Email Worm Launches Attack
Auto-executing menace seeks vulnerabilities
Last updated 9/19/01, 4:00 p.m. EST: Breaking out simultaneously throughout the world on Sept 18, 2001, a mass-mailing email worm began actively launching a Distributed Denial of Service (DDoS) attack across the Internet. Dubbed W32/Nimda.a@mm by most antivirus vendors (the exception is McAfee, who refers to it as W32/Minda@mm), the worm spreads itself via email, taking advantage of security vulnerabilities to automatically execute on the user's system.

The worm spreads with the attachment README.EXE. In unpatched versions of Outlook Express™, the worm will automatically execute the attachment from the preview pane. In unpatched Outlook™, the worm will automatically execute the attachment when the email is opened. In both cases, automatic execution of these attachments can be prevented by properly configured security settings and keeping the mail clients properly patched. The Email Help Center provides instructions for configuring security settings and links to needed patches.

Central Command, one of the original reporters of the worm, noted that "Win32.Nimda.A@mm arrives through e-mail as an attached file (README.EXE), with the body of the mail apparently empty." Central Command noted that the body "actually contains code to use as an exploit which will execute the virus when the user views the message" assuming unpatched versions of Microsoft® Outlook or Outlook Express are being used. Central Command develops AntiVirus Expert virus detection software.

Email is not the only means by which the virus can spread. Again exploiting security vulnerabilities, the virus infects unpatched Microsoft IIS servers. In the process, it activates a guest account with no password and grants the account full administrative rights. The virus then searches for certain files on the web server, overwriting the HTML code to include malicious JavaScript. Visitors with unpatched systems can have a copy of the worm forcibly downloaded to their machine, which then automatically infects their system. Russ Cooper, Surgeon General of TruSecure Corp and NTBugtraq moderator, issued an alert warning, "Numerous people have reported that on IIS servers infected with w32.Nimda.amm, when visitors browse to their website the visitor is offered up README.EML, which in turn downloads README.EXE to the visitor."

The worm does not rely on Outlook or Outlook Express to spread. Keith Peer, CEO of Central Command, advises that Nimda spreads by using "MAPI (Mailing API) functions to read user’s e-mails from where it extracts SMTP (Simple Mail Transfer Protocol) addresses and e-mail addresses." Nimda can also spread over accessible network shares and by the same Unicode Web Traversal exploit used by the Code Blue worm.

Regardless of how the worm reaches the system, when it is installed it copies itself to the system directory with the name load.exe. It then overwrites the dynamic link library file riched20.dll, used by applications such as WordPad. The worm also activates on subsequent reboots by modifying the [boot] section of the system.ini file to include

shell=explorer.exe load.exe -dontrunold
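The two host-side traces described above (the extra program appended to the system.ini shell= line, and the infected IIS pages that offer visitors README.EML) can both be checked for with a few lines of script. This is an added example written for this page, not code from the article or any vendor; the sample system.ini and HTML fragments are constructed to match the article's description.

```python
import re
from typing import List

# Constructed sample: a system.ini [boot] section as the article says Nimda leaves it.
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
[drivers]
wave=mmdrv.dll
"""

# Constructed sample: the default shell line on a clean system.
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
"""

def boot_shell_value(ini_text: str) -> str:
    """Return the shell= value from the [boot] section, or '' if it is absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return ""

def extra_shell_programs(ini_text: str) -> List[str]:
    """Every token after explorer.exe on the shell= line is run at each boot.
    A clean system has only explorer.exe there, so anything else is suspect."""
    tokens = boot_shell_value(ini_text).split()
    if not tokens or tokens[0].lower() != "explorer.exe":
        return tokens
    return tokens[1:]

# Constructed sample of a web page modified to push README.EML at visitors.
INJECTED_HTML = """<html><body>Welcome to our site
<script language="JavaScript">window.open("readme.eml", null)</script>
</body></html>"""

SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
EML_REF = re.compile(r"readme\.eml", re.IGNORECASE)

def scripts_referencing_eml(html: str) -> List[str]:
    """Return the <script> blocks in a page that reference readme.eml."""
    return [s for s in SCRIPT_TAG.findall(html) if EML_REF.search(s)]
```

Running extra_shell_programs over a real system.ini and scripts_referencing_eml over each file in a web root gives a quick first triage before a full scan with updated antivirus signatures.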

Roger Thompson, Technical Director of Malicious Code Research for TruSecure Corp can be credited with early detection, snaring the worm's activities via his WormCatcher program. Developed to detect intrusions from Code Red and its variants, WormCatcher began sounding alerts across the anti-virus landscape early on the morning of the 18th. Early detection is critical in stopping mass-infection.

Antivirus vendor Sophos nearly instantaneously provided a virus identity update as did Central Command. Filtering programs designed to block all executables will prevent the worm's spread, thus mitigating the DDoS attacks spawned. For Windows desktop users, MailDefense™ prevents the infection and spread of the virus. The Content Filtering section of this site provides several server-based filtering options as well. Additionally, firewalls that monitor and block unauthorized inbound and outbound connection attempts will prevent the worm from spreading. ZoneAlarm and Tiny Personal Firewall are both highly suited for protecting Windows PCs.

The FBI has indicated that there is no data to indicate the DDoS worm has anything to do with last week's terrorist attacks. Roger Thompson noted that while binary code within the worm mentions China, that does not necessarily imply that is the worm's origination, nor does there appear to be a connection to the Israeli defense contractor, NIMDA. (It should be noted that Nimda is also Admin spelled backwards).

©2009 About.com, a part of The New York Times Company.

All rights reserved.