Five mods of Nimda detected. (Virus Notes)

Since "Nimda" was discovered on September 18, 2001, Kaspersky Labs has detected five more modifications of this network worm. Some of them have already been seen "in the wild", but fortunately none of them has caused an epidemic comparable to the original one. Kaspersky Labs recommends that users carefully read the descriptions of the recently discovered Nimda modifications and download the latest Kaspersky Anti-Virus database updates to prevent infection.

Nimda.a

The original worm, discovered on September 18, 2001. "Nimda" penetrates a computer in several different ways.

First of all, via e-mail: an infected e-mail in HTML format, containing several embedded objects, enters a target computer. Upon viewing the e-mail, one of the objects (named README.EXE, about 57 KB in size) is automatically executed unbeknownst to the user. In order to accomplish this, the worm exploits a breach in Internet Explorer's security that was first detected in March of this year.

Secondly, while surfing infected Web sites: in place of the original Web site, a user is shown a modified version containing a malicious Java program, which downloads and starts a copy of "Nimda" on the remote computer, using the aforementioned breach.

Thirdly, via the local network: the worm scans all accessible network resources, dropping thousands of copies of itself there.
This is done with the idea that upon finding the file on a disk or server, a user will single-handedly infect his/her own computer. In addition to penetrating workstations, "Nimda" also carries out an attack on Web servers running under Microsoft Internet Information Server (IIS). To do this it exploits a breach in IIS called "Web Server Folder Traversal", as described in the corresponding Microsoft security bulletin.

Nimda.b

A slightly modified original "Nimda" worm, compressed with the PCShrink utility. The filenames "README.EXE" and "README.EML" are replaced with "PUTA!!.SCR" and "PUTA!!.EML".

Nimda.c

Exactly the original "Nimda" worm, but compressed with the UPX compressor.

Nimda.d

A slightly modified original "Nimda" worm, compressed with the PECompact utility. The only difference from the original worm is that the "copyright" text strings are patched in this version with the following text: "HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain".

Nimda.e

A recompiled "Nimda" variant with several subroutines fixed and optimized. This variant was found in the wild at the end of October 2001.
The visible differences from the original worm version are:

- The attached file name: SAMPLE.EXE (instead of README.EXE)
- The DLL files: HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)
- The "copyright" text is replaced with: "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)"

www.kaspersky.com
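The IIS vector described above, the "Web Server Folder Traversal" breach, leaves a trace in the Web server's access log: a request path that, once fully decoded, climbs above the Web root. The following Python script is an added example, not part of the original note and not Kaspersky's code. It canonicalizes request paths from W3C-style IIS log lines (repeated percent-decoding to catch double encoding, lenient acceptance of overlong UTF-8 sequences, folding of backslashes to slashes) and flags any request whose path escapes the root. The log lines, IP addresses, paths and the six-field log layout are constructed assumptions; the worm's actual request strings are not given on this page and are not reproduced here.

```python
"""Flag folder-traversal attempts in IIS-style (W3C extended) access logs.

Added example for defenders; log format, sample lines and paths are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines. Assumed field layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-09-18 10:00:01 10.0.0.5 GET /default.htm 200
2001-09-18 10:00:02 10.0.0.7 GET /scripts/..%c0%af../private/config.txt 200
2001-09-18 10:00:03 10.0.0.7 GET /scripts/..%255c../private/config.txt 200
2001-09-18 10:00:04 10.0.0.9 GET /images/../index.htm 200
2001-09-18 10:00:05 10.0.0.9 GET /msadc/../../../../private/config.txt 404
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d+)$"
)


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while also accepting overlong 2- and 3-byte forms.

    A strict decoder rejects overlong sequences; a permissive one maps them to
    the character they encode, which is how an encoded '/' or '\\' can slip past
    a check done before decoding. Bytes that fit no form are kept via Latin-1
    so no input is silently dropped.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= data[j] <= 0xBF for j in (i + 1, i + 2))):
            out.append(chr(((b & 0x0F) << 12)
                           | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %25-style double encoding), apply the
    lenient UTF-8 decoder, and fold backslashes so both separators compare equal."""
    current = uri
    for _ in range(rounds):
        decoded = lenient_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if the canonical path steps above the Web root at any point."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return (client ip, raw uri, canonical uri) for every traversal attempt.

    The status code is not used for the decision: a 200 on a flagged request
    means the server served it, a 404 means it was attempted and refused."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header/comment lines and anything not in the assumed layout
        canon = canonicalize(m["uri"])
        if escapes_root(canon):
            hits.append((m["ip"], m["uri"], canon))
    return hits


if __name__ == "__main__":
    for ip, raw, canon in scan_log(SAMPLE_LOG):
        print(f"{ip}  {raw}  ->  {canon}")
```

Run against a real IIS log only after adjusting LOG_RE to the fields your server actually writes; the decision logic (decode fully, then check depth) is independent of the layout. A path such as /images/../index.htm is deliberately not flagged, since it never leaves the root.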