19 September 2001

Excerpts: New Worm Spreads Through Internet, Experts Warn

A new worm program is propagating on the Internet, according to monitoring organizations, and it could cause delays in traffic on the worldwide information network.

The new worm is being called "W32.Nimda.A@mm," and the CERT Coordination Center (CERT/CC) at the Carnegie Mellon Software Engineering Institute says that it is designed to exploit system vulnerabilities that emerged as a result of the Code Red Worm, which spread through the international network in July and August 2001.

A computer worm is a destructive program that can spread on its own. W32.Nimda enters vulnerable computers using Microsoft Windows programs and multiplies through e-mail to other users, network shared files available to a computer, and from a Web server to a client through a compromised Web site, according to warnings issued by CERT/CC.

Attorney General John Ashcroft included a warning about the new worm in a September 18 briefing primarily devoted to the investigation into the September 11 terrorist attacks. He said W32.Nimda is not thought to be related to the four airliner hijackings and their crashes, despite some concerns those incidents might be followed by attempts to sabotage critical infrastructure.

Ashcroft said, "I'm pleased to say that I understand that most of the antivirus companies have posted the files needed to protect unprotected computers, and those files obviously are available at this time."

Industry and government organizations work in a coordinated way with the appearance of such a threat to the Internet to advise users on how a worm propagates, what to look for to avoid corruption, and how to protect the vulnerabilities in computer systems. Software manufacturers have also developed system "fixes" that correct the system vulnerability and are made available to users at no cost. More specific information is available in the texts below.

Following are excerpts of warnings issued by the National Infrastructure Protection Center (NIPC) and CERT/CC:

(begin excerpt)

NATIONAL INFRASTRUCTURE PROTECTION CENTER

"Mass Mailing Worm W32.Nimda.A@mm"

09/18/2001

The National Infrastructure Protection Center (NIPC) has received numerous reports that a new worm, named W32.Nimda.A@MM, is propagating extensively through the Internet worldwide. The worm is exhibiting many traits of recently successful malicious code attacks such as CODE RED but it is not simply another version of that worm.

The Nimda worm threatens Microsoft Internet Information Services on Windows 2000 and NT web servers and also individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows platform (95, 98, and Millennium Edition). Preliminary analysis indicates that once a server is infected it will begin to scan for more vulnerable systems on the local network, which may result in a denial of service for that network. In the case of infected workstations as well as servers, the worm also makes the entire contents of the local primary hard drive (e.g. C Drive) available over the network. It is also believed that an additional user is added with administrative rights.

A computer can become infected through a variety of means ranging from simply viewing an infected webpage using a browser with no security enabled, to opening a malicious email attachment.

The NIPC and several other labs continue to analyze the Nimda worm. Expect additional updates in the near future. For the moment, system administrators and individual users should consider taking the immediate actions detailed below to protect their systems.

For system administrators:

Take appropriate steps to prevent the worm's attempts to distribute itself through the following means:

HTTP SCANNING for IIS vulnerabilities: --IIS MSDAC /root.exe --IIS UNICODE decoding cmd.exe --CODERED /root.exe --frontpage /cmd.exe

EMAIL (via IFRAMES and javascript) --readme.eml --readme.exe --getadmin.exe

TFTP DOWNLOADS --getadmin.exe --Admin.dll --Getadmin.dll

INTERNET EXPLORER HTTP iframe and javascript autoexec --readme.eml --readme.exe

OPEN WINDOWS FILE SHARING --readme.exe --readme.eml

For individual users:

Do not read or accept unexpected email file attachments. These emails should be deleted. Make sure browser security is enabled.

The anti-virus software industry is aware of this worm and has created a signature file to detect and remove it. Full descriptions and removal instructions can be found at various anti-virus software firms websites, including the following:

http://www.antivirus.com (Trend Micro) http://www.ca.com (Computer Associates) http://www.symantec.com http://vil.nai.com (McAfee)

Microsoft has posted critical updates at the following sites:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates, and to check for alerts put out by the NIPC, CERT/CC and other cognizant organizations.

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or [email protected]. (end excerpt)

(begin excerpt)

This is a joint press release from:

The Partnership for Critical Infrastructure Security (PCIS)
The Information Technology Association of America (ITAA)
The National Infrastructure Protection Center (NIPC)
The SANS Institute (System Administration, Networking and Security)
The CERT Coordination Center

GROUPS WARN PUBLIC OF INTERNET WORM W32.NIMDA.A@MM

In a press briefing today, the Attorney General advises that there is currently no evidence that this event is linked to the attacks last week at the World Trade Center and Pentagon.

The worm clogs parts of the Internet, slows or stops Internet traffic for some users and may damage files on infected computers. User machines that are infected by this worm might see an increase in scanning as the worm tries to compromise IIS servers. Many sites are experiencing high volumes of e-mail and network traffic as a result of this activity.

The worm spreads in multiple ways. For example, the worm infects systems by computer users opening certain attachments, i.e., "readme.exe," -or- ".wav" files. In corporate networks using IIS version 4 or 5, the worm allows the attacker to gain control over an infected server by exploiting the buffer overrun. Home users running Windows 95 or 98 are also vulnerable.

Please go to for preventive measures and technical details. For those unable to access the advisory site and download a patch, please consult your software manufacturer.

This industry and government partnership will provide additional information as it becomes available.

(end excerpt)

(begin excerpt)

CERT Advisory CA-2001-26 Nimda Worm

Systems Affected

-- Systems running Microsoft Windows 95, 98, ME, NT, and 2000

Overview

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:

-- from client to client via email

-- from client to client via open network shares

-- from web server to client via browsing of compromised web sites

-- from client to web server via active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability (VU #111677)

-- from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

Initial analysis indicates that the worm contains no destructive payload beyond modification of web content to facilitate its own propagation.

We are also receiving reports of denial of service as a result of network scanning and email propagation.

I. Description

The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000.

Email Propagation

This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

The email message delivering the Nimda worm appears to also have the following characteristics:

-- The text in the subject line of the mail message appears to be variable, but those seen to date have been over 80 characters long.

-- There appear to be many slight variations in the attach binary file, causing the MD5 checksum to be different when one compares different attachments from different email messages. However, the file length of the attachment appears to consistently be 57344 bytes.

Payload

Infected client machines attempt to send copies of the Nimda worm via email to all addresses found in the Windows address book.

Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit the IIS Directory Traversal vulnerability (VU #111677). The selection of potential target IP addresses follows these rough probabilities:

-- 50% of the time, an address with the same first two octets will be chosen

-- 25% of the time, an address with the same first octet will be chosen

-- 25% of the time, a random address will be chosen

The infected client machine transfers a copy of the Nimda code to any server that it scans and finds to be vulnerable. Once running on the server machine, the worm traverses each directory in the system (including all those accessible through a file shares) and write a copy of itself to disk using the name "README.EML". When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended to every one of these web-related files:

This modification of web content allows further propagation of the worm to new clients through a browser or browsing of a network file system.

Browser Propagation

As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.

File System Propagation

The Nimda worm creates numerous copies of itself (using the name README.EML) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able to compromise that system....

II. Impact

Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. Host that have been compromised are also at high risk for being party to attacks on other Internet sites.

The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.

III. Solutions

Recommendations for System Administrators of IIS machines

To determine if your system has been compromised, look for the following:

-- root.exe artifact (indicates a compromise by Code Red II or sadmind/IIS worms making the system vulnerable to the Nimda worm)

-- admin.dll artifact or unexpected .eml files in the directories with web content (indicates compromise by the Nimda worm)

The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network. However, if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet.

Detailed instructions for recovering your system can be found in the CERT/CC tech tip:

Steps for Recovering from a UNIX or NT System Compromise http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Apply the appropriate patch from your vendor

A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Recommendations for End User Systems

Apply the appropriate patch from your vendor

If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends applying patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Run and Maintain an Anti-Virus Product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Don't open e-mail attachments

The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.

Disable JavaScript End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript.

Appendix A. Vendor Information

Antivirus Vendor Information

Central Command, Inc.

http://support.centralcommand.com/cgi-bin/command.cfg/php/endus er/std_adp.php?p_refno=010918-000005

Command Software Systems

http://www.commandsoftware.com/virus/nimda.html

Data Fellows Corp

http://www.datafellows.com/v-descs/nimda.shtml

McAfee

http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

Sophos

http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec

http://www.symantec.com/avcenter/venc/data/[email protected]

Trend Micro

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName= TROJ_NIMDA.A

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5. asp?VName=TROJ_NIMDA.A

You may wish to visit the CERT/CC's computer virus resources page located at

http://www.cert.org/other_sources/viruses.html

References

Authors: Roman Danyliw, Chad Dougherty, Allen Householder, Robin Ruefle

This document is available from: http://www.cert.org/body/advisories/CA200126_FA200126.html

CERT/CC Contact Information

Email: [email protected] Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to [email protected] and include SUBSCRIBE your-email-address in the subject of your message.

-- "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.