Friday, November 18, 2005


Just when fears surrounding Code Red and its scandalous relatives started to fade, another devastating worm appeared. Named by spelling “admin” backward, Nimda reared its ugly head in September 2001 and caused considerable panic among system administrators who scrambled to shore up their vulnerable systems.
Nimda attacks as many as 16 known vulnerabilities (a count that corresponds to the distinct IIS exploit requests it sends) on both workstations and servers running Windows 95/98/Me/NT/2000, and it also hunts for the backdoors left behind by earlier, equally notorious worms.
This intricate threat works by locating and infecting EXE (executable) files on the local computer, so the worm spreads further whenever the victimized user passes those files to other users. Next, Nimda harvests email addresses from the local computer's email client (and from local HTML files) and sends one message to each address, complete with an attachment called Readme.exe; it repeats the mailing every 10 days. The message is crafted so that the executable is declared as an audio/x-wav attachment, and on PCs running Microsoft Internet Explorer 5.5 SP1 or earlier (except Internet Explorer 5.01 SP2) that lack the MIME-handling patch from Microsoft bulletin MS01-020, merely previewing or opening the message runs the attachment, infecting the computer without any user interaction. Otherwise, Nimda infects the computer if or when the user double-clicks the attachment.
Nimda then weakens several Windows security settings (on NT/2000 it enables the Guest account, adds it to the Administrators group, and shares every local drive) and begins scanning the Internet for vulnerable IIS servers, trying the IIS directory-traversal flaws (the Unicode and double-decode bugs from bulletins MS00-078 and MS01-026) as well as the root.exe backdoors created by Code Red II and the sadmind/IIS worm. When a probe succeeds, the worm has the server pull its code over TFTP from the infecting machine. At this point, Nimda's activity grows increasingly alarming: it appends a short JavaScript snippet to the web pages (HTM, HTML and ASP files) it finds on the server so that visitors' browsers open a copy of the worm saved as readme.eml. Nimda also traverses local networks looking for open file shares, including those reachable through a Guest account with no password, and upon finding one it drops EML copies of itself and a trojaned copy of the system library riched20.dll, so that the worm runs the next time any user opens a DOC (document) file from that location.
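The IIS probes described above leave a very recognisable trail in web-server logs, which is how many administrators first learned they were being scanned. The following detector, added here as an example and not taken from the original post, classifies IIS W3C-format log lines into the three kinds of Nimda probe (root.exe backdoor requests, cmd.exe reached through the C:/D: virtual roots that Code Red II created, and Unicode/double-decode directory traversal). The probe strings are the well-known Nimda request signatures; the log lines are constructed for illustration, not real captures, and the field layout assumes the default IIS W3C extended fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status.

```python
"""Flag Nimda-style IIS probes in W3C extended log lines.

Added example, not code from the original post. The request patterns are the
public Nimda probe strings; SAMPLE_LOG is constructed, not a real capture.
"""
import re
from urllib.parse import unquote

# Overlong or invalid UTF-8 byte pairs that unpatched IIS decoded into path
# separators (MS00-078); a standards-compliant percent decoder will not.
_OVERLONG = re.compile(r"%c0%af|%c0%2f|%c1%9c|%c1%1c", re.IGNORECASE)


def normalize_path(raw):
    """Decode a request path the way a vulnerable IIS would.

    Overlong UTF-8 separators are mapped to '/', then percent-decoding is
    repeated so double encodings such as %255c or %%35%63 (MS01-026) collapse
    to a single backslash. Backslashes are folded to '/' and the result
    lower-cased so the classifier only has one spelling to match.
    """
    path = raw
    for _ in range(4):  # enough rounds for any double/triple encoding seen in the wild
        decoded = unquote(_OVERLONG.sub("/", path))
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify_request(uri_stem):
    """Return the probe category for a request path, or None if it is benign."""
    path = normalize_path(uri_stem)
    if "root.exe" in path:
        return "backdoor"      # root.exe: cmd.exe copy left by Code Red II / sadmind-IIS
    if "cmd.exe" not in path:
        return None
    if re.match(r"^/[cd]/winnt/system32/cmd\.exe", path):
        return "drive-share"   # C: and D: exposed as virtual roots by Code Red II
    if "/../" in path:
        return "traversal"     # Unicode / double-decode directory traversal
    return "cmd"               # cmd.exe reached some other way; still worth a look


def scan_log(lines):
    """Return (line_number, category, decoded_path) for every probe found."""
    hits = []
    for number, line in enumerate(lines, 1):
        if line.startswith("#") or not line.strip():
            continue  # W3C header/directive lines and blanks
        fields = line.split()
        if len(fields) < 6 or fields[3] != "GET":
            continue
        category = classify_request(fields[4])
        if category:
            hits.append((number, category, normalize_path(fields[4])))
    return hits


# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:05:22 10.0.0.7 GET /index.htm - 200
2001-09-18 13:05:23 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:05:23 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:05:24 10.0.0.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:05:24 10.0.0.7 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:05:25 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:25 10.0.0.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:26 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:26 10.0.0.7 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:27 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:28 10.0.0.7 GET /images/logo.gif - 200
""".splitlines()


if __name__ == "__main__":
    for number, category, path in scan_log(SAMPLE_LOG):
        print(f"line {number:2d}  {category:<11}  {path}")
```

The point of normalizing before matching is that a naive substring rule for `..\..` or `../..` misses every traversal variant Nimda used; a 200 status on one of the traversal lines is the signal that the server actually executed the command rather than rejecting it.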
According to CAIDA, Nimda infected 160,000 hosts at its peak and caused significant slowdowns across the Internet. Its most significant impact, however, was probably the panic caused by its ability to infect computers through such a wide range of vectors, several of which required no user action at all. And because of Nimda's multifaceted approach (if it failed to infect a system by one method, it tried another), it often slipped past defenses that guarded only a single vector, such as filtering of email attachments.
Nimda prompted a push for stricter computer security more than any other single virus, worm, or Trojan horse in recent memory, and that push continues—with Nimda entrenched firmly in system administrators’ memories.

