Nimda Self Test

What is the Nimda Worm?
The Nimda worm, also known as W32.Nimda.A@mm, Code Rainbow, Minda or Nimbda, is a self-replicating piece of software that infects IIS web servers as well as users running Internet Explorer 5. It was first seen in the wild on Tuesday, Sept 18th at around 9 a.m. The worm propagates in at least 4 different manners, including:

  • Attempts to exploit numerous different IIS vulnerabilities, including the Unicode exploit and systems already compromised by previous worms (SAdminD/Code Red II), and on infection begins a new attack cycle.
  • Modification of web pages on a web server which, when viewed with IE 5.0, cause IE to execute malicious code that infects the user's system. Note - the user does not need to be running IIS.
  • Harvesting of mail addresses from address books and cached web pages on infected user systems, then delivering infected attachments to other users; the attachments execute automatically if opened.
  • Propagation via file sharing, on shares accessible to the guest user or where no password has been set.
This worm is reported to be extremely aggressive in its scans, and according to various alerts is spreading rapidly.

Signature
The Worm checks systems for a number of different possible entry points. The following log file extract is from an Apache system that is being actively scanned by other sites:

"GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
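
Detection logic for the probe shapes in the extract above, as an added example (not the page's own self-test tool): it parses Apache-style access-log lines, labels each request by the Nimda probe pattern it matches, and lists clients that sent repeated probes. The log lines are constructed, and the pattern labels are my own.

```python
import re

# Constructed sample Apache access-log lines (not from the page's server): the
# first three mirror the probe shapes in the extract above, the last two are benign.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Sep/2001:09:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209 "-" "-"
10.0.0.1 - - [18/Sep/2001:09:12:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 "-" "-"
10.0.0.1 - - [18/Sep/2001:09:12:03 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.2 - - [18/Sep/2001:09:13:10 -0400] "GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0"
10.0.0.3 - - [18/Sep/2001:09:14:00 -0400] "GET /cgi-bin/search?q=cmd HTTP/1.0" 200 800 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Probe shapes taken from the log extract: the root.exe backdoor left by earlier
# worms, cmd.exe reached directly via a mapped drive path, and cmd.exe reached
# through double-encoded (%255c) or overlong-UTF-8 (%c0%af, %c1%1c, %c1%9c) traversal.
NIMDA_PATTERNS = [
    ("root.exe backdoor", re.compile(r"/root\.exe", re.I)),
    ("cmd.exe via drive path", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("double-encoded traversal", re.compile(r"\.\.%255c", re.I)),
    ("overlong UTF-8 traversal", re.compile(r"\.\.%(c0%af|c1%1c|c1%9c)", re.I)),
]

def classify_request(path):
    """Return the label of the first probe pattern the request path matches, else None."""
    for label, pat in NIMDA_PATTERNS:
        if pat.search(path):
            return label
    return None

def scan_log(text):
    """Return (client, label, path, status) for every line that matches a probe pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        label = classify_request(m.group("path"))
        if label:
            hits.append((line.split()[0], label, m.group("path"), m.group("status")))
    return hits

def scanning_sources(text, threshold=2):
    """Client addresses that sent at least `threshold` probe requests (sorted)."""
    counts = {}
    for client, *_ in scan_log(text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```

Run `scan_log` over a real access log to get per-request labels; a 302 or 404 on these paths means the probe was received, not that the server was infected, so the status column is kept for triage.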

Test Me Now
If you are running your browser on the same system as your web server, simply click the following button to determine whether your web server is susceptible to, or has already been exploited by, the Nimda worm.


(Please be patient - it takes about 30 seconds to run the test, so wait until the page appears!)
How Do I Stop It?
We recommend that users upgrade IIS to the latest version and apply all security patches. Users of Internet Explorer should also take care to update their browsers.

References
Incidents.org
TruSecure
Symantec
Newsbytes
F-Secure
Sophos



© 1998-2017 E-Soft Inc. All rights reserved.