New studies reveal Nimda's tenacity

As companies struggle to clean their networks of the malicious program, security experts finally post complete analyses of the worm.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
Nimda's number may not be up.

Security consultants stressed Friday that while the spread of the disruptive Nimda worm has slowed, many companies are having difficulties rousting the malicious program from their networks.

"It's an awfully insidious little bastard," said Mike Scher, senior research consultant with network-protection company Neohapsis. "You clean it off of one segment of the network and have to make sure it doesn't come back. It's almost like fighting a fire."

After successfully preventing Nimda from entering its network, Scher's client--a Fortune 500 company--picked up the worm from an employee working from home. After that, the program spread quickly throughout the corporation's worldwide offices.

"This is a huge organization, so there are lots of infections," said Scher, who had been working 48 hours to clean the digital infestation from the network. "It's a terrible pain to get off."

The tenacious worm also caused several Internet service providers to take drastic steps to block customers from spreading the worm and overloading their networks with traffic.

XO Communications acknowledged on Friday that the company severed almost a quarter of its customers' Web servers from the Internet in an attempt to halt the deluge of data produced by the worm.

"Many of our customers are small businesses," XO spokeswoman Jenna Dee said. "They bring in an IT person to set up their network and don't have a full-time technical employee. Those types of businesses are the most susceptible to these attacks."

Another Internet service provider, DSL.net, completely cut off hundreds of its customers after it became apparent that their computers had been infected by the worm, according to customers' reports. DSL.net did not immediately respond to requests for comment.

The Nimda worm hit so quickly--peaking within 6 hours--and caused so much havoc that accurate analysis of the worm has been delayed.

For example, earlier this week, antivirus software company Symantec originally classified removal of the Nimda worm as "easy," but 24 hours later it changed that evaluation.

The latest information shows that the Nimda worm's extensive replacement of key files and programs on infected PCs and its use of Windows file sharing to spread across local area networks have made it difficult to clean out.

Nimda--which is "admin," the shortened form of "system administrator," spelled backwards--started spreading early Tuesday morning and quickly infected PCs and servers across the Internet. Also known as "readme.exe" and "W32.Nimda," the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000 and Windows NT.

The worm spreads by four different routes. Microsoft has posted an extensive list of patches and advisories to combat the worm.

The worm originally spread quickly by broadly scanning local networks and the Internet for Web servers running Microsoft's Internet Information Server software that were vulnerable to one of two well-known flaws.

First, if the server had already been compromised by the Code Red II worm, then Nimda used that backdoor to copy itself to the server as a file named "admin.dll." For all other IIS servers, the program attempted to use the "Web server folder traversal" vulnerability discovered in October 2000 to copy the file "admin.dll" to the server.

Once the file is copied to the computer, the worm executes it and infects the new victim. On such servers, the worm creates a "guest" account with administrative privileges, copies itself to any network drives, makes the C: drive publicly accessible, and appends a script to HTM, HTML and ASP files.

The files will attempt to upload a copy of the worm to the computer of anyone who views a Web page hosted by the infected computer using a browser with JavaScript enabled. The worm also deletes the keys in the registry that set the security preferences for the computer and also causes itself to be run at start-up.

The ability to infect others through viewing a Web page is the Nimda worm's second path of infection.

The snippet of JavaScript added to each Web file on an infected server will cause the worm, renamed "readme.eml," to upload from the server to the surfer's computer. The worm will run automatically on PCs using unpatched versions of Microsoft's Internet Explorer 5.5 SP1 or earlier. On any browser with JavaScript enabled, the worm's script will cause the browser to try to upload the code but will first ask the PC user's permission.
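Two defender-side checks for the server and browser paths just described, as an added example that is not from the article or from any vendor's cleanup tool: a filter over IIS log lines for directory-traversal requests or requests naming the worm's files, and a scan of HTML files for an appended script that references "readme.eml". The log lines, page contents, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines: date time client-ip method uri-stem uri-query status
SAMPLE_IIS_LOG = """\
2001-09-18 04:12:07 192.0.2.10 GET /index.htm - 200
2001-09-18 04:12:09 192.0.2.55 GET /scripts/..%255c..%255c/winnt/admin.dll - 200
2001-09-18 04:12:11 192.0.2.55 GET /scripts/admin.dll - 200
2001-09-18 04:13:30 192.0.2.77 GET /products/list.asp id=3 200
2001-09-18 04:14:02 192.0.2.90 GET /images/%2e%2e/%2e%2e/secret.txt - 404
"""
# File names the article associates with the worm's server and browser paths.
WORM_FILENAMES = ("admin.dll", "readme.eml", "readme.exe")

def fully_decode(uri: str) -> str:
    """Decode until stable so double encoding (%255c -> %5c -> backslash) cannot
    hide a traversal sequence; treat backslashes as path separators."""
    previous = None
    while previous != uri:
        previous, uri = uri, unquote(uri)
    return uri.replace("\\", "/")

def is_traversal(uri: str) -> bool:
    """True if any path segment is '..', i.e. the request climbs out of the web root."""
    return any(segment == ".." for segment in fully_decode(uri).split("/"))

def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, raw_uri) for requests that traverse directories or name a
    worm file. Status is ignored on purpose: a 404 is still a probe worth noting."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip header or malformed lines
        client_ip, uri = fields[2], fields[4]
        if is_traversal(uri) or fully_decode(uri).lower().endswith(WORM_FILENAMES):
            hits.append((client_ip, uri))
    return hits

# Constructed pages; the first ends with a script of the kind the article describes.
INFECTED_PAGE = ('<html><body><h1>Welcome</h1></body></html>\n'
                 '<html><script language="JavaScript">window.open("readme.eml")</script></html>')
CLEAN_PAGE = '<html><body><script>document.title = "ok";</script></body></html>'
APPENDED_SCRIPT = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.IGNORECASE)

def page_is_infected(html: str) -> bool:
    """True if the page carries a script block that references readme.eml."""
    return APPENDED_SCRIPT.search(html) is not None
```

Run `suspicious_requests` over a server's full log rather than the sample, and `page_is_infected` over every .htm, .html and .asp file under the web root, since the article notes the worm appends its script to all three.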

PCs can also be infected through the worm's third mode of transmission: e-mail.

On infected computers, the Nimda worm runs its own mail service and sends e-mail to addresses in the Windows address book as well as to those culled from the machine's browser cache, which stores elements of recently viewed Web pages.

The e-mail appears to have an attached WAV file, but in reality it uses an old MIME (Multipurpose Internet Mail Extensions) vulnerability to automatically run the worm once the e-mail is viewed in the mail client's preview pane.

Even on computers that are not vulnerable to the security flaw, the attachment causes the Outlook and Outlook Express e-mail programs to open a dialog box asking the user for permission to open the file.

If the worm infects a PC through either the Web browser or e-mail, Nimda acts much like it does on servers. In addition, the worm adds a "load.exe" file to the Windows System directory, appends itself to many .exe, .eml and Word document files, and replaces common applications such as WordPad, WinZip32 and HyperTerminal with a copy that executes the worm.

In addition, the worm places copies of "Riched20.dll"--the program that is the workhorse text editor for Word, WordPad and other editing programs--in multiple places on every accessible hard drive. Whenever a program that uses Riched20.dll opens, that also executes the worm.

This ability to spread copies of itself throughout corporate networks by using shared drives is the fourth way the worm infects.

Using the network-sharing mechanism, the Nimda worm spreads fast and makes extermination very difficult, said Vincent Gullotto, director of security software maker Network Associates' antivirus emergency response team.

"While you are cleaning one area of the network, it is coming back behind you and reinfecting the computers," he said.

Network Associates, Symantec and other security companies have tools to help system administrators clean their systems.

Yet even if companies do completely eradicate the worm from their networks, Nimda will be out there for a long time, said Jensenne Roculan, incident analyst for SecurityFocus.com's ARIS Incident Analysis Team. Roculan pointed out that Code Red and its variant still account for some 30,000 infections worldwide.

"Code Red is still going strong because of the number of unpatched systems on the Web," she said. "If that is any indication, Nimda should be around for a while."

Analyses of the Nimda worm can be found at CERT, SecurityFocus.com, Neohapsis and most antivirus companies' Web sites.