The Nimda worm was detected on September 18 and became widespread
on a global scale within less than 24 hours. The E variant
of Nimda appeared on Oct 29 and, like its predecessor, became
widespread in just a day. Nimda's fast spreading is due to its
multiple modes of propagation: as a mass-mailer, as a net-crawler
through shares, and through infecting Microsoft IIS web
servers. Unexpectedly, Nimda
proved to also have a "companion" mode of infection,
through which it infects applications that it selects from
the startup queue, including antivirus programs.
Typical signs: The reporting of any of the following
malicious files by IV Interceptor or IV Administrator in
the enterprise environment is indicative of the Nimda worm:
Readme.exe or readme.eml, sample.exe or sample.eml, Load.exe,
or Admin.dll.
When browsing a compromised web page, the user will be prompted
to download an attachment named 'readme.eml', which
is actually a copy of the worm itself. As soon as the download
completes, the attachment will automatically open in Outlook
and execute, without showing the presence of the attachment.
On execution, the worm will copy itself as load.exe and
modify the shell entry in System.ini, adding
itself as shell=explorer.exe load.exe -dontrunold
IV Interceptor warns on the latter through its startup apps
monitor (SAM).
Risks: Nimda constitutes a serious risk through
the ways it compromises security and degrades overall system
performance.
Propagation: Nimda can be contracted from just opening
an affected e-mail, visiting a compromised web page, or
being passively installed on the local machine from a compromised
server or remote user, through an open share or backdoor.
On an infected machine, Nimda will search for htm, html
and asp files and append its JavaScript to the file. The
script contains an 'open' instruction to download or run
the 'readme.eml', or 'sample.eml' attachment on the surfer's
machine.
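The indicators listed above (the names of the dropped files, the modified shell= entry in System.ini, and the script that Nimda appends to htm, html and asp files) can be checked for on a host. The following is an added example written for this page; it is not InVircible or IV Interceptor code, and it assumes a System.ini-style text file and a directory of web documents as input. The sample inputs at the bottom are constructed, and the appended script block in the sample page only carries the attachment name, not the worm's script.

```python
"""Host-side check for the Nimda indicators described on this page.

Example code added to this page; not InVircible / IV Interceptor code.
Assumes:
  - a System.ini-style text file whose shell= line may read
    "shell=explorer.exe load.exe -dontrunold", and
  - .htm/.html/.asp documents that may have had a script block appended
    which references readme.eml or sample.eml.
The sample inputs at the bottom are constructed for the demonstration.
"""
import re
from pathlib import Path

# File names the page lists as indicative of Nimda (compared case-insensitively).
INDICATOR_FILES = {"readme.exe", "readme.eml", "sample.exe", "sample.eml",
                   "load.exe", "admin.dll"}

# Matches the shell= line of System.ini and captures its value.
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*)$", re.IGNORECASE)

# Matches <script>...</script> blocks and the two attachment names inside them.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EML_RE = re.compile(r"(readme|sample)\.eml", re.IGNORECASE)


def check_system_ini(text):
    """Return the shell= value if it carries load.exe / -dontrunold, else None."""
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip().lower()
        if "load.exe" in value or "-dontrunold" in value:
            return value
    return None


def find_injected_eml(html):
    """Return the sorted, de-duplicated .eml names referenced from script blocks."""
    hits = []
    for block in SCRIPT_RE.findall(html):
        hits.extend(m.group(0).lower() for m in EML_RE.finditer(block))
    return sorted(set(hits))


def suspicious_filenames(names):
    """Filter a list of file names down to those the page calls indicative."""
    return sorted(n for n in names if n.lower() in INDICATOR_FILES)


def scan_tree(root):
    """Walk a directory tree; map each web document with an .eml reference
    in a script block to the names it references."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".htm", ".html", ".asp"):
            refs = find_injected_eml(p.read_text(errors="replace"))
            if refs:
                findings[str(p)] = refs
    return findings


# Constructed samples (not captured from a real system).
CLEAN_INI = "[boot]\nshell=explorer.exe\n"
INFECTED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
CLEAN_PAGE = "<html><body>Hello</body></html>"
# The appended block below is a placeholder that only names the attachment;
# it is not the worm's script.
MODIFIED_PAGE = CLEAN_PAGE + \
    "\n<script>/* constructed placeholder */ var a = 'readme.eml';</script>"

if __name__ == "__main__":
    print("System.ini:", check_system_ini(INFECTED_INI))
    print("Injected refs:", find_injected_eml(MODIFIED_PAGE))
    print("Suspicious names:", suspicious_filenames(["Readme.eml", "notes.txt", "Admin.dll"]))
```

Point scan_tree at a web root to list every htm, html or asp file whose script blocks mention readme.eml or sample.eml; a hit on the shell= line or on any of the listed file names is the same signal that IV Interceptor's startup apps monitor reports.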
Prevention: IV Interceptor blocks Nimda from executing
and prevents the machine from becoming infected.
©NetZ Computing manufacturers of InVircible