Internet.com

ISP-Planet

ISP News

New Worm Spreading Fast

The FBI and CERT warn that a new virus, called Nimda, is spreading and could proliferate as widely as Code Red. The virus can spread like a worm or as an e-mail attachment, and could be distributed around networks even if the attachment is not opened.

by Thor Olavsrud
of internetnews.com
[September 19, 2001]

The Federal Bureau of Investigation and private sector security experts Tuesday warned of a sophisticated new virus dubbed Nimda, which spreads both as a worm exploiting the same vulnerabilities used by the recent Code Red and sadmind/IIS worms, and as an e-mail virus. Experts said the worm could proliferate as widely as Code Red.

The Computer Emergency Response Team Coordination Center (CERT/CC), based at Carnegie-Mellon University, said "User machines that are infected by this virus might see an increase in scanning as the virus tries to compromise IIS servers. Many sites are experiencing high loads of e-mail and network traffic as a result of this activity."

London-based GFI Security Labs said Tuesday afternoon that Nimda replicates quickly and has the ability to spread through e-mail clients even if recipients don't open the attachment, ReadMe.exe, which comes with infected e-mails.

GFI said Nimda can run without user intervention by using an exploit in Microsoft Outlook reported in a Microsoft Security Bulletin on March 29, 2001. The user simply reads the e-mail and the attachment executes. If the recipient's e-mail client has been patched, a pop-up dialog window appears, inviting the recipient to execute the attachment.

"Anyone responsible for users' computers (both home users and corporate users) should be sure that the latest version of anti-virus definitions are installed," CERT said. "Users should exercise extreme caution in handling e-mail attachments."

LAN wary
Nimda also seeks out and infects vulnerable Microsoft IIS servers and defaces Web sites using the software. In addition, Medina, Ohio-based Central Command Inc. warned, "This worm also spreads through a local area network. The virus activates the Guest user with no password and adds itself to the Administrator group. Also it creates a share for C:\ with all access rights." GFI added that, potentially, any user vulnerable to the exploit who visits a defaced site may become infected simply by viewing it.

When the worm executes, it copies itself into the system directory under the name load.exe. It also copies over the library file riched20.dll and modifies itself to be loaded as a Dynamic Link Library (DLL). The worm also modifies the [boot] section of system.ini with the line "shell=explorer.exe load.exe -dontrunold" in order to activate itself at every reboot.
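The host artifacts described above (the altered system.ini shell line, load.exe in the system directory, the Guest account in the Administrators group, and a full-access share of C:\) can be checked programmatically. The following is an added example, not code from the article or from any of the vendors quoted; it takes the artifacts as plain Python values so it runs offline against constructed data, and the rule that flags a non-administrative drive-root share is an assumption of the example.

```python
import re
from typing import Dict, List

# Added example: check a host's artifacts against the Nimda indicators listed
# in the article. Inputs are passed in so the logic runs offline; a real run
# would read system.ini, list the system directory, and enumerate the
# Administrators group and the host's shares.

def parse_boot_shell(system_ini: str) -> List[str]:
    """Return the tokens of the shell= line in the [boot] section, or []."""
    section = None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            return line.split("=", 1)[1].split()
    return []

def nimda_indicators(system_ini: str, system_dir_files: List[str],
                     admin_members: List[str], shares: Dict[str, str]) -> List[str]:
    """Return the matched indicators; an empty list means none were seen."""
    findings = []
    shell = parse_boot_shell(system_ini)
    # A clean shell line names only explorer.exe; Nimda appends load.exe -dontrunold.
    if len(shell) > 1 or (shell and shell[0].lower() != "explorer.exe"):
        findings.append("system.ini [boot] shell= loads extra program: " + " ".join(shell))
    if "load.exe" in {f.lower() for f in system_dir_files}:
        findings.append("load.exe present in system directory")
    # riched20.dll is legitimately present; a replaced copy needs an integrity
    # check against a known-good hash, which this example does not carry.
    if any(m.lower() == "guest" for m in admin_members):
        findings.append("Guest account is a member of Administrators")
    for name, path in shares.items():
        # Assumption: a drive root shared under a non-administrative name
        # (not the built-in C$ style share) is treated as the worm's C:\ share.
        if re.fullmatch(r"[A-Za-z]:\\?", path) and not name.endswith("$"):
            findings.append(f"drive root {path} shared as '{name}'")
    return findings

# Constructed sample data modelling an infected host.
SAMPLE_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_FILES = ["kernel32.dll", "riched20.dll", "load.exe"]
SAMPLE_ADMINS = ["Administrator", "Guest"]
SAMPLE_SHARES = {"C$": "C:\\", "C": "C:\\", "IPC$": ""}

if __name__ == "__main__":
    for hit in nimda_indicators(SAMPLE_INI, SAMPLE_FILES, SAMPLE_ADMINS, SAMPLE_SHARES):
        print("HIT:", hit)
```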

Central Command said the worm uses MAPI functions to read users' e-mails, and extracts SMTP addresses and e-mail addresses in order to spread itself.

"Although it has not yet reached the severity of Code Red, F-Secure believes that it's quite possible that Nimda will reach Code Red's level of proliferation," said Finnish security company F-Secure Corp. F-Secure has classified Nimda a Level 1 Security Alert, its most severe threat classification.

Robust reproduction capability
Nimda sends itself out with a random subject line and no message text. GFI said that because of its highly replicative nature, Nimda can clog mail servers.

"The Nimda virus has taken e-mail threats one step further in its use of complex replication mechanisms and the fact that it is transmitted in a multitude of ways," said David Vella, product manager for GFI. "It appears to be a concept virus and it has worked successfully. This suggests that Nimda variants and other similar e-mail viruses are on their way and could possibly make use of new exploits. E-mail security at server level is an absolute must to block this new threat."

CERT recommended that infected machines be removed from networks for recovery, and said system administrators should follow the steps listed in "Steps for Recovering from a UNIX or NT System Compromise." CERT also warned that Web server content may be altered on compromised Web servers and Web content should be verified for integrity.

—End

Related articles:
  [Aug. 17, 2001] A Really Big Patch for Microsoft IIS
  [Jul. 24, 2001] E-mail Virus Protection
  [June 20, 2001] Another Vulnerability Discovered in IIS
