Monday, 19 September 2011

Nimda worm: 10 year anniversary

In 2001 the Nimda worm was unleashed onto unpatched systems across the globe. It spread fast, used multiple exploits and appeared shortly after another well-publicised worm (Code Red) had started attacking PCs.

I found the following article that I wrote about it ten years ago to the day. It's no longer available on PC Pro's site, but Google's cache has a copy:

New Internet worm combines threat of SirCam and Code Red

By Simon Edwards
Posted on 19 Sep 2001 at 12:08

The Nimda virus is widespread and harmful.

The worm is known to attack both normal Internet users and Web servers. Those who have chosen to use Microsoft's Internet Explorer Web browser and the closely associated Outlook Express/Outlook e-mail client should update using the most recent patches, and update their anti-virus software.

Administrators running Microsoft's IIS Web server also need to ensure that previous holes highlighted by last month's CodeRed fiasco are plugged. The worm actively seeks out machines that are already infected with CodeRed II.

The behaviour of the Nimda (Admin, backwards) program is startlingly intelligent. Once it has successfully infected a Web server it attempts to change the HTML pages and ASP files using JavaScript. The altered files cause unsuspecting visitors to download an infected file, readme.eml.

When an Outlook Express user receives a copy of the worm, either by downloading the readme.eml file or via e-mail from another infected host, there is no necessity to run the attachment to risk infection. Unless the long-available security patches have been installed, the worm will be activated when the message is read, or automatically viewed in the default preview pane.

Once the worm has been run it sets up its own SMTP server and starts propagating using addresses stored in local HTML files and e-mail stored in the Inbox. Meanwhile it changes various system settings and shares the C: drive. It also escalates the privileges of the Guest account to Administrator level (on Windows NT/2000 systems).

Many anti-virus vendors have already released signature files, while Microsoft's security patches are still available. Symantec claims that Nimda is a high threat, being both widely distributed and fast moving. It is, however, moderately easy to remove. In fact, this morning Symantec's Web site upgraded the worm's removal status from Easy to Moderate so keep checking!
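The article above describes the worm rewriting a server's HTML and ASP pages with JavaScript that makes visitors fetch readme.eml. The following is an added example, not part of the original article or of any vendor tool: a small scanner a Web-server administrator could run over a document root to flag pages carrying such a block. The exact injected markup is not given in the article, so the match is deliberately loose (any script block that mentions readme.eml) and the sample page contents are constructed.

```python
"""Scan a web root for pages carrying a Nimda-style injected script block.

Added example, not from the original article. The article says the worm
rewrote HTML and ASP pages with JavaScript that made visitors fetch
readme.eml; this scanner flags any script block referencing that name.
The injected markup in demo() is a constructed stand-in, not the payload.
"""
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# Case-insensitive: Windows file names and HTML tags vary in case.
SCRIPT_BLOCK = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
LURE = re.compile(r"readme\.eml", re.IGNORECASE)


def suspicious_blocks(text):
    """Return the script blocks in `text` that mention readme.eml."""
    return [m.group(0) for m in SCRIPT_BLOCK.finditer(text)
            if LURE.search(m.group(0))]


def scan_webroot(root):
    """Walk `root`; return [(path relative to root, offending block), ...]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            # Pages may be in any 8-bit encoding; latin-1 never raises.
            with open(path, encoding="latin-1") as fh:
                for block in suspicious_blocks(fh.read()):
                    hits.append((os.path.relpath(path, root), block))
    return hits


def demo():
    """Constructed sample web root: one clean page and one modified page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>\n")
    with open(os.path.join(root, "default.asp"), "w") as fh:
        fh.write("<html><body>Hello</body></html>\n"
                 "<script>window.open('readme.eml')</script>\n")  # constructed
    return scan_webroot(root)
```

Run `scan_webroot` against a real document root and review each reported block by hand; a plain text mention of readme.eml outside a script block is not reported.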