The Virus Page

The Nimda Worm

Dan Knight - 2001.09.18

Nimda came out of nowhere on September 18, 2001. It targets Windows computers, using individual networked PCs to infect NT-based servers running IIS. A Windows PC can become infected by opening or previewing an infected email, visiting a site on an infected server, or simply being on the same network as another infected Windows machine.

Windows servers can be infected by another server or PC on the same network or connecting over the Internet. Once a computer is infected, it will scan for other machines to infect. Once a server is infected, it will serve infected pages to visitors.

It may also be spreading via IRC and FTP.

Although Nimda can only infect Windows PCs, it can cripple servers running any operating system by hitting them persistently. As of 9:00 p.m. on Sept. 18, the web log of Low End Mac's (our sister site) Linux-based server showed it had been hit almost 8,000 times:

989: /scripts/..%255c../winnt/system32/cmd.exe
988: /scripts/..%5c../winnt/system32/cmd.exe
500: /scripts/root.exe
499: /msadc/root.exe
498: /c/winnt/system32/cmd.exe
498: /d/winnt/system32/cmd.exe
497: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
496: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
495: /scripts/winnt/system32/cmd.exe
495: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
495: /scripts/..%c1%1c../winnt/system32/cmd.exe
494: /scripts/..%c0%af../winnt/system32/cmd.exe
493: /scripts/..%252f../winnt/system32/cmd.exe
493: /scripts/..%c1%9c../winnt/system32/cmd.exe
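The requests above are easy to pick out of an access log once the percent-encoding is undone: every one of them ends in cmd.exe or root.exe, and most reach it through double-encoded (%255c) or overlong-UTF-8 (%c0%af, %c1%1c, %c1%9c) directory traversal. The following script is an added example, not part of this article; it assumes Apache-style request lines, and the sample log entries it contains are constructed rather than taken from the Low End Mac server.

```python
# Added example, not from the original article: pick Nimda-style probes out
# of an access log. Assumes Apache-style request lines; the sample log below
# is constructed and is not real traffic from the Low End Mac server.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample entries (Apache common log format is assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:20:59:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:20:59:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 285
10.0.0.9 - - [18/Sep/2001:20:59:03 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 291
192.168.1.20 - - [18/Sep/2001:20:59:04 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [18/Sep/2001:20:59:05 -0500] "GET /msadc/root.exe HTTP/1.0" 404 284
10.0.0.9 - - [18/Sep/2001:20:59:06 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 291
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Executables the worm asks for, as seen in the log above.
NIMDA_TARGETS = ("cmd.exe", "root.exe")
# Overlong UTF-8 encodings of '/' and '\' seen in the log above.
OVERLONG_SEQUENCES = ("%c0%af", "%c1%1c", "%c1%9c")


def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so that double-encoded traversal
    such as '..%255c..' becomes '..\\..'; lower-case the result for matching."""
    for _ in range(max_rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path.lower()


def classify(path):
    """Return a label for a Nimda-style probe, or None for ordinary traffic."""
    norm = normalize_path(path).split("?", 1)[0]
    basename = norm.replace("\\", "/").rsplit("/", 1)[-1]
    if basename not in NIMDA_TARGETS:
        return None
    if any(seq in path.lower() for seq in OVERLONG_SEQUENCES):
        return "nimda:unicode-traversal"
    if ".." in norm:
        return "nimda:traversal"
    return "nimda:direct"


def scan_log(text):
    """Count probes per (source IP, label) and per raw request path."""
    by_source = Counter()
    by_path = Counter()
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify(m.group("path"))
        if label is None:
            continue
        by_source[(line.split(" ", 1)[0], label)] += 1
        by_path[m.group("path")] += 1
    return by_source, by_path


if __name__ == "__main__":
    sources, paths = scan_log(SAMPLE_LOG)
    for (ip, label), n in sources.most_common():
        print(f"{n:4d} {ip:15s} {label}")
    # Same shape as the tally in the article: count, then the requested path.
    for path, n in paths.most_common():
        print(f"{n:4d}: {path}")
```

Decoding is bounded to three rounds on purpose: the probes only double-encode, and decoding without limit would turn a literal "%25" in an innocent URL into something the server never saw. The overlong sequences are matched on the raw request, since they do not decode to a valid character.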

We received our first email with Nimda at 11:18 a.m. Here's the opening part of that message:

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
	boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
	name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

If you're setting up a filter, have it look for name="readme.exe" as a good place to start in separating Nimda from other incoming email.
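The message above has three tells that a filter can check together: an attachment named readme.exe, a Content-Type (audio/x-wav) that does not match an executable, and a zero-size iframe that loads that attachment by its Content-ID. The script below is an added example and not part of this article; it uses Python's standard email parser, generalizes the name check to a short list of executable extensions (the article's sample uses only .exe), and builds a message modelled on the excerpt. The outer multipart/related header, the envelope headers and the base64 payload are assumptions, since the page shows only the opening of the message.

```python
# Added example, not from the original article: flag a message that matches
# the Nimda pattern shown above. The outer multipart/related header, the
# envelope headers and the base64 payload are assumptions; the page only shows
# the opening of the message.
import re
from email import policy
from email.parser import BytesParser

# Constructed message modelled on the excerpt above (not the real sample).
NIMDA_STYLE_MESSAGE = b"""\
From: someone@example.invalid
To: user@example.invalid
Subject: (no subject)
MIME-Version: 1.0
Content-Type: multipart/related;
\tboundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
\tboundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
\tcharset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
\tname="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

Tm90IGEgcmVhbCBleGVjdXRhYmxlLg==
--====_ABC1234567890DEF_====--
"""

# Constructed ordinary message, used to show the filter stays quiet.
CLEAN_MESSAGE = b"""\
From: someone@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Just a plain text note.
"""

# Extensions treated as executable; the article's sample uses only .exe.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
# Matches an iframe whose src is a cid: reference to another MIME part.
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^"\'\s>]+)', re.I)


def classify_message(raw):
    """Return a list of reasons to quarantine; empty for an ordinary message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    iframe_cids = set()
    attachments = []  # (content-id, filename, content-type)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            # get_content() undoes the quoted-printable encoding for us.
            iframe_cids.update(IFRAME_CID_RE.findall(part.get_content()))
            continue
        name = part.get_filename() or ""  # falls back to Content-Type name=
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        attachments.append((cid, name, ctype))
    reasons = []
    for cid, name, ctype in attachments:
        if not name.lower().endswith(EXEC_EXTENSIONS):
            continue
        reasons.append("executable-attachment:" + name)
        if not ctype.startswith("application/"):
            reasons.append("mismatched-content-type:" + ctype)
        if cid and cid in iframe_cids:
            reasons.append("auto-loaded-via-iframe:" + cid)
    return reasons


if __name__ == "__main__":
    print(classify_message(NIMDA_STYLE_MESSAGE))
    print(classify_message(CLEAN_MESSAGE))
```

Checking the Content-Type against the file name catches the mislabelled attachment even if the worm's file name changed, and the cid: check singles out the part a preview pane would load without any click.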

The Nimda worm seeks out Windows servers running IIS. As the log above shows, its probes request cmd.exe and/or root.exe, mostly through directory-traversal paths.
