Nimda Virus Tracking

By csroadrunner ·
I am running an online catalog on the W2K platform. The system keeps getting hit with the Nimda32 virus. It does not invade the operating system or database. Is there any way I can trace it to the source?

Nimda Virus Tracking

by Joseph Moore In reply to Nimda Virus Tracking

First, read the Symantec write-up on Nimda:
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
(please remove any spaces)

Now, Nimda spreads 3 different ways, 1) by e-mail attachment, 2) over network shares, & 3) it infects unpatched IIS web servers.
Now, if your server keeps getting hit with Nimda, then you probably still need the updated patch that prevents the Unicode Directory Traversal Vulnerability. This is a Microsoft patch that prevents Nimda infection over IIS. The patch is here:
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
(again, remove any spaces)

Lastly, if you ARE getting hit with Nimda via the IIS vulnerability the patch fixes, then you could just check your IIS log files for the Nimda infection routine. Open your IIS logs, and look for something similar to the following:

WWW.YOURWEBSITE.COM/scripts/..\../winnt/system32/cmd.exe?/c+dir

or

WWW.YOURWEBSITE.COM//_vti_bin/..\../..\../..\../winnt/system32/cmd.exe?/c+dir

or

WWW.YOURWEBSITE.COM//scripts/../../winnt/system32/cmd.exe?/c+dir

Those are Nimda connection attempts (I pulled them from my web server's logs). Now, I am patched for Nimda, so they fail, but this is the type of stuff you will see in the logs when a Nimda attempt occurs. In your IIS log files, you will also have the IP address of the machine that sent this request to your web server.

Now, you need to keep in mind that these connection attempts by Nimda are not necessarily malicious. It could be that the machine that is running Nimda on it (trying to infect your machine) does not know it is infected. You can be innocently infected, and your machine would be trying to infect others with Nimda. This is how Nimda works. Once it infects a machine, it tries to infect other machines, all with the owner of the machine totally unaware of what is happening.

hope this helps
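The log check described in the reply above, written out as an added example (this is not code from the original thread or from either poster): a Python script that parses an IIS W3C extended log, flags requests that combine a directory-traversal sequence with a cmd.exe target, and tallies the client IPs that sent them. It also reports any such probe that got a 2xx response, since a patched server answers these with an error and a success code means the traversal worked. The embedded sample log is constructed for this example; the #Fields layout, the addresses, and the set of encoded traversal tokens in TRAVERSAL_RE are assumptions, not taken from the original post.

```python
"""Scan an IIS W3C extended log for Nimda-style cmd.exe traversal probes
and tally the client IPs that sent them."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (assumption: the #Fields line mirrors a typical
# W2K/IIS 5 layout; the addresses and paths are made up for this example).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-19 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 00:00:01 192.0.2.10 GET /catalog/default.asp - 200
2001-09-19 00:00:05 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-19 00:00:06 198.51.100.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-19 00:00:07 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2001-09-19 00:01:12 203.0.113.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-19 00:02:00 192.0.2.10 GET /catalog/item.asp id=42 200
2001-09-19 00:02:30 192.0.2.10 GET /scripts/cmd.exe - 404
"""

# Traversal tokens as they show up in IIS logs: a literal "..\" or "../",
# the %5c / %2f encodings, a few of the overlong UTF-8 forms used against
# the MS00-078 folder-traversal bug, and "%25" to catch double-encoded
# variants. Assumed to be the common set, not an exhaustive one.
TRAVERSAL_RE = re.compile(
    r"\.\.(?:[\\/]|%5c|%2f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%25)", re.I)
TARGET_RE = re.compile(r"cmd\.exe$", re.I)


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # rows before any #Fields directive cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misattribute columns
        yield dict(zip(fields, values))


def is_nimda_probe(stem):
    """True when the URI stem walks out of its directory and ends in cmd.exe."""
    decoded = unquote(stem)  # default errors='replace' tolerates bad UTF-8
    traversal = TRAVERSAL_RE.search(stem) or TRAVERSAL_RE.search(decoded)
    return bool(traversal and TARGET_RE.search(decoded))


def find_probe_sources(log_text):
    """Return (probe count per client IP, first probe seen per IP,
    list of (ip, request) pairs that were answered with a 2xx)."""
    hits = Counter()
    first_seen = {}
    succeeded = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if not is_nimda_probe(stem):
            continue
        query = rec.get("cs-uri-query", "-")
        request = stem if query == "-" else f"{stem}?{query}"
        ip = rec.get("c-ip", "?")
        hits[ip] += 1
        first_seen.setdefault(ip, request)
        if rec.get("sc-status", "").startswith("2"):
            succeeded.append((ip, request))
    return hits, first_seen, succeeded


if __name__ == "__main__":
    hits, first_seen, succeeded = find_probe_sources(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n:4} probe(s)  e.g. {first_seen[ip]}")
    for ip, request in succeeded:
        print(f"WARNING: {ip} got a 2xx for {request}; this host may be unpatched and infected")
```

Point the script at a real log by reading the file into find_probe_sources instead of SAMPLE_LOG. The IPs it prints are the hosts to contact (or to block at the firewall), bearing in mind the caveat in the reply above that their owners are very likely unaware they are infected.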
