And Now: The "W32.Nimda" Virus

Bozo Galora

Diamond Member
Oct 28, 1999
Latest worm virus hits e-mail inboxes, by August Cole

An e-mail virus along the lines of the recent "Code Red" worm has begun to appear in inboxes, targeting the same sort of Microsoft software used with Windows NT or Windows 2000. The FBI is said to be looking into the "W32.Nimda" virus, though the agency did not indicate whether the program is linked to last Tuesday's terrorist attacks, the Associated Press reported. It appears tens of thousands of computer users are affected.
 

Viper GTS

Lifer
Oct 13, 1999
That might explain the insane call volume today.

Exactly the same impact Code Red & its variants had; we're fvcked today.

Viper GTS
 

BDawg

Lifer
Oct 31, 2000
How sad...it doesn't even try to disguise the .exe payload as something else...

<< Was it over when the Germans bombed Pearl Harbor? Hell no! >>

And it's not over now! ;)
 

amnesiac

Lifer
Oct 13, 1999
As harsh as it sounds, I feel that people who propagate the spread of the virus get what they deserve. There's no reason to launch random email attachments. Most people SHOULD know better than this given the frequency with which stuff like this occurs.
 

nakedfrog

No Lifer
Apr 3, 2001
It's actually a self-propagating worm, which can spread itself across a network without the email being activated. It seems to have some pretty nasty effects (especially on an NT4 box).
Anyone got any news on the cleanup procedure?
 

bunker

Lifer
Apr 23, 2001
Dammit! Does this mean another 400 warnings a day from Zone Alarm?!?

I'm at work so I can't check it at home.
 

HowardStern

Banned
Jun 28, 2001
I read the referenced webpage. Wouldn't you have to actually run the readme.exe that's attached to the email to infect your computer?
 

RSI

Diamond Member
May 22, 2000
Aren't people smart enough not to run a readme.exe? Come on, that's so damn obvious. You don't have to be a computer genius to know that EXE files are EXECUTABLE files, and TEXT DOCUMENTS AREN'T EXECUTABLE FILES!

Now if it was a readme.txt and could still somehow infect computers, then it could be bad. But then again avoiding attachments altogether is the best way to not get a virus.

Viruses is suck.

-RSI
 

DefRef

Diamond Member
Nov 9, 2000
Many people have the "hide extensions of known file types" box checked and can't see that it's an EXE. They also don't recognize the difference between program and Notepad icons.
 

Damaged

Diamond Member
Oct 11, 1999


<< Aren't people smart enough not to run a readme.exe? >>

NO :)

See, those people are NIMRods, whereas this virus is Nimda (probably pronounced Nim-duh with those people in mind).

 

nakedfrog

No Lifer
Apr 3, 2001
Never underestimate the power of human stupidity.
Ever.

There seems to be a dearth of information on this one thus far, I still haven't figured out how to clean this stuff up.
 

Bozo Galora

Diamond Member
Oct 28, 1999

This thing is NASTY!:

W32/Nimda-A

Aliases
W32.Nimda.A@mm, Code Rainbow, Minda, Nimbda

Type
W32 executable file virus

Detection
A virus identity file (IDE) which provides protection is available now from the Latest virus identities section, and will be incorporated into the November 2001 (3.51) release of Sophos Anti-Virus.

Sophos has received many reports of this virus from the wild.

Please note: The IDE has been updated on 18 September at 19:45 BST to improve detection of this virus.

Description
W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites.

Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp
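The Sophos write-up quoted above gives three host-side artefacts a responder can look for without waiting for a vendor removal tool. The script below is an added example for this thread, not code from Sophos or from anyone in the thread: it checks a System.ini text for the quoted shell= hook, a Windows directory for the load.exe / riched20.dll copies, and a web root for the listed page names. The "readme.eml" marker it uses to decide a page was rewritten is the well-known Nimda page footer and is an assumption relative to what the thread states (the thread only says pages were changed to carry the attachment). All sample files are constructed in a temporary directory.

```python
"""Host triage for the Nimda indicators named in the Sophos write-up quoted above.

Added example, not code from the thread or from Sophos. It checks the three
host-side artefacts the write-up lists: the shell= hook in System.ini, the
load.exe / riched20.dll copies dropped into the Windows directory, and the web
page filenames the worm rewrites on IIS. All sample data is constructed.
"""
import re
import tempfile
from pathlib import Path

# The start-up hook exactly as the write-up quotes it from an infected System.ini.
NIMDA_SHELL_RE = re.compile(
    r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.I | re.M
)

# Copies the write-up says are dropped, hidden, into the Windows directory.
DROPPED_FILES = ("load.exe", "riched20.dll")

# Page names the write-up lists as rewrite targets on vulnerable IIS servers.
TARGET_PAGES = {
    "index.html", "index.htm", "index.asp",
    "readme.html", "readme.htm", "readme.asp",
    "main.html", "main.htm", "main.asp",
    "default.html", "default.htm", "default.asp",
}

# Marker for a rewritten page. The thread only says the pages were changed to
# carry the attachment; the readme.eml reference is the well-known Nimda page
# footer and is an assumption relative to what the thread itself states.
PAGE_MARKER_RE = re.compile(r"readme\.eml", re.I)

FILE_ATTRIBUTE_HIDDEN = 0x2


def shell_hooked(system_ini_text: str) -> bool:
    """True if System.ini carries the worm's shell= line."""
    return bool(NIMDA_SHELL_RE.search(system_ini_text))


def is_hidden(p: Path) -> bool:
    """Windows hidden attribute; st_file_attributes is absent elsewhere, so this
    is advisory on non-Windows hosts and the name check below is what counts."""
    return bool(getattr(p.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def dropped_files(windows_dir: Path) -> list[str]:
    """Entries from DROPPED_FILES present in windows_dir (case-insensitive, as NTFS is)."""
    present = {p.name.lower() for p in windows_dir.iterdir() if p.is_file()}
    return [name for name in DROPPED_FILES if name in present]


def rewritten_pages(webroot: Path) -> list[str]:
    """Target pages under webroot whose content carries the marker, as webroot-relative paths."""
    hits = []
    for p in webroot.rglob("*"):
        if p.is_file() and p.name.lower() in TARGET_PAGES:
            if PAGE_MARKER_RE.search(p.read_text(errors="replace")):
                hits.append(p.relative_to(webroot).as_posix())
    return sorted(hits)


def triage(windows_dir: Path, webroot: Path, system_ini_text: str) -> dict:
    """Collect all three indicator classes; all-empty/False means none were seen."""
    return {
        "shell_hooked": shell_hooked(system_ini_text),
        "dropped_files": dropped_files(windows_dir),
        "rewritten_pages": rewritten_pages(webroot),
    }


def build_sample() -> tuple[Path, Path, str]:
    """Constructed layout of an infected host (placeholder bytes, not real artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="nimda_triage_"))
    win = root / "WINNT"
    web = root / "Inetpub" / "wwwroot"
    win.mkdir()
    web.mkdir(parents=True)
    (win / "load.exe").write_bytes(b"MZ\x90\x00")
    (win / "RICHED20.DLL").write_bytes(b"MZ\x90\x00")   # note the case difference
    (win / "notepad.exe").write_bytes(b"MZ\x90\x00")    # legitimate, must not match
    (web / "default.htm").write_text(
        "<html><body>site</body></html>\n"
        '<html><script language="JavaScript">window.open("readme.eml")</script></html>\n'
    )
    (web / "about.htm").write_text("<html>not a target name</html>\n")
    (web / "sub").mkdir()
    (web / "sub" / "index.html").write_text("<html>target name, clean content</html>\n")
    ini = "[boot]\nshell=explorer.exe load.exe -dontrunold\n\n[386Enh]\nwoafont=dosapp.fon\n"
    return win, web, ini


if __name__ == "__main__":
    win, web, ini = build_sample()
    for key, value in triage(win, web, ini).items():
        print(f"{key}: {value}")
```

Run it on a real box by pointing `triage()` at the Windows directory, the IIS web root and the contents of System.ini; a name match in `dropped_files` is only a lead (any file can be called load.exe), and the hidden attribute from `is_hidden()` plus the shell= hook are what make it a confident call.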
 

MrBond

Diamond Member
Feb 5, 2000
Didn't MS fix that MIME bug? If not, I'd better get Norton doing email scans again, some of the people with my email account aren't the sharpest tools in the shed.

Does this one use a malformed MIME header like SirCam does? Anyone know?
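The MIME vulnerability the Sophos excerpt mentions is the one Microsoft patched as MS01-020: Outlook Express and Internet Explorer chose a handler from the declared Content-Type, so an executable part declared as audio/x-wav was run on preview without a click. That mechanism is from the bulletin, not from anyone in this thread. The check below is an added example of a gateway-side filter, not code from the thread: it compares what each MIME part claims to be (declared type, filename) against its leading bytes. The message it parses is constructed, with placeholder bytes in place of a real payload.

```python
"""Attachment check for the MIME trick the Sophos excerpt and MrBond's question refer to.

Added example, not code from the thread. Outlook Express and Internet Explorer
of the time (the bug Microsoft patched as MS01-020) picked a handler from the
declared Content-Type, so an executable part declared as audio/x-wav ran on
preview without a click; that detail is from the bulletin, not from this
thread. The gateway-style check below compares what a part claims to be
against its filename extension and its leading bytes. The message is constructed.
"""
import base64
import os
from email import message_from_bytes
from email.message import Message

# Extensions a mail gateway of the period would block outright.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Content types under which a PE/MZ payload is at least honestly labelled.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def part_filename(part: Message) -> str:
    """Filename from Content-Disposition, falling back to the Content-Type name=
    parameter (the only place a Nimda-style mail puts it)."""
    return (part.get_filename() or "").lower()


def classify_part(part: Message) -> list[str]:
    """Reasons this leaf part is suspicious; an empty list means nothing found."""
    if part.is_multipart():
        return []
    reasons = []
    name = part_filename(part)
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    ext = os.path.splitext(name)[1]
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if payload.startswith(b"MZ"):
        reasons.append("payload starts with MZ (PE executable)")
        if ctype not in BINARY_TYPES:
            reasons.append(f"declared type {ctype} does not match executable payload")
    if ctype in ("audio/x-wav", "audio/wav") and not payload.startswith(b"RIFF"):
        reasons.append("declared WAV but body lacks RIFF header")
    return reasons


def suspicious_attachments(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk every part of a raw RFC 822 message and return (filename, reasons) hits."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        reasons = classify_part(part)
        if reasons:
            hits.append((part_filename(part) or "<unnamed>", reasons))
    return hits


def build_sample() -> bytes:
    """Constructed message shaped like the trick: HTML body plus an MZ payload
    declared as audio/x-wav and named readme.exe. Payload bytes are placeholders."""
    fake_pe = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    return (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        "\r\n"
        "<html><body>nothing to see</body></html>\r\n"
        "--b1\r\n"
        'Content-Type: audio/x-wav; name="readme.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{fake_pe}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for name, reasons in suspicious_attachments(build_sample()):
        print(name)
        for r in reasons:
            print("  -", r)
```

The point of checking the leading bytes as well as the name is that the extension test alone is defeated by a renamed file, and the Content-Type test alone is defeated by a truthful application/octet-stream label; the part is only let through when all three agree.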
 

wildwildwes

Senior member
Jul 18, 2001
My IIS server got infected with this last night. It's bad stuff. It changed ALL my web page files to contain the virus attachment. I fixed it for now by stopping the server and all the suspicious programs, but my web files are still messed up. Hopefully there will be a fix for this when I get back from class so I don't have to do it myself.
 

Emulex

Diamond Member
Jan 28, 2001
Heh, I love these new holes, good for my business... if you want to test your WinNT or 2k box, see my sig.
 

nakedfrog

No Lifer
Apr 3, 2001
From an InfoWorld article:
"A NEW WORM that can infect all 32-bit Windows computers and propagates using multiple methods has spread across the world Tuesday morning, according to Roger Thompson, technical director of malicious code at TruSecure.

The worm, called Nimda (admin spelled backwards), can spread via e-mail attachments, HTTP, or across shared hard disks inside networks, Thompson said. The worm can infect all 32-bit Windows systems -- Windows 98, 2000, Millennium Edition, XP, NT -- because it scans systems for between 10 and 100 different vulnerabilities and exploits them when found, he said."
 

Nimloth

Senior member
Mar 5, 2001
We got a couple of boxes infected with this sh!t...

Norton AntiVirus starts quarantining infected files, which include Windows system files, which leads to blue screens on startup.

What's making me mad is that no one has instructions on removal yet >:|
 

Russ

Lifer
Oct 9, 1999
Both my servers are getting hammered with attempts right now. Damn, just when Code Red had finally slowed down.

Shux posted this URL scan tool. It uses rule sets to bounce these requests and turns them into tidy little 404s. It will help keep your log file size down.

Russ, NCNE
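The requests hammering Russ's servers are probes for the IIS Unicode directory traversal the Sophos excerpt names. What made that bug work is ordering: IIS 4/5 looked for ".." before its lenient UTF-8 decoder turned byte pairs such as %c0%af into a real "/", so "..%c0%af.." passed the check and still walked out of the web root. The code below is an added example, not Russ's or Shux's URL scan tool, modelling both orderings in Python: the vulnerable check that decodes once and then looks for "..", and a hardened check that decodes to a fixed point first. The double-encoded %255c form it also catches is the sibling IIS decoding bug, which this thread does not mention. The sample requests are constructed, modelled on the widely published Nimda probe strings.

```python
"""Request canonicalisation check for the IIS Unicode directory traversal the worm probes for.

Added example, not Russ's or Shux's URL scan tool. It models the two orderings:
the vulnerable one, where IIS 4/5 looked for '..' before its lenient UTF-8
decoder turned bytes such as %c0%af into '/' (the bug behind the Unicode
traversal the Sophos excerpt names), and the hardened one, which decodes to a
fixed point first and only then checks. The double-encoded %255c form is the
sibling decoding bug, not something this thread mentions. The sample requests
are constructed, modelled on the well-known Nimda probe strings.
"""
from urllib.parse import unquote_to_bytes


def lenient_utf8(b: bytes) -> str:
    """Emulates a permissive decoder: a 0xC0-0xDF lead byte is combined with the
    next byte using only its low six bits, without checking that the byte is a
    valid continuation or that the result is not overlong. So 0xC0 0xAF -> '/'
    and 0xC1 0x1C -> '\\'. Everything else is taken as a single Latin-1 char."""
    out = []
    i, n = 0, len(b)
    while i < n:
        lead = b[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < n:
            out.append(chr(((lead & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= lead <= 0xEF and i + 2 < n:
            out.append(chr(((lead & 0x0F) << 12) | ((b[i + 1] & 0x3F) << 6) | (b[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def decode_fully(path: str, max_rounds: int = 4) -> str:
    """Percent-decode and UTF-8-decode until nothing changes, so %252f and
    %%35%63 collapse to the same characters a single %2f or %5c would."""
    cur = path
    for _ in range(max_rounds):
        nxt = lenient_utf8(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def _has_dotdot(path: str) -> bool:
    return ".." in path.replace("\\", "/").split("/")


def naive_allows(request_target: str) -> bool:
    """Vulnerable ordering: one percent-decode, then the traversal check. The
    lenient UTF-8 step that later produced the real '/' is not modelled here,
    which is exactly why these probes slipped past it."""
    path = request_target.split("?", 1)[0]
    return not _has_dotdot(unquote_to_bytes(path).decode("latin-1"))


def hardened_allows(request_target: str) -> bool:
    """Decode to a fixed point, normalise separators, then refuse any '..'
    segment and anything outside printable ASCII (a URLScan-style policy)."""
    path = decode_fully(request_target.split("?", 1)[0])
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in path):
        return False
    return not _has_dotdot(path)


# Constructed, modelled on the Nimda probe strings; the comment names the trick in each.
SAMPLE_REQUESTS = [
    "/default.htm",                                          # benign
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",    # overlong UTF-8 '/'
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",    # 0xC1 + unvalidated byte -> '\\'
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",     # double-encoded '\\'
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",   # '%' + '5' + 'c' on the second pass
    "/images/..%2f..%2fetc/passwd",                          # plain encoding: both orderings catch it
]


def compare(requests=SAMPLE_REQUESTS) -> list[tuple[str, bool, bool]]:
    """(request, naive verdict, hardened verdict) for each request."""
    return [(r, naive_allows(r), hardened_allows(r)) for r in requests]


if __name__ == "__main__":
    for req, naive, hardened in compare():
        print(f"naive={'allow' if naive else 'deny '} hardened={'allow' if hardened else 'deny '}  {req}")
```

The lesson for any rule set like the one Russ describes is that a pattern match on the raw URL is only as good as the canonicalisation in front of it: a rule for "cmd.exe" or ".." has to run after the same decoding the file system will apply, or the worm simply spells the path a different way.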
 

Medea

Golden Member
Dec 5, 2000
For those of you who have firewalls, I'm sure you've noticed the outrageous amount of incoming alerts you've gotten today. NIMDA is pinging desktops and servers whether or not you've got IIS installed. I've deflected well over 200 incoming alerts today alone on my desktop. You'll also notice that the majority of the incoming attempts are probably very close to your ISP's IP address.

Although only Windows systems are affected, this time this worm includes Windows desktops, servers, etc., whether running IIS or not (unlike Code Red). Viewing a page from an infected IIS server may be enough to infect a desktop system, because of the applet the virus launches. The "swiss army knife" analogy in this article is really good. Of course, regardless of the OS you use, the collateral damage is still high in terms of the high level of traffic this thing is producing.

For more info, see CERT's article.