Nimda was one of the more complex virus/worm constructs released.
Nimda is credited with several “firsts” in its infection techniques. It is the first beast to infect .EXE files by embedding them into itself as a resource. It also infects Web pages so unsecured browsers will infect upon viewing the Web page. Finally, Nimda is the first worm to use any user’s computer to scan a network for vulnerable machines behind a firewall to attack (in the past only infected servers did that).
Nimda uses several known weaknesses in Microsoft IIS servers. It would not have spread as far as it did had administrators applied the known patches. For reference, the patches are at…
- Unicode exploit:
Nimda uses these methods to spread:
- from client to client via E-mail and an infected .EXE file
- from client to client via open network shares
- from web server to client via browsing of compromised Web sites
- from client to Web server via active scanning for and exploitation of the “Microsoft IIS 4.0 / 5.0 directory traversal” vulnerability
- from client to Web server via scanning for the back doors left behind by the “Code Red II” and “sadmind/IIS” worms.
File Infection. In one mode, Nimda acts like any standard file infector with a new twist. It searches for .EXE files and adds them to itself as a resource. When an infected .EXE file on a server is downloaded, it then spreads the beast. Additionally, if the file is on a local computer, sharing that file can also spread the beast.
When an infected file is run the worm extracts the original program and runs it. Nimda attempts to delete this file after it finishes but cannot always do this. In that instance it creates WININIT.INI with commands to delete the file the next time Windows starts.
Nimda finds .EXE files to infect by searching the keys [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths], [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders], and all subkeys. Strangely, WINZIP32.EXE is not infected.
E-mail Worm. In another mode, Nimda acts like any other worm. It searches your E-mail client address book(s) and HTML files on your computer for E-mail addresses and then sends itself to these addresses in an attached file. An E-mail from the worm comes as a “multipart/alternative” message with two sections. The first is defined as MIME type “text/html”, but contains no text (the message appears empty). The second is defined as MIME type “audio/x-wav”, but contains a base64-encoded attachment named README.EXE, which is a program.
Many users can be tricked into opening such attachments, and any mail software running on Windows that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail runs the attachment automatically and infects the machine (both bad practices!).
Nimda uses its own SMTP server to send E-mail messages.
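As an added example (not code from the original page), the following Python checks a message for the mail layout just described: a two-part multipart/alternative message whose first part is an empty text/html section and whose second part is declared audio/x-wav but carries a base64-encoded .EXE. Both sample messages are constructed here, and the final MZ-header check is my own addition beyond what the page states.

```python
# Added example, not code from the original page: flag mail that matches
# the two-part Nimda layout described above.  Sample messages are constructed.
import base64
from email import message_from_bytes, policy

# Constructed: empty text/html part, then "audio/x-wav" that is a base64 .EXE.
_FAKE_EXE_B64 = base64.b64encode(b"MZ" + b"\x00" * 14).decode()
SUSPECT_MAIL = (
    "From: someone@example.invalid\r\nTo: you@example.invalid\r\n"
    "Subject: \r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n\r\n"
    '--b1\r\nContent-Type: audio/x-wav; name="README.EXE"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    f"{_FAKE_EXE_B64}\r\n--b1--\r\n"
).encode()
# Constructed ordinary multipart/alternative mail (plain text plus HTML).
BENIGN_MAIL = (
    "From: a@example.invalid\r\nTo: b@example.invalid\r\nSubject: hi\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary="b2"\r\n\r\n'
    "--b2\r\nContent-Type: text/plain\r\n\r\nHello\r\n"
    "--b2\r\nContent-Type: text/html\r\n\r\n<p>Hello</p>\r\n--b2--\r\n"
).encode()


def nimda_mail_indicators(raw: bytes) -> list:
    """Return the indicators matched (empty list = not the Nimda layout)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/alternative":
        return []
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        return []
    first, second = parts
    body = first.get_payload(decode=True) or b""
    attachment = second.get_payload(decode=True) or b""
    name = (second.get_filename() or "").lower()
    reasons = []
    # 1. The "text/html" part renders as an empty message.
    if first.get_content_type() == "text/html" and not body.strip():
        reasons.append("first part is text/html with an empty body")
    # 2. The "audio/x-wav" part is named as an executable.
    if second.get_content_type() == "audio/x-wav" and name.endswith(".exe"):
        reasons.append(f"audio/x-wav part carries an executable name: {name}")
    # 3. The decoded attachment starts with the MZ header of a Windows .EXE.
    if attachment.startswith(b"MZ"):
        reasons.append("attachment begins with the MZ executable header")
    return reasons
```

A mail gateway would run this on the raw message before any client renders the HTML part; the three indicators are independent, so a single hit is worth quarantining for review.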
Web Worm. Using one of the known exploits listed above, Nimda scans the Internet for Microsoft IIS Web servers. When a server is found, if it has open security holes, Nimda enters and modifies random Web pages on the server (as well as .EXE files found on the server). The modifications allow the worm to spread to users simply browsing the infected site.
File Share Propagation. Infected computers on a local network will search for other computers with open file shares. When found, Nimda will transfer a hidden/system file (RICHED20.DLL) onto the other computer in any directory where .DOC or .EML files are found. After that, if any of these files are opened in Word, Wordpad, or Outlook the hidden RICHED20.DLL file will also be automatically executed. This will infect that computer.
Additionally, Nimda will try to replace the Windows RICHED20.DLL master file and will place .EML (and sometimes .NWS) files into folders it accesses.
Nimda On Your Computer
Nimda usually shows up as a README.EXE attachment to an E-mail, but can show up as any .EXE file with over five characters in the rootname. If run, it first copies itself to a temporary directory with a random name of the form MEP*.TMP (where * represents random characters). It then runs itself from that folder using the command line option “-dontrunold”.
The first thing the launcher does when running is to check whether it has enough resources to run the main worm. If so, it extracts itself from the infected .EXE file and executes. Using the current time and some arithmetic operations the worm determines whether it can delete files from the temporary folder. Once that is done, the worm builds its primary infection tool: a MIME-encoded copy of itself in a multi-part message that can be attached to E-mail. This is given a random name and stored in a temporary directory. Now it’s ready to get to work.
Nimda next looks for the process called “Explorer.” In some cases it opens this process and assigns itself to a remote thread under Explorer. If that fails the worm uses API information to get needed information about the local computer. Then, it rests.
When it wakes up Nimda checks to see what operating system it’s running on. If NT-based, it compacts itself and copies itself out to LOAD.EXE in the Windows\System folder. The SYSTEM.INI file is then modified to start with the shell EXPLORER.EXE (as usual) but with “LOAD.EXE -dontrunold” as well. This assures the worm will run at each system start.
Finally, the worm copies itself to RICHED20.DLL, also in the System folder, and sets the file to hidden and system. When that’s done Nimda looks for shared network resources and starts to scan files on remote computers. Here it’s looking for .DOC and .EML files and, when found, RICHED20.DLL is copied to their directory so it will be run when an OLE component is needed on the remote computer. This then starts the infection process on the remote computer.
While looking around the remote computer Nimda also copies infected .EML and (sometimes) .NWS files with names similar to HTML files already found on that remote computer. These files can also infect the remote computer if accessed.
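As an added example (not code from the original page), this Python triage scan looks for the host-side traces just described: a SYSTEM.INI shell line that chains LOAD.EXE -dontrunold after EXPLORER.EXE, RICHED20.DLL dropped into directories that hold .DOC or .EML files, and .EML/.NWS files named after HTML files in the same directory. The sample directory tree and SYSTEM.INI text are constructed, and the function names are my own.

```python
# Added example, not the page's own code: report the Nimda host traces
# described above.  The sample tree is constructed in a temp directory;
# real use would point scan_tree() at a mounted Windows volume.
import os
import re
import tempfile

# [boot] shell= line that chains LOAD.EXE -dontrunold after EXPLORER.EXE.
SHELL_LINE = re.compile(r"^\s*shell\s*=.*load\.exe\s+-\s*dontrunold", re.I | re.M)
DOC_LIKE = {".doc", ".eml"}      # RICHED20.DLL is dropped where these live
HTML_LIKE = {".htm", ".html"}    # .EML/.NWS drops borrow these files' names


def scan_system_ini(text: str) -> list:
    """Report every shell= line that also starts the worm."""
    return [f"SYSTEM.INI starts worm: {m.group(0).strip()}"
            for m in SHELL_LINE.finditer(text)]


def scan_tree(root: str) -> list:
    """Walk root and report RICHED20.DLL drops and HTML-named .EML/.NWS files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        split = {f: os.path.splitext(f) for f in lower}
        suffixes = {ext for _, ext in split.values()}
        if "riched20.dll" in lower and suffixes & DOC_LIKE:
            findings.append(f"RICHED20.DLL beside document files in {dirpath}")
        html_stems = {stem for stem, ext in split.values() if ext in HTML_LIKE}
        for f, (stem, ext) in split.items():
            if ext in (".eml", ".nws") and stem in html_stems:
                findings.append(f"{f} shadows an HTML file in {dirpath}")
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one clean folder and one with the drops."""
    root = tempfile.mkdtemp()
    clean, shared = os.path.join(root, "clean"), os.path.join(root, "shared")
    os.makedirs(clean)
    os.makedirs(shared)
    for name in ("report.doc", "index.html"):
        open(os.path.join(clean, name), "w").close()
    for name in ("memo.doc", "riched20.dll", "index.html", "index.eml", "news.nws"):
        open(os.path.join(shared, name), "w").close()
    return root
```

The legitimate copy of RICHED20.DLL in the System folder is only reported if document files sit beside it, so a hit there still deserves a look. Run the scan against a volume mounted from a clean system rather than on the suspect machine itself, since the worm hides its files from Explorer.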
Using the IP address of the infected computer, the worm searches for IIS servers to infect using a known backdoor (a patch is available, see the notes at the start of this page). The idea is that if the current computer is not properly protected then other local computers may not be either, so approximately 50% of the probes use nearby IP addresses.
Some other things the worm does…
- It modifies the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer seen. This hides the worm in Explorer.
- It adds the account “guest” to an infected system and gives it Administrator and Guests group privileges. Using this it shares the C:\ drive with full access privileges.
- It deletes subkeys from the key [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] which effectively disables sharing security.
This beast places itself in a number of different locations so it is easy to overlook one or more if you’re trying to disinfect manually. It’s best to use a tool to do any disinfection. Many Anti-Virus sites have free tools to help with this job. Use them.