb Publishing, Inc., unless otherwise noted. Copyright of individual articles resides with the author. All rights reserved.
  Advice presented in good faith, but what works for one may not work for all. Computers are like that. Please report errors to the webmaster.
  Letters sent to LEPC may be published at our discretion. Email addresses will not be published unless specifically requested. If you prefer that your message not be published, clearly mark it "not for publication." Letters may be edited for length, context, and to match house style.
  LINK POLICY: This site allows and encourages links to any public page, so long as the linked page does not appear within a frame that prevents bookmarking the linked page.
  PRIVACY POLICY: In brief, we don't collect any personal information unless you explicitly provide it.
  Low End PC is an independent publication and has not been authorized, sponsored, or otherwise approved by Microsoft, Intel, or anyone else. Many company and product names may be trademarks or registered trademarks of the individual companies and are hereby acknowledged.
  For more details, see our Terms of Use.