Nimda - how it works. (VIRUS NOTES).


Nimda, a virus worm, has rapidly established itself as another problem. It spreads via the Internet attached to infected e-mails, copies itself to shared directories over a local network, and also attacks vulnerable IIS (Internet Information Services) machines (Web sites). The worm itself is a Windows PE EXE file about 57Kb in length, and is written in Microsoft C++.

In order to run from an infected message, the worm exploits a security breach. The worm then installs itself to the system, and runs a spreading routine and payload. The worm contains the following "copyright" text string: Concept Virus(CV) V-5, Copyright(C)2001 R.P.China

Installing

While installing, the worm copies itself:

- to the Windows directory with the MMC.EXE name
- to the Windows system directory with the RICHED20.DLL name (and overwrites the original Windows RICHED20.DLL file) and with the LOAD.EXE name.

The last one is then registered in the auto-run section of the SYSTEM.INI file:

[boot]
shell=explorer.exe load.exe -dontrunold

The worm also copies itself to a Temporary directory with random MEP*.TMP and MEP*.TMP.EXE names, for example:

mep01A2.TMP
mep1A0.TMP.exe
mepE002.TMP.exe
mepE003.TMP.exe
mepE004.TMP

These EXE files have Hidden and System attributes, as does the LOAD.EXE file (see above).


The worm then runs its spreading and payload routines. Depending on the Windows version, the worm affects the EXPLORER.EXE process, and may run its routines as an EXPLORER background process (thread).

Spreading via E-mail

In order to send infected messages, the worm connects to a host machine by using the SMTP (Simple Mail Transfer Protocol) protocol, and sends its copies to victim addresses.

In order to obtain victim e-mail addresses, the worm uses two ways:

1. scans *.HTM and *.HTML files and looks for e-mail-like strings

2. by using MAPI connects to MS Exchange e-mail boxes and obtains e-mail addresses from there.

The infected messages are of HTML format and contain:

Subject: empty or random
Body: empty
Attach: README.EXE


Subjects are chosen from the name of a randomly selected file from the folder HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually this is "My Documents") or a randomly selected file on the C: drive. In order to spread from infected messages, the worm uses an "IFRAME" trick; the vulnerability is described at: Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to Execute E-mail Attachment, http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. Download patch: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

What causes the vulnerability?

If an HTML mail contains an executable attachment, whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.

What does the patch do?

The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This has the effect of preventing e-mails from being able to automatically launch executable attachments.
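The two conditions just described (an executable attachment whose MIME type is misdeclared, reached through a hidden IFRAME) can be checked on a saved message. The Python below is an added example, not code from the original article; its sample message is constructed, and the audio/x-wav type in it is chosen here as an illustration of the kind of "unusual type" the bulletin refers to.

```python
import email
from email import policy

# Constructed sample message (not a real capture): an HTML body with a hidden
# IFRAME pointing at an attached part whose Content-Type misdeclares an .exe
# as audio/x-wav, which is the shape of attachment MS01-020 concerns.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:part1" width="0" height="0"></iframe></body></html>

--BOUND
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--BOUND--
"""

EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
# Types under which an executable attachment is legitimately declared
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-msdos-program"}

def find_mime_mismatches(raw):
    """Return (filename, declared type) for executables declared as anything else."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS) and part.get_content_type() not in EXEC_TYPES:
            findings.append((name, part.get_content_type()))
    return findings

def has_iframe_to_attachment(raw):
    """True if an HTML part embeds an IFRAME whose source is another MIME part (cid:)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_content().lower()
            if "<iframe" in body and "cid:" in body:
                return True
    return False
```

Either check firing on a saved .EML or .NWS file is a strong sign of a Nimda-style message, independent of whether the attachment's bytes are already known to a scanner.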

Spreading via the local network

The worm scans local and shared (mapped) remote drives in three different manners, and infects all accessible directories in there.

While infecting, the worm uses two different ways:

1. It creates .EML (in 95%) or .NWS (in 5%) files with randomly selected names. As a result, these EML and NWS files are everywhere on an infected machine (and in the local network), and there may be thousands of them. These files contain the worm's copy in e-mail form. The e-mail form is an HTML e-mail message with the worm's copy in a MIME envelope, and with the IFRAME trick as described above. Upon being opened, this message immediately infects a vulnerable machine.

2. The worm looks for filename+extension combinations *DEFAULT* *INDEX* *MAIN* *README* + .HTML, .HTM, .ASP

(*NAME* means that NAME may be a sub-string in the file name.) In case such a file is found, the worm copies itself in e-mail form to that directory with the README.EML name, and appends to the victim's HTM/ASP file a JavaScript program that simply opens the README.EML file when the HTML/ASP file is opened, which activates the worm. As a result, the worm infects Web pages, and may spread to machines that visit these Web sites.
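A web root can be checked for both traces of this behaviour: dropped README.EML files and target pages carrying an appended script that opens one. This Python scanner is an added example, not part of the original article; the demo tree it builds, including the script text in the infected page, is constructed to match the behaviour described above.

```python
import os
import re
import tempfile

# Page names the worm targets: DEFAULT/INDEX/MAIN/README as a sub-string, with
# an HTML/HTM/ASP extension
TARGET_STEMS = ("default", "index", "main", "readme")
TARGET_EXTS = (".html", ".htm", ".asp")
# A <script> block that references readme.eml, the form of the appended JavaScript
INJECT_RE = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)

def is_target_page(filename):
    stem, ext = os.path.splitext(filename.lower())
    return ext in TARGET_EXTS and any(s in stem for s in TARGET_STEMS)

def scan_web_root(root):
    """Return (path, reason) pairs for dropped README.EML files and pages carrying the script."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower() == "readme.eml":
                findings.append((path, "dropped worm e-mail file"))
            elif is_target_page(f):
                with open(path, "r", errors="replace") as fh:
                    if INJECT_RE.search(fh.read()):
                        findings.append((path, "script referencing readme.eml"))
    return findings

def build_demo_tree():
    """Constructed sample web root: a clean page, an infected page, a dropped README.EML."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write("<html><body>clean page</body></html>\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        # Original page content followed by the appended script block (constructed)
        fh.write("<html><body>site front page</body></html>\n"
                 '<html><script language="JavaScript">window.open("readme.eml", null, '
                 '"resizable=no,top=6000,left=6000")</script></html>\n')
    with open(os.path.join(root, "readme.eml"), "w") as fh:
        fh.write("placeholder standing in for the worm's e-mail-form copy\n")
    return root

if __name__ == "__main__":
    for path, reason in scan_web_root(build_demo_tree()):
        print(reason, "->", path)
```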

Spreading as an IIS attack

To upload its file to a victim's machine, the worm uses a "tftp" command, and activates a temporary TFTP server on the infected (current) machine to process the "get data" command from the victim's (remote) machine, in exactly the same way as the BlueCode (IISWorm.BlueCode) IIS worm. The name of the file that is uploaded to a victim's machine is ADMIN.DLL.
Payloads

The payload routine adds the "Guest" user to the Administrator User Group (as a result, a "Guest" user has full access to an infected machine). The worm also opens all local drives for sharing.

www.kaspersky.com
Nimda Protection Sources

Sophos

Sophos has issued protection against the Nimda virus, which can be found at: http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

GFI

Mail essentials for Exchange/SMTP is an email content checking and anti-virus solution that removes all types of email-borne threats before they can affect an organisation's email users. Spam, viruses, dangerous attachments and offensive content can be removed before the email users receive them. More information can be found at http://www.gfi.com/mesindex.htm

Kaspersky

The latest Kaspersky anti-virus update urges the immediate installation of the Internet Explorer and IIS patches that block the breaches. These patches not only repel "Nimda" attacks, but those of similar worms that could appear in the future.

www.kaspersky.com
COPYRIGHT 2001 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Database and Network Journal
Geographic Code:1USA
Date:Oct 1, 2001
Words:937