
'Nimda' Virus Targets Windows Systems, Internet Information Servers

Joyce Winslow
jwins@oregon.uoregon.edu

On September 18, TruSecure Corporation sensors detected a new worm, dubbed Nimda W32.nimda.a.mm, as it attempted to infect Windows NT and 2000 servers and Windows 95/98/ME/NT/2000 machines worldwide.

Nimda is the first worm to use normal end-user machines to scan for vulnerable websites. The virus spreads by sending infected emails, creating an open network share on the infected computer and attempting to copy itself to unpatched Microsoft Internet Information Server (IIS) systems. It commonly appears in an email without a subject line and contains an attachment titled "readme.exe". Users visiting compromised web servers may inadvertently download an Outlook Express email file (.eml) that contains the worm as an attachment.
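As an added illustration (not part of the original article), the sketch below checks a raw message for the indicators named above: a missing subject line and an attachment called readme.exe. It also flags an executable file name declared under an audio, image or video MIME type, which is how the MS01-020 flaw was triggered; that detail, the extension list and the function names are assumptions of this example, not taken from the article.

```python
import email
from email import policy

# Assumption of this example: which extensions count as executable.
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat")
MEDIA_TYPES = {"audio", "image", "video"}

# Constructed sample (not a captured message): no Subject header, and an
# attachment named readme.exe that is declared as audio/x-wav.
SAMPLE = b"""\
From: sender@example.com
To: user@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

hello
--B1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--B1--
"""

def nimda_indicators(raw):
    """Return the indicators found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("no-subject")
    for part in msg.walk():  # walk() also descends into nested multiparts
        # get_filename() falls back to the Content-Type "name" parameter
        name = (part.get_filename() or "").lower()
        if name == "readme.exe":
            hits.append("readme.exe")
        if name.endswith(EXEC_EXT) and part.get_content_maintype() in MEDIA_TYPES:
            hits.append(f"type-mismatch:{part.get_content_type()}:{name}")
    return hits

def is_suspect(raw):
    """A missing subject alone is too common to flag; require an attachment hit."""
    return any(h != "no-subject" for h in nimda_indicators(raw))

if __name__ == "__main__":
    print(nimda_indicators(SAMPLE), is_suspect(SAMPLE))
```

A mail gateway or mailbox sweep could call is_suspect() on each stored message and quarantine the hits for review.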

Once Nimda infects a machine, it tries to replicate in one of three ways:

While the worm does not destroy data, it can markedly slow or disrupt computer operations because it is so pervasive and spreads so rapidly.

How to Protect Yourself

There are several steps you can take to protect yourself from virus contamination:

  1. Install and update antivirus software
  2. Download the antivirus software patches

     Free patches for both the IIS vulnerability and the MIME Outlook Express email exploit are available at http://www.microsoft.com/technet/security/bulletin/MS00-078.asp and http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

  3. Don't open unknown email attachments! Everyone--especially those who use Outlook or Outlook Express--should take care not to open attachments they're not expecting.
  4. Turn off JavaScript and auto-preview in your browser's Preferences folder under the Edit menu:

     Internet Explorer 5: Open Edit -> Web Browser -> Java and make sure "Enable Java" is unchecked
     Netscape 6: Open Edit -> Preferences -> Advanced and uncheck all the Java options
     Netscape Communicator 4.7: Open Edit -> Preferences -> Advanced and uncheck all the Java options

Note: Microsoft recently released an IIS Lockdown tool that will secure even an unpatched IIS server against many common attacks. For details, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

Fall 2001 Computing News | Computing Center Home Page