Nimda Self Test

What is the Nimda Worm?
The Nimda worm, also known as W32.Nimda.A@mm, Code Rainbow, Minda, and Nimbda, is a self-replicating piece of software that infects IIS web servers as well as users running Internet Explorer 5. It was first seen in the wild on Tuesday, Sept 18th at around 9 a.m. The worm propagates in at least 4 different manners, including:

This worm is reported to be extremely aggressive in its scans, and according to various alerts is spreading rapidly.

Signature
The worm checks systems for a number of different possible entry points. The following log file extract is from an Apache system that is being actively scanned by other sites:

"GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
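
A way to flag these probe requests in an access log, as an added example that is not part of the original page. The function names, signature labels, client addresses and sample lines are constructed for illustration; only the request paths come from the extract above.

```python
import re
from collections import Counter

# Patterns derived from the request paths in the log extract above.
SIGNATURES = {
    "root.exe probe": re.compile(r"^/(?:scripts|msadc)/root\.exe\?", re.I),
    "direct cmd.exe probe": re.compile(r"^/[a-z]/winnt/system32/cmd\.exe\?", re.I),
    "double-encoded traversal": re.compile(r"\.\.%255c", re.I),
    "Unicode-encoded traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I),
}
# Pull the request path out of the quoted request field of a log line.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

def classify(line):
    """Return the name of the first signature the request path matches, else None."""
    m = REQUEST.search(line)
    if m is None:
        return None
    path = m.group(1)
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    """Count hits per (client, signature); the client is the first log field."""
    hits = Counter()
    for line in lines:
        name = classify(line)
        if name is not None:
            hits[(line.split(" ", 1)[0], name)] += 1
    return hits

# Constructed sample lines: documentation-range addresses, paths from the extract.
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:09:14:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [18/Sep/2001:09:14:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [18/Sep/2001:09:14:03 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [18/Sep/2001:09:14:03 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '198.51.100.7 - - [18/Sep/2001:09:15:40 -0400] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [18/Sep/2001:09:15:41 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
]

if __name__ == "__main__":
    for (client, name), count in sorted(summarize(SAMPLE).items()):
        print(f"{client}  {name}: {count}")
```

The patterns match on the raw, still-encoded request path, so they also work on the bare request lines shown in the extract.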

Test Me Now
If you are running your browser from the same system that runs your web server, simply click the following button to determine whether your web server is susceptible to, or has been exploited by, the Nimda worm.


(Please be patient - it takes about 30 seconds to run the test, so wait until the page appears!)
How Do I Stop It?
We recommend that users upgrade IIS to the latest version and ensure that all security patches are applied. Users of Internet Explorer should also take care to update their browsers.



