A fast-spreading worm that attacks both Windows IIS servers and Internet Explorer began wreaking havoc on the Internet on Tuesday morning, Sept. 18, 2001. At first, there was some confusion as to whether this was a hoax or possibly a variant of the Code Red worm. However, Nimda (“admin” spelled backward) is a new and very nimble worm/virus with the potential to be even worse than Code Red.
How Nimda works
Nimda, also known as Readme.exe, W32/Nimda, and the Concept Virus (CV) v.5, goes after IIS servers just as Code Red did, but it does not rely on Code Red's hole: it gets into IIS through an older directory traversal flaw and through the back doors Code Red II left behind, and it spreads by several other mechanisms as well. It can infect both workstations and servers running any version of Windows from Win95 on up.
According to CERT CA-2001-26, Nimda can spread in several ways:
- Client to client via e-mail
- Client to client via open network shares
- From Web server to client via browsing of compromised Web sites
- From client to Web server via active scanning for and exploitation of the “Microsoft IIS 4.0/5.0 directory traversal” vulnerability (VU #111677)
- From client to Web server via scanning for the back doors left behind by the Code Red II (IN-2001-09), and sadmind/IIS (CA-2001-11) worms
Fortunately, Nimda carries no deliberately destructive payload; the changes it makes to a system (modified Web content and copies of itself dropped on disk) exist to propagate it further.
Nimda appears to spread mainly as a two-part MIME e-mail message. The first part purports to be a text file but contains no text. The second part is labeled with the MIME type audio/x-wav but is actually a binary executable named Readme.exe. It runs without a click thanks to a vulnerability (CERT CA-2001-06, fixed by MS01-020) in Internet Explorer 5.5 SP1 and earlier: an e-mail client that renders messages with an unpatched IE trusts the declared audio type and executes the attachment automatically as soon as the message is opened or previewed.
The subject line of the e-mail varies, but the attached file has (so far) been a constant 57,344 bytes. That makes size a useful quick filter at the mail gateway, though not a signature to rely on, since any variant would change it.
The payload also scans for the server back doors left by Code Red II and tries to mail copies of itself to every address in the infected machine's Windows address book.
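The mismatch described above (an executable declared as audio/x-wav) is exactly what a mail gateway can check for. The following is an added example, not code from the article or from CERT: it builds a constructed two-part MIME message in the shape the article describes, with an inert MZ-header stub padded to the article's 57,344-byte length standing in for Readme.exe, then flags attachments whose declared type contradicts their file name or their actual bytes. The rule names and the sample message are this example's own.

```python
"""Mail-gateway check for the Nimda-style attachment described above.

Added example; not code from the original article or from CERT. The
message below is constructed for illustration: a two-part MIME mail whose
first part claims to be text but is empty, and whose second part is
declared audio/x-wav yet carries an executable named readme.exe. The
"executable" is an inert stub (an MZ header padded to the 57,344-byte
length quoted in the article), not the worm.
"""
import base64
import email
import os
from email import policy

NIMDA_ATTACHMENT_SIZE = 57_344
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Constructed stub: "MZ" is the DOS/PE executable magic; the rest is padding.
_STUB_EXE = b"MZ".ljust(NIMDA_ATTACHMENT_SIZE, b"\x00")

# Constructed sample message (boundary and addresses are made up).
SAMPLE_MESSAGE = (
    b"From: someone@example.org\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: desktops\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="====_constructed_boundary"\r\n'
    b"\r\n"
    b"--====_constructed_boundary\r\n"
    b'Content-Type: text/plain; charset="us-ascii"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"\r\n"  # the "text" part carries no text
    b"--====_constructed_boundary\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(_STUB_EXE).replace(b"\n", b"\r\n")
    + b"--====_constructed_boundary--\r\n"
)


def suspicious_attachments(raw: bytes) -> list:
    """Return one finding per body part whose declared type does not fit its content.

    Each finding is a dict with the file name, the declared content type,
    the decoded size, and the list of rule names that fired.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()            # what the sender claims
        filename = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""   # what was actually sent
        ext = os.path.splitext(filename.lower())[1]
        rules = []
        # Rule 1: an executable file name hidden behind a non-executable MIME type.
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            rules.append("executable-extension")
        # Rule 2: the bytes are a DOS/PE executable, whatever the headers say.
        if body[:2] == b"MZ":
            rules.append("executable-magic")
        # Rule 3: weak indicator only; the article's fixed size, which a variant would change.
        if len(body) == NIMDA_ATTACHMENT_SIZE:
            rules.append("nimda-size")
        if rules:
            findings.append({"filename": filename, "declared": declared,
                             "size": len(body), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"{f['filename']!r} declared {f['declared']}, "
              f"{f['size']} bytes: {', '.join(f['rules'])}")
```

Rules 1 and 2 are the ones worth keeping in a gateway: they catch any executable disguised by its Content-Type, not just this worm. Rule 3 is there to show why a size match is only a quick filter.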
Assessing the damage
Risk—High, with the important note that if you have been applying the IIS patches as they come out, this worm cannot get into your servers through its IIS vectors: the directory traversal hole is closed, and a server that was patched before Code Red II arrived has no back door for it to find. The e-mail and file-share vectors still have to be covered separately.
Impact—Denial of service conditions may arise from the sheer volume of e-mail and scanning traffic this worm generates, but it does not appear to target specific systems with a DoS attack. If it finds a back door left by an earlier attack that has not yet been closed, it uses it to copy itself in, and a server that still has such a back door will also let any other attacker run arbitrary code on it.
The payload modifies every file it finds with an .htm, .html, or .asp extension (Web content files), appending a script that loads the worm's README.EML copy; a visitor whose browser has the same unpatched MIME flaw is then infected simply by viewing a page on the compromised server.
The worm also copies itself, renamed README.EML, into every directory it can write to.
You can make a quick-and-dirty preliminary determination as to whether a system is infected by searching its drives for README.EML. A legitimate saved message might account for one copy, but copies scattered across many directories are a strong sign of infection.
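The quick check above can be scripted. What follows is an added example, not code from the article: it walks a directory tree and reports both on-disk traces described here, copies of README.EML in any letter case and .htm/.html/.asp files carrying the JavaScript the worm appends, which opens readme.eml in a hidden window (the snippet is the one documented in CERT CA-2001-26). The sample tree it scans is constructed in a temporary directory for the demonstration; nothing in it is the worm.

```python
"""Host triage for the two on-disk traces the article describes.

Added example; not code from the original article. scan_tree() walks a
directory and returns (a) every file named README.EML, in any letter case,
and (b) every .htm/.html/.asp file that contains the worm's appended
window.open("readme.eml", ...) script. The sample tree is constructed in a
temp directory purely for the demonstration.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# The appended script opens readme.eml; match that call regardless of case,
# quoting style or whitespace rather than the whole snippet byte-for-byte.
INJECTED_RE = re.compile(rb'window\.open\(\s*["\']readme\.eml["\']', re.IGNORECASE)


def scan_tree(root):
    """Return (eml_copies, modified_pages) as sorted lists of paths relative to root."""
    root = Path(root)
    eml_copies, modified_pages = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            if name.lower() == "readme.eml":
                eml_copies.append(rel)
            elif path.suffix.lower() in WEB_EXTENSIONS:
                try:
                    data = path.read_bytes()
                except OSError:          # unreadable file: skip, do not abort the scan
                    continue
                if INJECTED_RE.search(data):
                    modified_pages.append(rel)
    return sorted(eml_copies), sorted(modified_pages)


def build_sample_tree():
    """Constructed sample: two planted README.EML copies, one tampered page,
    one clean page, and an unrelated .eml file that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="nimda-triage-"))
    www = root / "inetpub" / "wwwroot"
    www.mkdir(parents=True)
    (www / "README.EML").write_bytes(b"MIME-Version: 1.0\r\n")
    (www / "default.htm").write_bytes(
        b"<html><body>hello</body></html>"
        b'<html><script language="JavaScript">window.open("readme.eml", null, '
        b'"resizable=no,top=6000,left=6000")</script></html>'
    )
    (www / "about.html").write_bytes(b"<html><body>clean</body></html>")
    (root / "temp").mkdir()
    (root / "temp" / "readme.eml").write_bytes(b"MIME-Version: 1.0\r\n")
    (root / "mail").mkdir()
    (root / "mail" / "invoice.eml").write_bytes(b"From: a@example.org\r\n")
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the scan result."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    emls, pages = demo()
    print("README.EML copies:", emls)
    print("pages with injected script:", pages)
```

On a real host you would point scan_tree() at each drive root; a hit list longer than one entry, or any modified page, means treat the machine as compromised rather than cleaned.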
CERT reports that the only safe way to remove this worm is to reformat the infected drives and reinstall system software and then apply all Microsoft security patches. Cumulative IIS 4.0 and 5.0 patches are found at MS01-044, which patches five vulnerabilities. IE patches that correct the way false MIME headers can cause Internet Explorer to automatically run an attachment are posted at MS01-020.
This is the first worm/virus I learned about from television, specifically CNBC, which was reporting the problem early Tuesday morning. This is a strong indication that security has come to the forefront in the mind-set of businesses and the media.
We have entered a new era in which companies, the public, and the business press will be focusing on all aspects of security, including how well we, as security specialists, do our jobs. This poses both problems and opportunities as we are called upon to explain threats and prepare for new ones.
Have you been hit by Nimda?
How has it affected your company? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.