| Name | Win32.Nimda |
| Threat Level |  |
| Alias | W32/Nimda@MM, W32.Nimda.A@mm, TROJ_NIMDA.A |
| Date | 19 September, 2001 |
| Type | Win32, Trojan, Worm |
| Damage | Create Files, Modify Files, Slows PC, Other |
| Platform | 95, 98, ME, NT, 2000 |
| Analysis |
This vandal carries several types of payload and attacks with several methods. It originally arrives as an email attachment that auto-runs by using a known exploit of Outlook and Outlook Express known as the spoofed audio/x-wav file type method. The arriving email attachment is README.EXE, but this attachment is invisible to the user due to the exploit it uses. It will run automatically when the message is viewed!
The vandal has the following malicious activity:
1. Replaces the Windows file RICHED20.DLL with a copy of itself, so that the vandal runs whenever that library would have been loaded.
2. Adds the entry Shell = explorer.exe load.exe -dontrunold to the System.ini file.
3. Copies itself as LOAD.EXE to %Window\System%\load.exe - this would usually be the C:\Windows\System directory.
4. Copies itself as a file named MEP*.TMP.EXE in the Windows Temp directory.
5. Searches Outlook and Outlook Express for email addresses and sends itself by using its own SMTP engine. The sent email will have a random subject line and no main body. The attachment will be a spoofed WAV file named README.EXE and will not normally be visible.
Microsoft has published a patch to address the Outlook and Outlook Express issue; it can be found here.
6. The vandal will search for unpatched IIS Web servers and attempt to infect them by using an exploit known as the "Web Server Traversal" exploit. It would copy itself on Windows Servers as a file named ADMIN.DLL, which is a FrontPage extensions file normally found on IIS servers. It would infect Web pages on the infected Web servers by adding JavaScript code to HTML documents with the extensions .HTM, .HTML and .ASP as well as pages named INDEX, MAIN and DEFAULT. Opening infected pages will execute the script, which will open a new browser window with the README.EML copy of the code. Viewing this window infects the local or remote system.
Microsoft published information about the "Web Server Folder Traversal" exploit here.
7. When running on an infected Web server it will scan for a backdoor created by CodeRed.C and try to exploit compromised servers.
8. On infected Windows Servers, when running as ADMIN.DLL it will search for all EXE files and infect them. This is dangerous if it happens on a Web server especially if that server also functions as an FTP server. It raises the risk that downloaded executable files from the FTP server will be infected.
9. It opens a share for the hard drives, executes itself over the infected systems and allows remote access to the infected PC.
10. On Windows NT and 2000 it will enable the Guest account and add it to the Administrators group. This can allow virtually full access to the infected PC.
11. It creates numerous copies of itself in numerous folders with the file extensions EML and NWS.
12. It replaces various other files on the infected system with a copy of itself. On servers it usually replaces MMC.EXE which is the Microsoft Management Console.
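As an added triage example (not part of this advisory or of the eSafe tools), the following Python script checks a host for three of the indicators listed above: the System.ini Shell= entry from item 2, the script injected into web pages from item 6, and the scattered EML/NWS copies from item 11. All sample inputs are constructed here, not captured from an infection.

```python
import re
from pathlib import Path

# Host-side indicators taken from items 2, 6 and 11 of the analysis above.
# Shell= line that the worm writes into system.ini (item 2).
SHELL_RE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\b", re.I | re.M)
# <script> block that opens the README.EML copy of the worm in a new window (item 6).
INJECT_RE = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.I)
WEB_EXT = {".htm", ".html", ".asp"}      # page types the worm modifies
DROPPED_EXT = {".eml", ".nws"}           # extensions of the scattered copies (item 11)

def systemini_hooked(text: str) -> bool:
    """True if system.ini loads load.exe -dontrunold through the Shell= entry."""
    return SHELL_RE.search(text) is not None

def injected_pages(pages: dict) -> list:
    """Names of web pages (selected by extension) that carry the README.EML script.
    `pages` maps file name -> HTML text."""
    return sorted(name for name, body in pages.items()
                  if Path(name).suffix.lower() in WEB_EXT and INJECT_RE.search(body))

def dropped_copies(names) -> list:
    """File names with the EML/NWS extensions the worm uses for its copies."""
    return sorted(n for n in names if Path(n).suffix.lower() in DROPPED_EXT)

def triage(system_ini: str, pages: dict, listing) -> list:
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    if systemini_hooked(system_ini):
        findings.append("system.ini: Shell= runs load.exe -dontrunold")
    for page in injected_pages(pages):
        findings.append(f"web page {page}: README.EML script injected")
    for copy in dropped_copies(listing):
        findings.append(f"dropped copy: {copy}")
    return findings

# Constructed sample inputs (not captured from a real infection).
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\nmouse.drv=mouse.drv\n"
SAMPLE_PAGES = {
    "default.htm": '<html><body>Welcome</body>\n'
                   '<script language="JavaScript">window.open("readme.eml")</script></html>',
    "about.html": "<html><body>Clean page, nothing appended</body></html>",
    "notes.txt": "<script>readme.eml</script>",  # not a web page type; ignored
}
SAMPLE_LISTING = ["readme.eml", "desktop.nws", "report.doc", "README.EML"]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_SYSTEM_INI, SAMPLE_PAGES, SAMPLE_LISTING)))
```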
If you were infected
A free cleaning utility is now available to remove all versions of Nimda from infected PCs. The utility is available from here.
eSafe Users
A new vandal/virus update is available.
Note: eSafe Desktop and Enterprise can scan and remove this vandal from infected PCs.
For users of eSafe Enterprise/Desktop and eSafe Gateway 2.1, an update is available from here.
Note to eSafe Gateway 2.1 users:
Support for Gateway 2.1 will be terminated on December 31, 2001. Please contact your local reseller to upgrade to the latest version of eSafe Gateway 3.0. More information about version 3 can be found here.
eSafe Gateway 3 and eSafe Mail users can use the "Update now" option from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial versions are available from here.
|