The Nimda Worm Report
by: Denice Bland
Course: IFSM 430
Instructor: David Wills
Date: May 02, 2002
Executive Summary
The Nimda virus was a devastating worm that attacked the computer community on September 18, 2001. It was a flagrant attack on the Microsoft Corporation as well as the world. The document that follows shows how one computer system was affected. It defines the virus, shows how it attacks, and then gives you ways to defend yourself against it. It shows how this one computer system was fixed, and then leads you down the path to ensuring you are not the victim of one of these attacks in the future.
On the evening of September 20, 2001, I went to check my emails and do some surfing on the net. As I sat at my computer to check incoming emails, I noticed right away that something was not quite right with my computer. It was running extremely slowly as soon as I booted up the computer. I was not quite sure why it was acting this way. I didn’t give it too much thought. Sometimes the connection is slow, and sometimes I just need to refresh my screen. So I started working in Microsoft Word. When I attempted to save my document, a message box appeared, stating that there was not enough memory to perform this task. I figured this had to be an error. So I tried saving it to a disk to see if that would fix the problem. It didn’t. I usually ask my husband to take a look at these problems, but he was in the “States” at the time. I learned later on that I was one of the thousands attacked by the Nimda Worm. I had no idea what I was going to do. Since my husband usually fixes all the computer problems, I had to wait a week for him to return. It was crippling for me because I had to do all my homework at the lab or at my job. This virus was so devastating that it crippled not only my computer, but also computers around the world, including Fortune 500 companies, Web sites, and even the United States military.
The inventor of the worm I guess was a comic. The name Nimda is “admin” spelled backwards, and ironically it does just the opposite of what an administrator does. The worm has been given several names. The original names are W32.Nimda and W32/Nimda.A@mn. Newer versions are W32/Nimda.B@mn and W32/Nimda.E@mn. There have even been false viruses created in the name of Nimda just to scare computer users. However, the most common name is simply Nimda. This new worm hit the scene on September 18, 2001, spreading around the entire earth in a matter of hours. The world had never seen such a worm as this. Some people speculated that it was associated with the September 11, 2001 terrorist attack on the United States’ World Trade Center towers and feared there would be a lot more viruses to come. But the best way to control the fear of the unknown is to find out what a virus is.
Well, what is the Nimda worm? First, let me explain what a worm is. According to our textbook, a worm is a program that is used as a transport mechanism for other programs. It utilizes the network to spread programs from one system to another (Pipkin, page 49). Pipkin also states that a virus is a program that infects another program by replicating itself into the host program (Pipkin, page 49). The Nimda worm is a Windows executable file. Its length is about 57 kilobytes, and it is written in Microsoft C++. It contains the following “copyright” text string: Concept Virus(CV) V.5, Copyright©2001 R.P.China. (Curenimda).
The Nimda worm does not behave like practically any other worm or virus to date. Usually you have to open a file to activate a virus. With Nimda, however, one only has to attempt to open an email file, attempt to preview the email file, or visit a Web page on a server that is already affected to become infected as well. The unique thing about the Nimda worm is that it does its dirty work by hiding itself in regular files. If you try to locate the infected file, it detects your attempt and replicates itself to another file. It even changes your system properties to make itself a “hidden” file. After you change your properties to show all hidden files, it goes back and hides itself again. It also renames itself to look like the regular files in your system folders. If you try to delete them, your computer will tell you that you cannot because “Windows needs this to operate”. If you do succeed in deleting one of the files, it hides itself by renaming itself again after you restart your computer.
Even when you believe that all the damage is done, Nimda leaves quite an unpleasant present behind. It leaves a hole in your security system. It creates a guest user with no password, allowing hackers to infiltrate your system anytime they want and create more havoc. However, not everyone has to worry about this worm.
The good news for computer owners is that if you do not have a Microsoft operating system, your computer will not be affected. That is because Nimda was made specifically to attack any of the various Microsoft operating systems. It was designed to enter through the flaws in the Microsoft system. Unfortunately, the bad news is that the worm will affect most computers, because the majority of computers around the world have some sort of Microsoft operating system installed.
It appears that the worm was derived from other worms and viruses, using their destructive techniques at a significantly higher level. Nimda combines the debilitating features of Code Red, Code Blue, Apost, Magistr.B and SirCam (Sullivan). These worms have been in the news because they have successfully spread across the Internet over the past year. Nimda attacks personal computers as well as business and Web servers. It opens a security hole in the computer system that gives access to any hacker who wishes to come in and manipulate the system in any way. This hole is usually not found until after extensive damage is done. But that is just one facet of this worm.
The Nimda worm spreads in various ways. It can be spread by the email system. After infecting a computer, Nimda sends copies of itself to all email addresses located in the computer’s address book. It does this by looking through files for anything that resembles an email address. Scanning *.htm and *.html files is the normal way it looks for email addresses. It also connects to MS Exchange mailboxes and grabs the addresses. The message that Nimda sends out is in HTML format. There usually is no subject line, or a random subject line is chosen. The random subject line could be anything. At first it was believed that an unusually long subject line was a sign that Nimda (or some other virus or worm) was present. However, the Nimda worm has shown up with much shorter subject lines.
The body of the message is empty but has an attachment by the name of “readme.exe.” The computer will think that this file is a .WAV (or some type of audio) file, when in actuality Nimda is an executable program. The length of this attachment has been found to be 57344 bytes. This never changes. Under Internet Options, if the security level is set at medium or lower, the Nimda worm will execute automatically in Microsoft’s Outlook. Because the message comes from someone they know, the worm appears harmless to the family and friends receiving the email. Like unwelcome guests, the Nimda worm can come back. This worm has been programmed to resend the infected emails every ten days.
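As an added example (not part of the original report), the following Python script checks a raw email message for the mail-borne indicators described above: an attachment named readme.exe, an executable filename declared under an audio MIME type, a Windows executable header inside that part, and the fixed 57344-byte length. Both sample messages are constructed here; the "attachment" is an MZ header followed by zero padding, not worm code, and the sender and recipient addresses are made up.

```python
import email
import email.policy
from email.message import EmailMessage

# Attachment length the report gives for the Nimda mailer; used as one indicator.
NIMDA_ATTACHMENT_LENGTH = 57344


def inspect_message(raw: bytes) -> list:
    """Return a list of Nimda-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""

        if filename == "readme.exe":
            findings.append("attachment named readme.exe")
        # The mailer hides an .exe behind an audio content type so the client
        # treats it as a sound clip; an executable name under audio/* is a red flag.
        if ctype.startswith("audio/") and filename.endswith(".exe"):
            findings.append(f"executable filename declared as {ctype}")
        # Every DOS/Windows executable starts with the 'MZ' magic bytes, so an
        # MZ header inside a non-application part is mislabelled content.
        if data[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(f"{ctype} part begins with a Windows executable header")
        if len(data) == NIMDA_ATTACHMENT_LENGTH:
            findings.append(f"attachment length is exactly {NIMDA_ATTACHMENT_LENGTH} bytes")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an empty-bodied message with a fake 57344-byte 'readme.exe'
    attached under audio/x-wav. The blob is 'MZ' plus zero padding, not real worm code."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"   # made-up addresses
    msg["To"] = "victim@example.com"
    blob = b"MZ" + b"\x00" * (NIMDA_ATTACHMENT_LENGTH - 2)
    msg.add_attachment(blob, maintype="audio", subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed sample: an ordinary plain-text message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "lunch tomorrow?"
    msg.set_content("Noon at the usual place?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_message()), ("clean", build_clean_message())):
        print(label, inspect_message(raw) or "no indicators")
```

Each indicator on its own is weak (plenty of legitimate mail carries audio attachments, and a size match alone proves nothing), so the function reports every match and leaves the decision to whoever reads the list; a mail gateway rule would normally act only when several of them coincide.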
Another attack scenario involves probing HTTP port 80. This port is commonly used for Web traffic. The worm will copy itself to computers attached to the same network. In addition, it attacks the Microsoft Internet Information Server (IIS) software, looking for security weaknesses in IIS. It will attempt to find any backdoors that a previous virus or worm might have left behind. It will take control of the server and send out files infected with the worm.
Nimda will also alter the JavaScript code of web pages, making various changes to their format. Nimda modifies all the web files it can reach. These changes are unlikely to be noticed by the user, but they can affect any computer used to surf the World Wide Web. When a user goes to an infected web site, the site will place a JavaScript “readme.exe” or “readme.eml” file on the user’s computer. In this way, the user unknowingly downloads the worm when viewing the affected web site. Sometimes the site will prompt you for permission to create an *.eml file (*.eml is the Microsoft Outlook email file extension), but by this time the worm has already been planted.
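Added example, not from the original report: a Python scanner a Web administrator could run over a document root to find pages that carry the kind of script block described above, one that opens a readme.eml file. The site tree and page contents are constructed here, and the shape of the injected snippet (a window.open of readme.eml) is an assumption chosen to match the description; a real infection's appended text may differ, so the match is on the filename rather than the exact code.

```python
import os
import re
import tempfile

# File types the report says Nimda rewrites; the walk is limited to these.
WEB_EXTENSIONS = (".htm", ".html")

# Any <script ...> ... </script> block, case-insensitive and spanning newlines.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(?P<body>.*?)</script>", re.IGNORECASE | re.DOTALL)


def find_injected_scripts(html: str) -> list:
    """Return the bodies of script blocks in one page that reference readme.eml."""
    return [m.group("body").strip()
            for m in SCRIPT_BLOCK.finditer(html)
            if "readme.eml" in m.group("body").lower()]


def scan_web_root(root: str) -> dict:
    """Walk root and map each affected page (path relative to root) to its injected scripts."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = find_injected_scripts(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# Constructed sample pages standing in for a real document root.
CLEAN_PAGE = "<html><body><h1>Welcome</h1><script>document.title='Home';</script></body></html>"
# Assumed shape of the appended block: a script that opens readme.eml in a new window.
INFECTED_PAGE = CLEAN_PAGE + '<html><script language="JavaScript">window.open("readme.eml", null)</script></html>'


def build_sample_root() -> str:
    """Write a small constructed site tree to a fresh temp directory and return its path.
    The directory is left in place so the reader can inspect it afterwards."""
    root = tempfile.mkdtemp(prefix="nimda-scan-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_PAGE)
    with open(os.path.join(root, "docs", "faq.htm"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_PAGE)  # not a web page by extension, so deliberately skipped
    return root


if __name__ == "__main__":
    for page, scripts in scan_web_root(build_sample_root()).items():
        print(page, "->", scripts)
```

Matching on the filename rather than on one exact snippet means the scan also catches pages where the surrounding markup has been altered or minified; the cost is that a page which legitimately mentions readme.eml inside a script would be reported too, which is why the output lists the script body for a human to review.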
When the Nimda worm hits a local network, it will scan all the network resources it can get into. It will make copies upon copies of itself anywhere it can. A small network could have thousands of copies of the worm scattered throughout. As soon as a user finds the Nimda file on a server’s disk, that computer is automatically infected.
The Nimda worm can significantly slow down any computer or Web server. With the constant need to replicate itself, within hours there may be so many copies of the worm on the computer’s hard drive that normal operations cease. Denial-of-service reports were transmitted from numerous corporations around the world during the height of this worm. Nimda attempts to rewrite every file with any association with the Web. It also duplicates and modifies system files (.dll, .tmp, .exe, etc.). As deadly as this worm seems to be, there are ways to combat it.
So what can you do to prevent getting infected or re-infected by Nimda? First, install an anti-virus program on your computer that has virus definitions which list Nimda and its variants. If you have been infected by Nimda, ensure that you download and install the security patch made specifically to close the hole Nimda leaves behind, as described above. Scan your computer frequently to check for viruses. Also update the virus definitions frequently. I use Norton Antivirus 2002 on my home and office computers. This program is great because you can schedule the software to upgrade the virus definitions whenever you are connected to the Internet. This software also has the ability to scan your files in the background while you are working on the computer. It also can automatically scan your emails as they are delivered as well as scan your connections to the Internet when cookies are being stored. Updating your computer this way frees you from the chore of remembering to install the most current security updates on your own.
Do not open any attachment. It is especially important that you do not open any attachment named “readme.exe.” Even if you know the person who is sending you the email, this does not mean that the email file is not infected. Scan the file with your anti-virus program before any attempt to open it. If you are not expecting the file, it is best to delete it. You can always check with the sender by phone or another email to verify the attachment.
The security settings on your computer may need to be optimized. To check this, go to Internet Options and look at the setting on the Security tab. If it is not at its highest setting, move the slider to the highest level.
The CERT/CC advises that, “If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0 since older versions are no longer officially maintained by Microsoft. Users of IE 5.0 and above are encouraged to apply patch for the “Automatic Execution of Embedded MIME Types” vulnerability available from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp” (CERT).
If your computer is networked with others, it may be a good idea to disable the file-sharing option. Of course you will not be able to do this all the time, but when there is a known threat to the computer system, disabling sharing may save your computer. You can also ensure you do not get infected by disconnecting the LAN cable within your network. This ensures all the individual computers can be checked and cleaned without allowing the virus to hide on another computer.
A sure-fire way to keep viruses off your computer is to not install any non-guaranteed software, stay off the Internet, and not allow foreign disks into your computer. But if this is not feasible, the suggestions listed above will go a long way to help you in the battle against viruses.
When my husband finally returned from the States, I told him what had happened. He spent a lot of time working on the computer. He finally cleaned it all up. This is what he did. He started by making sure he had the most current virus definitions from Symantec. With him being in the military, they encourage the use of military-procured virus software. He ensured the software was set up to do a full computer scan, including all file types. The biggest problem he had was the software’s inability to clean the files that were coming up infected. The software would just quarantine them. When he tried to delete them, the computer would not let him. He then checked some Internet sites to find out more information on the Nimda virus and found some examples of how the Nimda virus hides in the computer. He found out the files it hides under are relatively similar to the files that are normally in the system files location of the computer. One file in particular was the Riched20.dll file. Since he could not delete the file while running Windows, he had to reboot the computer to come up in DOS mode. While at the command prompt, he was able to locate the infected files without having to run Windows. After all the files were deleted, he rebooted the computer again in Windows mode. Everything appeared to come up fine. He wanted to be safe, so he did a full scan again. This produced another virus alert. When he tried to find the file, it wasn’t showing up. After some time, he discovered that the virus had changed the view properties of Explorer and had hidden several files again. So this time he ensured all the hidden files were in full view and did the scan one more time. After three more infected files appeared, he cleaned them and rebooted the computer one more time. After this reboot, he did the virus scan and no infected files were found. From that time on, we make sure we update our virus definitions every Wednesday and/or when we get alerts.
So what’s the moral to this story? There will always be computer hackers out in cyberspace who will try to find ways to make life difficult for the uninformed computer user. There will always be new and inventive viruses trying to destroy your system. Your job is to be knowledgeable and proactive. You need to learn as much as you can about the systems that you work on and their vulnerabilities. You are the number one defense against attacks on your system. Luckily for you, there are companies out there willing to work to help keep your systems safe. Stay on top of the latest trends and technologies coming out for computers. The more you know about your computer and computer systems, the more prepared you will be.
References
Delio, Michelle. “Scary Hybrid Internet Worm Loose.” www.curenimda.com/article02.htm, accessed 04/30/2002.
Pipkin, Donald L. Information Security: Protecting the Global Enterprise.
Sullivan, Bob. “Nimda Worm Slows but Hits High-Profile Sites.” MSNBC, www.curenimda.com/article14.htm, accessed 04/28/2002.
“I-Worm.Nimda.” No author listed. www.curenimda.com/desc01.htm, accessed 04/30/2002.
CERT/CC. “CERT Advisory CA-2001-26 Nimda Worm.” www.cert.org/advisories/CA-2001-26.html, accessed 04/28/2002.