HiWAAY: Information/Internet Services

HiWAAY's FAQs

An FAQ is a Frequently Asked Question. We have listed here the question paired with the appropriate answer. If you don't find the answer to your question, please visit our customer support page or email support@HiWAAY.net.


XYZ - The Retired FAQ Archive

Old FAQs - We've kept these older FAQs in the archive just in case someone needs the information. These archived FAQs are no longer maintained and will certainly be out-of-date and contain errors.

Question: How do I protect my computer from the W32.Nimda.A@mm worm?

Answer:

The W32.Nimda.A@mm worm has spread around the world. We are still seeing a large number of scans against port 80; the scans come from this new worm, which is trying to locate IIS servers by requesting two files, root.exe and cmd.exe. We have updated this FAQ constantly over the past three days, and each update is grimmer than the one before as more is learned about the Nimda worm. This is what we know now:

The worm can infect any system running Microsoft Windows 95, 98, ME, NT or 2000. It spreads by five different methods: by email, through open network shares, by visitors browsing a web site the worm has modified, through the IIS Web Server Folder Traversal vulnerability, and through the backdoors left behind by the Code Red II and sadmind/IIS worms.
Windows based computers not running IIS can't be infected by the worm's IIS exploit code but CAN be infected by email, through open shares, or by browsing a web site the worm has modified.

Latest Patches and Fixes:
NEW: Microsoft has published an article called Information on the "Nimda" Worm that contains detailed instructions on securing and patching a Windows system to protect it from Nimda.

NEW: Symantec has released their tool for removing Nimda. It can be downloaded from http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

NEW: Trend Micro has released a Nimda Fix Tool.
You can download the version for Home users at: http://www.antivirus.com/pc-cillin/vinfo/
You can download the version for Corporate users at: http://www.antivirus.com/vinfo/


Description:
This is perhaps the most persistent and pernicious of all the recent worms. Even though its primary target is Windows based computers running IIS, it can easily infect ANY Windows system and use the infected computer to spread its malicious code further.

Nimda can infect computers not running IIS:
Its primary route onto Windows based computers not running IIS is email. Nimda arrives as an attachment to an email that has a random subject line and no body text. If you are running an unpatched version of Outlook Express, merely viewing the message is enough: the attachment is labelled as a .wav file, so Windows Media Player automatically attempts to play it, the worm code executes and the computer is infected. This is true whether you open the email or just view it in the preview pane. Older, unpatched versions of Outlook Express (included with Internet Explorer versions 5.0.1, 5.0.1 SP1, 5.5 and 5.5 SP1) suffer from a known MIME vulnerability that allows the executable attachment to run without anyone double-clicking on it. However, even if you are running a patched version of Outlook Express, you CAN still get infected by double-clicking on the attachment.

Once Nimda infects a system it uses its own SMTP engine and MAPI to email itself, as an attachment called "readme.exe", to addresses it has culled from the infected computer. The addresses can come from stored email, the address book and even cached web pages. The email has two MIME parts. The first is declared as type "text/html" and contains no text. The second is declared as "audio/x-wav" but is in fact the readme.exe file containing the worm. Mislabelling the attachment's MIME type makes it appear to be a .wav file.
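The mislabelled attachment described above is easy to catch at a mail gateway if you compare the declared MIME type and file name with the first bytes of the decoded content. The following is an added example (not from the HiWAAY page or from any vendor tool). Both messages it parses are constructed: the first has the worm's shape (random subject, empty text/html part, a part declared audio/x-wav but named readme.exe) and carries only the first bytes of a PE header, not worm code; the second is an ordinary .wav attachment for comparison.

```python
"""Flag e-mail attachments whose declared MIME type disagrees with their content.
Added example; RAW_NIMDA_STYLE and RAW_BENIGN are constructed messages."""
import email
from email import policy

# Constructed to match the worm's message shape: an empty text/html part followed
# by a part declared as audio/x-wav that is really a Windows executable.  The
# base64 payload is only the first bytes of a PE header ("MZ..."), not worm code.
RAW_NIMDA_STYLE = b"""From: someone@example.test
To: target@example.test
Subject: xfgyunmekjhh
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="====_ABC1234567890DEF===="

--====_ABC1234567890DEF====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


--====_ABC1234567890DEF====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--====_ABC1234567890DEF====--
"""

# A genuine .wav attachment for comparison (44-byte RIFF/WAVE header, constructed).
RAW_BENIGN = b"""From: someone@example.test
To: target@example.test
Subject: sound clip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here is the clip.
--XYZ
Content-Type: audio/x-wav; name="clip.wav"
Content-Transfer-Encoding: base64

UklGRiQAAABXQVZFZm10IBAAAAABAAEARKwAAIhYAQACABAAZGF0YQAAAAA=
--XYZ--
"""

PE_MAGIC = b"MZ"        # every Windows executable starts with these bytes
WAV_MAGIC = b"RIFF"     # every .wav file starts with a RIFF chunk header
# Names the FAQ associates with the worm's copies (.eml/.nws per the SARC text).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".eml", ".nws")


def suspicious_attachments(raw: bytes) -> list:
    """Return one finding per non-multipart MIME part whose declared type, file
    name and leading bytes disagree, e.g. a PE executable declared audio/x-wav."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()   # Content-Disposition or Content-Type name
        data = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        reasons = []
        if data.startswith(PE_MAGIC):
            reasons.append(f"PE executable in mail body (declared {ctype})")
        if ctype == "audio/x-wav" and not data.startswith(WAV_MAGIC):
            reasons.append("declared audio/x-wav but content has no RIFF header")
        if name.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable attachment name {name!r}")
        if reasons:
            findings.append({"content_type": ctype, "filename": name, "reasons": reasons})
    return findings
```

Run against RAW_NIMDA_STYLE the function reports one part, audio/x-wav named readme.exe, with all three reasons; against RAW_BENIGN it reports nothing. The content check is the one that matters: a mail client that trusts the Content-Type header is exactly what the worm relied on.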

While it is sending email, the infected computer also begins scanning the Internet for IIS servers that are vulnerable to the Web Server Folder Traversal flaw or that still carry the backdoors left by the Code Red II or sadmind/IIS worms. The worm copies itself via TFTP to any vulnerable IIS server it finds. CERT says the scans follow these probabilities:
"50% of the time, an address with the same first two octets will be chosen
25% of the time, an address with the same first octet will be chosen
25% of the time, a random address will be chosen"
(Note: A computer does not have to have IIS installed to be targeted and scanned.) These scans and emails are what is causing the Internet congestion associated with Nimda.
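The locality bias in CERT's figures explains why an ISP with one infected customer saw its whole address block hammered. The following is an added example (not from the page or from the worm) that simulates the target choice with those three probabilities and measures where the picks land; the local address is a constructed TEST-NET address and nothing is scanned.

```python
"""Simulate Nimda's scan-target selection as CERT describes it.  Added example;
it only generates addresses and never sends traffic."""
import random


def pick_scan_target(local_ip: str, rng: random.Random) -> str:
    """Choose one target with the worm's locality bias:
    50% share the first two octets, 25% share the first octet, 25% fully random."""
    a, b, _, _ = (int(x) for x in local_ip.split("."))

    def octet() -> int:
        return rng.randrange(256)

    r = rng.random()
    if r < 0.50:
        return f"{a}.{b}.{octet()}.{octet()}"
    if r < 0.75:
        return f"{a}.{octet()}.{octet()}.{octet()}"
    return f"{octet()}.{octet()}.{octet()}.{octet()}"


def scan_locality(local_ip: str, n: int, seed: int = 1) -> dict:
    """Fraction of n picks that fall in the infected host's own /16, elsewhere in
    its /8, or outside its /8.  A seeded generator makes the run reproducible."""
    rng = random.Random(seed)
    a, b = local_ip.split(".")[:2]
    counts = {"same_16": 0, "same_8": 0, "elsewhere": 0}
    for _ in range(n):
        ta, tb = pick_scan_target(local_ip, rng).split(".")[:2]
        if ta == a and tb == b:
            counts["same_16"] += 1
        elif ta == a:
            counts["same_8"] += 1
        else:
            counts["elsewhere"] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # Constructed local address (TEST-NET-1); prints roughly 0.50 / 0.25 / 0.25.
    print(scan_locality("192.0.2.10", 20000))
```

With 20,000 picks the three fractions settle close to 0.50, 0.25 and 0.25. Half of every infected host's probes stay inside its own /16, which for a regional ISP means its own customers, regardless of whether any of them run IIS.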

When the worm infects an IIS server:
Once it infects an IIS server, Nimda spreads itself via email and Internet scans as discussed above. It also writes a copy of itself, named README.EML, to every directory it finds, including any it can reach through file shares. On a heavily used server with a rich directory structure Nimda may create thousands of these files.

If it finds HTM, HTML and ASP files it modifies them by appending a section of JavaScript to the end of each file. The JavaScript references the README.EML copy of the worm dropped in the same directory; the code looks like this:
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
The JavaScript runs when a modified web page is accessed. It opens a new window, positioned well off-screen, that loads the readme.eml file, so the file is downloaded to the visiting computer. Downloading the file alone won't infect a computer; the worm must be executed to do that. Double-clicking on the readme.eml file will run the code and infect the computer. If the visiting browser is Internet Explorer version 5.0.1, 5.0.1 SP1, 5.5 or 5.5 SP1, the browser will download and automatically run the MIME-encoded copy of the worm (the same MIME vulnerability described above) and infect the computer.

Turning off JavaScript will prevent the appended code from running, but if you are using Internet Explorer versions 5.0.1, 5.0.1 SP1, 5.5 or 5.5 SP1 you should apply the Microsoft patches or upgrade to Internet Explorer 5.0.1 SP2, 5.5 SP2 or 6.0 to fix the auto-execute problem. Please note, however, that you can still infect any Windows based computer by double-clicking on the readme.eml file.
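After cleaning an IIS server you still have to find every page that received the appended script and every README.EML dropped beside it. The following is an added example (not from the page or from any vendor's removal tool): a scanner and cleaner for a web root. The regular expression is built from the window.open line quoted above; the surrounding <script> and <html> tags are optional in the pattern because the FAQ shows only the call itself. The sample pages and file names it runs against are constructed, and the "readme.eml" files it creates contain placeholder text, not the worm.

```python
"""Find and remove the JavaScript footer Nimda appends to web pages, and list the
.eml/.nws copies it drops beside them.  Added example; all sample content is
constructed."""
import os
import re
import tempfile

# The footer as quoted in the FAQ; <script>/<html> wrappers optional, must sit at end of file.
NIMDA_FOOTER_RE = re.compile(
    rb'\s*(?:<html>)?\s*<script[^>]*>\s*'
    rb'window\.open\("readme\.eml",\s*null,\s*"resizable=no,top=6000,left=6000"\)\s*;?'
    rb'\s*</script>\s*(?:</html>)?\s*$',
    re.IGNORECASE,
)
WEB_EXTENSIONS = (".htm", ".html", ".asp")      # file types the FAQ says get modified
DROPPED_SUFFIXES = (".eml", ".nws")              # copies of the worm per the SARC description


def strip_nimda_footer(content: bytes) -> tuple:
    """Return (cleaned_content, was_modified) for one page's bytes."""
    cleaned, n = NIMDA_FOOTER_RE.subn(b"", content, count=1)
    return cleaned, n > 0


def scan_tree(root: str) -> dict:
    """Walk a web root; report pages carrying the footer and dropped worm copies."""
    report = {"modified_pages": [], "dropped_files": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(DROPPED_SUFFIXES):
                report["dropped_files"].append(path)
            elif lower.endswith(WEB_EXTENSIONS):
                with open(path, "rb") as fh:
                    if NIMDA_FOOTER_RE.search(fh.read()):
                        report["modified_pages"].append(path)
    return report


def clean_page(path: str) -> bool:
    """Rewrite one page without the footer; True if anything was removed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, changed = strip_nimda_footer(data)
    if changed:
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return changed


# Constructed sample pages (not from a real infection).
CLEAN_PAGE = b"<html><body><h1>Welcome</h1></body></html>"
INFECTED_PAGE = CLEAN_PAGE + (
    b'\n<html><script language="JavaScript">window.open("readme.eml", null, '
    b'"resizable=no,top=6000,left=6000");</script></html>'
)


def demo() -> dict:
    """Build a throwaway web root, scan it, clean it, and return before/after counts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        samples = [("index.html", INFECTED_PAGE), ("about.htm", CLEAN_PAGE),
                   ("readme.eml", b"placeholder"), ("sub/readme.eml", b"placeholder")]
        for rel, data in samples:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = scan_tree(root)
        cleaned = sum(clean_page(p) for p in before["modified_pages"])
        after = scan_tree(root)
        return {"pages_before": len(before["modified_pages"]),
                "dropped": len(before["dropped_files"]),
                "cleaned": cleaned,
                "pages_after": len(after["modified_pages"])}
```

demo() finds one modified page and two dropped files, cleans the page and then finds none. Treat the dropped-file list as evidence to remove, and remember the CERT warning further down: stripping the footer restores the pages, it does not restore trust in the server.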

The worm also shares the C: drive of the infected computer and attempts to spread itself via file shares across the LAN. On Windows NT/2000 the worm activates the Guest account, adds it to the Administrators group and gives it access to the shared directories; the shares require no password for access as Guest. (Note: opening the network share on the infected server may expose it to other intrusions.)

SARC has also noted that:
"The worm searches for all open shares on the network by iterating through Network Neighborhood and by utilizing randomly generated IP addresses. All files on any open network shares are examined for possible infection. All .exe files are infected by the worm except Winzip32.exe. Next, .eml and .nws files are copied to the open network shares and the worm copies itself over as Riched20.dll to any folder that contains .doc files. The worm changes Explorer settings to not show hidden files and known file extensions."


If your computer is scanned and you are running a firewall or logging web server access, you'll see a number of entries like these:

/home/httpd/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/home/httpd/html/msadc/..%5c../..%5c../..%5c/..2f../..%2f../..%2f../winnt/system32/cmd.exe
/home/httpd/html/scripts/..%2f../winnt/system32/cmd.exe


Here's a sample from one of our logs:

"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 300 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 234 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"
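Every request in the excerpt above is the same probe, cmd.exe reached through "..", wearing a different encoding: %255c is a double-encoded backslash (the superfluous-decoding flaw, Microsoft bulletin MS01-026), while %c0%af, %c1%1c and friends are overlong or malformed UTF-8 that the vulnerable IIS decoder turned into "/" and "\" (the Web Server Folder Traversal flaw, MS00-078). The following is an added example (not from the page) that decodes a request the way that IIS did and flags anything that climbs above the web root. SAMPLE_LOG repeats the FAQ's own log lines plus one constructed benign request.

```python
"""Decode encoded traversal requests the way vulnerable IIS did, then flag the
ones that escape the web root.  Added example; SAMPLE_LOG is the FAQ's log
excerpt plus one constructed benign line."""
import re
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = [
    '"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"',
    '"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"',
    '"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 300 "-" "-"',
    '"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"',
    '"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 234 "-" "-"',
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"',
    '"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"',
    '"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    '"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"',
    '"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"',
    '"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',   # constructed benign request
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
TARGETS = {b"cmd.exe", b"root.exe"}   # the two files the FAQ says the worm asks for


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse a 2-byte sequence with lead byte 0xC0/0xC1 into one ASCII byte.
    Valid UTF-8 never uses these lead bytes, and the vulnerable decoder did not
    even demand a proper continuation byte, so %c1%1c became '\\' and %c0%af '/'."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def iis_decode(path: str, max_passes: int = 3) -> bytes:
    """Percent-decode repeatedly until stable (so %255c -> %5c -> '\\'), folding
    overlong UTF-8 after each pass.  Real IIS decoded twice; three passes is a margin."""
    data = path.encode("latin-1")
    for _ in range(max_passes):
        new = fold_overlong_utf8(unquote_to_bytes(data))
        if new == data:
            break
        data = new
    return data


def escape_depth(decoded: bytes) -> int:
    """How many '..' steps the path climbs above the web root (0 = stays inside)."""
    depth = worst = 0
    for comp in decoded.replace(b"\\", b"/").split(b"/"):
        if comp == b"..":
            depth -= 1
            worst = min(worst, depth)
        elif comp not in (b"", b"."):
            depth += 1
    return -worst


def scan_log(lines) -> list:
    """Return one finding per request that escapes the root or names cmd.exe/root.exe."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        decoded = iis_decode(raw.split("?", 1)[0])          # drop the ?/c+dir argument
        depth = escape_depth(decoded)
        target = decoded.replace(b"\\", b"/").rsplit(b"/", 1)[-1].lower()
        if depth > 0 or target in TARGETS:
            findings.append({"raw": raw, "decoded": decoded.decode("latin-1"),
                             "escape_depth": depth, "target": target.decode("latin-1"),
                             "status": int(m.group("status"))})
    return findings
```

All eleven probes decode to a path that climbs out of the web root and ends in cmd.exe; the benign request is left alone. Note that the two lines the server answered with 400 are flagged as well: a rejected probe is still a scan worth correlating with the rest of the source's traffic.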


More detailed information can be found at:

Prevention:
Protection of an IIS server is simple. Like the Code Red worms, W32.Nimda.A@mm only infects IIS servers that have not been patched (or that still carry the backdoors left by Code Red II or sadmind/IIS). Microsoft released patches for this vulnerability, Web Server Folder Traversal (Microsoft Security Bulletin MS00-078), in October 2000. The patches for Windows NT and 2000 can be found below.
More information about this vulnerability may be found at:


In addition to the above individual patches, Microsoft has released a Cumulative Patch for IIS that includes all patches for IIS versions 4.0 and 5.0 that have been released prior to August 15, 2001 (including the patches above). You can download the cumulative patch from:
Microsoft Security Bulletin MS01-044
Protection of Windows based systems not running IIS is also relatively easy.
  1. Make certain your anti-virus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. Upgrade your version of Outlook Express and install all the current patches.
  4. If you are using Microsoft Internet Explorer version 5.0.1, 5.0.1 SP1, 5.5 or 5.5 SP1 then install Microsoft's MIME vulnerability patch or upgrade to Internet Explorer 5.0.1 SP2, 5.5 SP2 or 6.0.
  5. Turn off JavaScript.
  6. Of course, it always bears repeating, don't open attachments!
Removal:
If your system is infected with Nimda, following the instructions on one of the sites listed below, or using one of the removal tools also linked below, may repair your system. However, please read these sobering warnings from CERT:
"The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network." CERT Advisory CA-2001-26 Nimda Worm
and from SARC:
"Once a computer has been attacked by W32.Nimda.A@mm, it is very difficult to determine what security settings have been compromised. Unless, by reading the logs, you can be absolutely sure that nothing else malicious has been done to the computer, it may be best to backup all data files, reformat the hard drive, and then completely reinstall the operating system and all programs. This is the only way that you can be 100 percent certain that the computer is clean." W32.Nimda.A@mm Removal Tool
Symantec has posted some removal instructions that require the use of Norton Antivirus and a few manual steps to rid an infected computer of Nimda.

NEW: Symantec has released their free tool for removing Nimda. It can be downloaded from http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

NEW: Trend Micro has released a Nimda Fix Tool.
    You can download the version for Home users at: http://www.antivirus.com/pc-cillin/vinfo/
    You can download the version for Corporate users at: http://www.antivirus.com/vinfo/

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites. New definitions are released constantly. Please check with your anti-virus vendor for the latest files.

HiWAAY does not warrant that any of the tools and patches listed above will protect or repair a system, nor can we offer support on the complex task of manually removing the W32.Nimda.A@mm worm and verifying system integrity.

