SECURITY ALERT

Name:      W32.NIMDA
Aliases:   W32/Nimda,README.EXE,Nimda
Variants:  
Type:      Internet Worm, Mass Mailer
Platforms: Windows 32-bit platforms
Status:    in the wild
Threat:    V-CON 5 (high)

The following has been derived from information provided by incidents.org, Kaspersky Labs, Network Associates and Symantec.

Virus Characteristics

W32/Nimda@MM is an Internet worm that propagates by any of the following methods:

- Exploiting one of several Microsoft Internet Information Server (IIS) vulnerabilities
- Emailing itself to addresses harvested from the Windows Address Book and cached web pages
- Using a defaced web page to force visiting browsers to download and execute the worm
- "Infecting" shared files through open network shares

The worm can arrive in an email which has the following characteristics:

From: <may be spoofed>
Subject: <random>
Body: <blank but includes hidden script to execute the worm using a known MIME vulnerability>
Attachment: README.EXE

Upon execution, the worm copies itself to the SYSTEM directory as LOAD.EXE and replaces the RICHED20.DLL file with itself. It modifies SYSTEM.INI so that it is loaded at startup, by appending "load.exe -dontrunold" to the SHELL=EXPLORER.EXE entry. It also attaches a thread to EXPLORER.EXE to run its viral code.

The worm searches for open network shares and attempts to "infect" shared files by renaming the original so that the extension has an extra space and ends with .EXE. It then copies itself in the original file's place, under the original file's name. When the trojanized file is run, the worm executes and then launches the renamed original so that nothing appears amiss to the user.

It also places a MIME-encoded copy of itself in each folder on the local drives, named README.EML or some other filename with the .EML or .NWS extension.

Using the Unicode Web Traversal exploit, the worm attempts to upload and remotely execute a file named ADMIN.DLL to vulnerable IIS servers. A patch for this vulnerability is available from Microsoft at the following address:

http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

The worm searches for .HTM, .HTML, and .ASP files and modifies them so that a copy of the worm is downloaded by the web browser of unsuspecting users visiting the site. The downloaded file is an Outlook Express email file (.EML) that contains the worm as an attachment and uses a known Internet Explorer MIME vulnerability to infect the client machine.
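As an added example, not part of this alert or of any vendor's removal tool, the following Python scanner applies the host-side indicators described above to a directory tree: the README.EML / README.EXE copies, any .EML or .NWS file, a filename ending in " .EXE" (the renamed original from the share-infection step), and the "load.exe -dontrunold" hook on the SHELL= line of SYSTEM.INI. The sample tree it builds is constructed for the demonstration; the exact space-before-.EXE pattern is an assumption drawn from the description above.

```python
import os
import re
import tempfile

# Filename indicators taken from the alert text: the MIME-encoded copies
# (README.EML, or any *.EML / *.NWS), the README.EXE attachment, and a
# share-infected original renamed to end in " .exe" (assumed pattern).
INDICATOR_NAMES = {"readme.eml", "readme.exe"}
INDICATOR_EXTS = (".eml", ".nws")
RENAMED_ORIGINAL = re.compile(r"\s\.exe$", re.IGNORECASE)
# Persistence hook: "load.exe -dontrunold" appended to the SHELL= entry.
SHELL_HOOK = re.compile(r"^\s*shell\s*=.*load\.exe\s+-dontrunold",
                        re.IGNORECASE | re.MULTILINE)

def classify(name):
    """Return the indicator type for one filename, or None if not suspicious."""
    lower = name.lower()
    if lower in INDICATOR_NAMES:
        return "worm-copy"
    if lower.endswith(INDICATOR_EXTS):
        return "mime-copy"
    if RENAMED_ORIGINAL.search(name):
        return "renamed-original"
    return None

def scan_tree(root):
    """Walk root and return sorted (path, indicator) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits.append((os.path.join(dirpath, name), kind))
    return sorted(hits)

def system_ini_modified(text):
    """True if SYSTEM.INI content carries the worm's startup hook."""
    return bool(SHELL_HOOK.search(text))

def build_sample_tree():
    """Constructed sample directory (harmless placeholder files, not worm code)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("README.EML", "docs/report.doc .exe", "docs/news.nws", "docs/clean.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
    return root

if __name__ == "__main__":
    for path, kind in scan_tree(build_sample_tree()):
        print(kind, path)
```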


Payload

This threat can generate significant network traffic, damage the file system, and cause a denial of service.

- The worm sends itself via email, which can cause increased email traffic
- The worm scans for vulnerable IIS servers to infect, causing increased HTTP activity
- It replaces multiple file types with itself
- Compromises security by sharing all local drives at the root without any restrictions
- Compromises security by enabling the Guest account on Windows NT/2000 systems
- Defaces web server default pages
- Disables the Internet Explorer proxy server settings


Preventative Measures

Block the following filenames at the Internet gateway where possible (SMTP, HTTP):

README.EML (HTTP)
README.EXE (SMTP)

Download and apply the patches for Microsoft IIS servers from the following location:

http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

Download and apply the patch for Internet Explorer 5.01 and 5.5 from the following location:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp


Fixes Available

AVP: Detection included in current definitions (Sep 18, 2001)
Network Associates: 4159 DATs (Sep 18, 2001) with engine 4.0.70 or later
Symantec: Detected using current Certified Defs (Sep 18, 2001)
Trend: Detected with Pattern file #941 (Sep 18, 2001)


Removal Tools

Central Command (AVP):
http://www.centralcommand.com/toolsregister.html
Network Associates:
http://download.nai.com/products/mcafee-avert/NimdaScn.zip
Trend Micro:
http://www.antivirus.com/vinfo/security/fix_nimda1.zip


Further Info

CERT:
http://www.cert.org/advisories/CA-2001-26.html
F-Secure Corp:
http://www.datafellows.com/v-descs/nimda.shtml
Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
Network Associates:
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
SANS Emergency Incident Handler:
http://www.incidents.org/react/nimda.php
Sophos:
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec:
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Trend Micro:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
