2106148 : Nimda worm propagation
Event Description
The Nimda worm is similar in functionality to the Code Red worm and its derivatives. The Nimda worm attempts to identify vulnerable Microsoft IIS servers by using several Unicode Web Folder Traversal vulnerability attack strings to probe for vulnerable IIS systems and deface them. Nimda can infect any Windows system and then propagate by emailing copies of itself to individuals in MAPI (Messaging Application Programming Interface) address books, or by identifying and infecting vulnerable IIS servers.
Nimda takes advantage of standard email distribution techniques to broaden the range of target hosts. Instead of only attacking Web servers with Web server vulnerabilities, Nimda is designed to also propagate using spoofed email. The email is spoofed to appear to have been sent by trusted sources. Nimda relies on extensive local propagation once a system is infected. It replaces '.dll', '.eml', '.nws' files on all shared drives. It also appends itself to all '.htm', '.html', and '.asp' files on the infected system. This also allows the worm to spread to remote users when they access Web pages on infected servers.
For additional information regarding the "Nimda" worm, refer to Internet Security Systems Security Alert #97. See References.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector
- RealSecure Desktop Protector 3.6
- RealSecure Guard
- RealSecure Network
- RealSecure Sentry
- RealSecure Server Sensor
Signature: HTTP_Nimda_Worm
This signature looks for HTTP GET access to the file "/scripts/root.exe" or "/MSADC/root.exe" with a query string that begins with "/c".
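As an added example (not from the original page or from ISS), the following Python script applies the HTTP_Nimda_Worm signature logic to constructed IIS W3C extended log lines: it flags GET requests for /scripts/root.exe or /MSADC/root.exe whose query string begins with "/c". It goes slightly beyond the signature text by matching case-insensitively and percent-decoding the path, on the assumption that IIS resolves paths case-insensitively; the log excerpt and field order are constructed samples.

```python
from urllib.parse import unquote

# Paths named by the HTTP_Nimda_Worm signature, compared case-insensitively
# (assumption: IIS path handling is case-insensitive, so variants must be caught).
NIMDA_PATHS = {"/scripts/root.exe", "/msadc/root.exe"}

def is_nimda_request(method, uri_stem, uri_query):
    """Return True if the request matches the signature: a GET to one of the
    root.exe paths with a query string that begins with "/c"."""
    if method.upper() != "GET":
        return False
    path = unquote(uri_stem).lower()
    if path not in NIMDA_PATHS:
        return False
    query = unquote(uri_query)
    # IIS logs "-" when the request carried no query string.
    return query != "-" and query.lower().startswith("/c")

def parse_w3c_line(line):
    """Parse one W3C log line with the constructed field order
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'."""
    if line.startswith("#") or not line.strip():
        return None  # directive or blank line
    fields = line.split()
    if len(fields) < 7:
        return None  # malformed line
    return {"date": fields[0], "time": fields[1], "client": fields[2],
            "method": fields[3], "stem": fields[4], "query": fields[5],
            "status": fields[6]}

def find_nimda_hits(log_text):
    """Return (client, stem, query) for every log line matching the signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec and is_nimda_request(rec["method"], rec["stem"], rec["query"]):
            hits.append((rec["client"], rec["stem"], rec["query"]))
    return hits

# Constructed sample log excerpt (not real traffic): the first two requests show
# the probe pattern the signature describes; the rest are benign or near misses.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 200
2001-09-18 14:02:12 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:03:01 192.0.2.20 GET /default.htm - 200
2001-09-18 14:03:05 192.0.2.30 POST /scripts/root.exe /c+dir 403
2001-09-18 14:03:09 192.0.2.40 GET /scripts/root.exe - 404
"""
```

Running `find_nimda_hits(SAMPLE_LOG)` on the constructed excerpt reports only the two GET probes from 192.0.2.10; the POST and the GET without a query string are not flagged.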
Affected platforms
- Microsoft IIS 4.0
- Microsoft IIS 5.0
- Microsoft Windows 2000
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows Me
- Microsoft Windows NT 4.0
How to remove this vulnerability
For Microsoft IIS versions 4.0 and 5.0:
Apply the latest IIS cumulative security patch to prevent Web servers from being compromised by the Nimda worm, as listed in Microsoft Security Bulletin MS02-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS02-018, but it has been superseded by the patch released with MS03-018. See References.
For Microsoft Internet Explorer versions 5.01 and 5.5:
To prevent the automatic execution of email attachments due to incorrect MIME headers, apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS01-027. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS01-020, but it was superseded by the patch released with MS01-027.
For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-001. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS01-044, but it was superseded by the patch released with MS02-001.
For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS02-001, but it has been superseded with the patch released with MS02-018. See References.
For IIS:
Microsoft originally provided a patch for this vulnerability in MS02-018, but it was superseded by the patch released with MS02-062, and then superseded by the patch released with MS03-018. See References.
Additional information on recovering from a system compromise is available from the CERT Coordination Center Web site. See References.
References
Internet Security Systems Security Alert #97
Aggressive Propagation of Nimda Worm
http://www.iss.net/xforce/alerts/id/advise97
Microsoft Security Bulletin MS03-018
Cumulative Patch for Internet Information Service (811114)
http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx
Microsoft Security Bulletin MS02-062
Cumulative Patch for Internet Information Service (Q327696)
http://www.microsoft.com/technet/security/Bulletin/MS02-062.mspx
Microsoft Security Bulletin MS02-018
Cumulative Patch for Internet Information Services (Q319733)
http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx
Microsoft Security Bulletin MS02-001
Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data
http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx
Microsoft Security Bulletin MS01-027
Flaws in Web Server Certificate Validation Could Enable Spoofing
http://www.microsoft.com/technet/security/bulletin/MS01-027.mspx
National Infrastructure Protection Center Advisory 01-022
Mass Mailing Worm W32.Nimda.A@mm
http://www.nipc.gov/warnings/advisories/2001/01-022.htm
CIAC Information Bulletin L-132
Microsoft Cumulative Patch for IIS
http://www.ciac.org/ciac/bulletins/l-132.shtml
Microsoft TechNet
Information on the "Nimda" Worm
http://www.microsoft.com/technet/security/topics/Nimda.asp
CIAC Information Bulletin L-144
The W32.nimda Worm
http://www.ciac.org/ciac/bulletins/l-144.shtml
BugTraq Mailing List, Tue Sep 18 2001 - 19:49:43 CDT
Nimda Worm
http://archives.neohapsis.com/archives/bugtraq/2001-09/0156.html
CERT Coordination Center
Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
F-Secure Computer Virus Information Page
Nimda
http://www.f-secure.com/v-descs/nimda.shtml
Microsoft Security Bulletin MS01-020
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx
Microsoft Security Bulletin MS01-044
15 August 2001 Cumulative Patch for IIS
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
CERT Advisory CA-2001-26
Nimda Worm
http://www.cert.org/advisories/CA-2001-26.html
Common Vulnerabilities and Exposures
A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0660
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2009 IBM Internet Security Systems. All rights reserved.
This page was created on Thu Jun 11 09:07:09 2009
