IWS - The Information Warfare Site

ADVISORY 01-022

"Mass Mailing Worm W32.Nimda.A@mm"
September 18, 2001

The National Infrastructure Protection Center (NIPC) has received numerous reports that a new worm, named W32.Nimda.A@MM, is propagating extensively through the Internet worldwide. The worm is exhibiting many traits of recently successful malicious code attacks such as Code Red but it is not simply another version of that worm.

The Nimda worm threatens Microsoft Internet Information Services on Windows 2000 and Windows NT web servers, and also individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows 95, Windows 98, or Windows Millennium Edition (ME) platform. Preliminary analysis indicates that once a server is infected it will begin to scan for more vulnerable systems on the local network, which may result in a denial of service for that network. On infected workstations as well as servers, the worm also makes the entire contents of the local primary hard drive (e.g. the C: drive) available over the network. It is also believed that an additional user is added with administrative rights.

A computer can become infected through a variety of means ranging from simply viewing an infected web page using a browser with no security enabled, to opening a malicious e-mail attachment.

The NIPC and several other labs continue to analyze the Nimda worm. Expect additional updates in the near future. For the moment, system administrators and individual users should consider taking the immediate actions detailed below to protect their systems.

For system administrators:

Take appropriate steps to prevent the worm's attempts to distribute itself through the following means:

  • HTTP scanning for IIS vulnerabilities
    • IIS MSDAC /root.exe
    • IIS UNICODE decoding cmd.exe
    • CODERED /root.exe
    • frontpage /cmd.exe
  • E-MAIL (via IFRAMES and javascript)
    • readme.eml
    • readme.exe
    • getadmin.exe
  • TFTP downloads
    • getadmin.exe
    • Admin.dll
    • Getadmin.dll
  • Internet Explorer HTTP iframe and javascript autoexec
    • readme.eml
    • readme.exe
  • Open Windows File sharing
    • readme.exe
    • readme.eml
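Several of the means listed above leave a visible trace in the web server's own request log: each probe names one of the files in the list (root.exe, cmd.exe, readme.eml and so on). The script below is an added example, not part of the NIPC advisory, that scans IIS-style log lines for those names. It assumes a W3C extended log with the field order date, time, client IP, method, URI stem, status (an assumption; adjust the regular expression to the fields your server actually logs). Because the Unicode-decoding vector relies on the server decoding an encoded path before executing it, the example decodes each URI twice and canonicalizes it before matching, so a request that hides cmd.exe behind percent-encoding is still caught; the sample log lines are constructed for illustration.

```python
"""Scan IIS-style web server log lines for the request paths named in the advisory."""
import re
from urllib.parse import unquote

# File names that appear in the advisory's list of propagation means.
SUSPECT_NAMES = frozenset({
    "root.exe", "cmd.exe",                        # HTTP scanning for IIS weaknesses
    "readme.eml", "readme.exe",                   # e-mail, IE iframe and file-sharing payloads
    "getadmin.exe", "admin.dll", "getadmin.dll",  # TFTP downloads
})

# Constructed sample in W3C extended log format. The field order
# (date time c-ip cs-method cs-uri-stem sc-status) is an assumption.
SAMPLE_LOG = """\
2001-09-18 10:01:02 10.0.0.5 GET /default.htm 200
2001-09-18 10:01:03 10.0.0.7 GET /scripts/root.exe 404
2001-09-18 10:01:04 10.0.0.7 GET /MSADC/root.exe 404
2001-09-18 10:01:05 10.0.0.7 GET /scripts/..%5c../winnt/system32/cmd.exe 200
2001-09-18 10:01:06 10.0.0.9 GET /images/logo.gif 200
2001-09-18 10:01:07 10.0.0.7 GET /_vti_bin/..%255c../winnt/system32/c%6dd.exe 200
2001-09-18 10:01:08 10.0.0.11 GET /readme.eml 200
2001-09-18 10:01:09 10.0.0.5 GET /docs/README.txt 200
"""

# date+time, client, method, uri stem, three-digit status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize_path(uri_stem):
    """Decode percent-encoding twice and fold case and backslashes, so an
    encoded request maps to the canonical path the server would finally use."""
    decoded = unquote(unquote(uri_stem))
    return decoded.replace("\\", "/").lower()


def last_segment(path):
    """Return the file name portion of a normalized path."""
    return path.rsplit("/", 1)[-1]


def scan_log(text):
    """Return (client_ip, raw_uri, matched_name) for every suspect request.

    A 404 still counts: the advisory's concern is the scanning itself,
    not only the probes that succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header/comment lines or lines in another format
        _ts, client, _method, uri, _status = m.groups()
        name = last_segment(normalize_path(uri))
        if name in SUSPECT_NAMES:
            hits.append((client, uri, name))
    return hits


def clients_by_hits(hits):
    """Count suspect requests per client, to rank the noisiest sources."""
    counts = {}
    for client, _uri, _name in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, uri, name in found:
        print(f"{client:>10}  {name:<12}  {uri}")
    print("per-client totals:", clients_by_hits(found))
```

Run against a real log, the per-client totals give the hosts on the local network that are already scanning (the denial-of-service behaviour described above), which is where cleanup should start.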

For individual users:

Do not read or accept unexpected e-mail file attachments. These e-mails should be deleted. Make sure browser security is enabled.

The anti-virus software industry is aware of this worm and has created a signature file to detect and remove it. Full descriptions and removal instructions can be found at various anti-virus software firms' web sites, including the following:

http://www.antivirus.com (Trend Micro)
http://www.ca.com (Computer Associates)
http://www.symantec.com (Symantec)
http://vil.nai.com (McAfee)

Microsoft has posted critical updates at the following sites:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates, and to check for alerts put out by the NIPC, CERT/CC and other cognizant organizations.

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.