The Nimda Worm

The Nimda Worm

2001.09.18

Nimda came out of nowhere on September 18, 2001. It targets Windows computers, using individual networked PCs to infect NT-base servers running IIS. A Windows PC can become infected by opening or previewing an infected email, visiting a site on an infected server, or simply being on the same network as another infected Windows machine.

Windows servers can be infected by another server or PC on the same network or connecting over the Internet. Once a computer is infected, it will scan for other machines to infect. Once a server is infected, it will serve infected pages to visitors.

It may also be spreading via IRC and FTP.

Although Nimda can only infect Windows PCs, it can cripple servers running any operating system by hitting them persistently. As of 9:00 p.m. on Sept. 18, our Web log showed Low End Mac's Linux-based server had been hit almost 8,000 times:

989: /scripts/..%255c../winnt/system32/cmd.exe
988: /scripts/..%5c../winnt/system32/cmd.exe
500: /scripts/root.exe
499: /msadc/root.exe
498: /c/winnt/system32/cmd.exe
498: /d/winnt/system32/cmd.exe
497: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
496: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
495: /scripts/winnt/system32/cmd.exe
495: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
495: /scripts/..%c1%1c../winnt/system32/cmd.exe
494: /scripts/..%c0%af../winnt/system32/cmd.exe
493: /scripts/..%252f../winnt/system32/cmd.exe
493: /scripts/..%c1%9c../winnt/system32/cmd.exe

We received out first email with Nimda at 11.18 a.m. Here's the opening part of that message:

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
	boundary="====_ABC0987654321DEF_===="
         
--====_ABC0987654321DEF_====
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
         
         
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
         
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
	name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

If you're setting up a filter, have it look for name="readme.exe" as a good place to start in separating Nimda from other incoming email.

The Nimda worm seeks out Windows servers running IIS. As the log indicates, Nimda is looking for cmd.exe and/or root.exe.

Links

About LEM Support Usage Privacy Contact

Low End Mac is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple Inc. Opinions expressed are those of their authors and may not reflect the opinion of Cobweb Publishing. Advice is presented in good faith, but what works for one may not work for all.
  Entire Low End Mac website copyright ©1997-2016 by Cobweb Publishing, Inc. unless otherwise noted. All rights reserved. Low End Mac, LowEndMac, and lowendmac.com are trademarks of Cobweb Publishing Inc. Apple, the Apple logo, Macintosh, iPad, iPhone, iMac, iPod, MacBook, Mac Pro, and AirPort are registered trademarks of Apple Inc. Additional company and product names may be trademarks or registered trademarks and are hereby acknowledged.
  Please report errors to .
  LINKS: We allow and encourage links to any public page as long as the linked page does not appear within a frame that prevents bookmarking it.
  Email may be published at our discretion unless marked "not for publication"; email addresses will not be published without permission, and we will encrypt them in hopes of avoiding spammers. Letters may be edited for length, context, and to match house style.
  PRIVACY: We don't collect personal information unless you explicitly provide it, and we don't share the information we have with others. For more details, see our Terms of Use.