7 minute read

Nimda is a computer worm. It spread quickly, surpassing the economic damage caused by previous outbreaks such as Code Red.

The first advisory about this worm was released on September 18, 2001.

Due to It’s release date, exactly one week after the attacks on the World Trade Center and Pentagon, the media toy with the idea tha a link between the virus and Al Qaeda existed, though this theory ended up being proved unfounded.

Nimda affected both user workstations running Windows 95, 98, NT, 2000 or XP and servers running Windows NT and 2000.

The worm’s name comes from the reversed spelling of “admin”.

F-Secure found the text “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China” in it’s code, suggesting china as its origin.

Transmission

Nimda worm has five different methods of transferring itself to different computers and networks. It also has the ability to infect files.

Infected Website

Nimda can arrive on a computer from visiting an infected website. An infected website will contain JavaScript code that causes the browser to download the README.EML file containing the worm:

The README.EML file will open in a minimimized window if the user uses Explorer 5.5 with Service Pack 1 or earlier. It may not be able to infect Windows NT and 2000 in this way.

Email

The worm may also come from an email attachment named README.EXE. The subject and message body are usually empty, though the subject may sometimes be random. The message has two sections, one has the MIME type text/html, which is blank, and the other has the type audio/x-wav. The audio/x-wav section is actually a binary executable, the README.EXE attachment. It may be able to run itself from the preview pane with no intervention from the user, as the worm exploits a vulnerability that exists in Explorer 5.5 with Service Pack 1 or earlier when Explorer is used to render html mail.

Local Network

If the user’s computer is on a local network where another computer has been infected with the worm, it will arrive as RICHED20.DLL in any folder with a .doc or .eml file. These files will be hidden.

Server

The worm may also be transmitted from one computer to another one running a Microsoft IIS 4.0 / 5.0 server either by a exploiting a directory traversal vulnerability in the server or by using backdoors left by CodeRed.II. It arrives and is copied to the server’s “scripts” directory as “ADMIN.DLL”.

File Infection

In a manner similar to a virus, it can also infect files. Its file infection method is unique, as it does not place itself inside of the file it infects. Instead, the worm copies itself as the name of the executable it is infecting and “assimilates” the original into itself as a resource. When the user executes this program, the worm runs first, then the program the user intended to run is extracted and run.

Nimda can infect files over networks. Because of its file infection ability, it is possible to transmit the worm by moving a stand-alone executable program through a floppy or flash disk. In most cases it avoids infecting the WINZIP32.EXE file. It will not infect files when run from a file other than ADMIN.DLL. Infection

The worm will behave in certain ways depending on where it is executed and what commands are used. It can also infect files on the computer and over the network it is executed on.

From ADMIN.DLL

When Nimda is executed on a webserver as the file ADMIN.DLL, it copies itself to the windows folder as MMC.EXE. MMC.EXE, before Nimda infection, is a legitimate file, the main executable of the Microsoft Management Console, but it is usually either infected or completely overwritten. The MMC.EXE file is executed with the command line argument “-qusery9bnow”. It creates a mutex named “fsdhqherwqi2001”.

The worm scans for .exe files on available drives, and infects them. Nimda reads the Local machine App Paths registry key and infects all files listed in that key. In addition, it will read the Local machine Shell Folders key and attempts to infect all files in the folders listed in this key.

From README.EXE

If Nimda starts from the file README.EXE or any file with more than 5 characters in its name with a .exe extension, it copies itself to a temporary folder with a mostly random name beginning with MEP or MA and ending with .TMP, sometimes with .exe as the final extension. The file will be run with a “-dontrunold” commandline argument.

Behaviour

Nimda loads itself as a .dll file, looks for a specific resource there and checks its size. If the resource size is less than 100 the worm unloads itself. If the resource size is 100 or greater, the worm extracts the resource file and runs it. Checking the resource size is done to be able to detect if a worm runs from infected EXE files.

The worm checks the system clock and generates a random number. After crunching the numbers a few times, it checks the result, which will be between 1 and 100. If the result is larger than 80, it will delete any file in the temporary folder that begins with README and ends with .EXE.

The worm extracts its MIME message to a temporary folder under a random filename.

Nimda assigns its process as a thread of the EXPLORER process, although this may not work on some systems. This will keep the worm running even when a different user is logged onto the machine. It creates a mutex named “fsdhqherwqi2001”. The worm starts Winsock services and gets information on its host, then sleeps for some time.

When Nimda restarts itself, it checks what version of Windows it is running on. If it is on Windows NT, or any version based on that system, it compacts its memory blocks to occupy less space and copies itself as LOAD.EXE and RICHED20.DLL to the system folder. It modifies the file SYSTEM.INI file, adding the string explorer.exe load.exe -dontrunold. This will cause LOAD.EXE to run when the computer starts. The worm looks for shared network resources and scans files on remote systems. From Any Filename

The worm places .eml and .nws files with copies of itself in nearly all folders it accesses, usually named README, but sometimes also DESKTOP. It will use a .eml extension approximately 95% of the time. It places a hidden file named RICHED20.DLL in all folders where it finds .doc or .eml files. It also tries to replace the legitimate RICHED20.DLL (this file is a shared library for rich text editing used by Microsoft Word and Outlook) with its own copy. This ensures that Nimda will be run when a .doc or .eml file is opened. It will also copy itself to the drives C, D and E (at the root of the drives, not in any folder).

The worm creates an account named “guest” and adds it to the administrator group with administrative privileges. This account requires no password. It turns any drive from C to Z into open network shares by adding the values C$ through Z$ to the LanMan registry key. It also disables sharing security by deleting all subkeys from the Shares Security registry key. The worm disables the proxy by modifying two different versions of the ProxyEnable registry key (one under current user and the other under current config) with the value “0” as well as one of the MigrateProxy key with the value “1”. Spreading

The worm searches the Temporary Internet Files folder for .htm and .html files and scans them for email addresses. It also collects email addresses from emails it finds in the address book and inbox. The wom may send itself with a blank or random Subject line. If it chooses to use a subject line, it will choose one from a text string in a file listed under the current user’s personal shell folders registry key. It sends itself using its own SMTP engine.

The worm scans IP addresses for IIS servers that have backdoors left by CodeRed.II. There is a 25% possibility that the IP address it chooses will be completely random. There is also a 25% possibility that the first octet of the address will be the same as that of the current computer, and the rest will be random. There is a 50% possibility that the first two octets of the address will be the same as that of the current computer. When it finds one, it sends a copy of itself via TFTP as TFTP # . This file name is changed to ADMIN.DLL and it executes this copy on the new machine.

On servers, Nimda searches for .htm, .html and .asp webpage files on local hard drives, then creates and places the file README.EML in the directories where such files are found. README.EML is an email file containing a MIME-encoded copy of the worm. The worm adds the three lines of JavaScript code that will cause the browser of a computer reading the webpage to open the README.EML file.

The worm creates around 200 threads, which search for network shares. It copies RICHED20.DLL to any folder on the network with a .doc or .eml file.