Nimda

To briefly summarize what Nimda does:

• It probes each IP address within a randomly-selected range of IP addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in computers with Microsoft's Internet Information Server. A system with an exposed IIS Web server will read a Web page containing an embedded JavaScript that automatically executes, causing the same JavaScript code to propagate to all Web pages on that server.
• As people (those with Microsoft Internet Explorer browsers at the 5.01 or earlier level) visit sites at the infected Web server, they unwittingly download pages with the JavaScript that automatically executes, causing the virus to be sent to other computers on the Internet in a somewhat random fashion.
• Nimda also can infect users within the Web server's own internal network that have been given a network share (a portion of file space).
• Finally, one of the things that Nimda has an infected system do is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows address book. A user who opens or previews this attachment (which is a Web page with the JavaScript) propagates the virus further.

To summarize preventive action:

• Server adminstrators should get and apply the cumulative IIS patch that Microsoft has provided for previous viruses and ensure that no one at the server opens e-mail.
• PC users should never open a "readme.exe" attachment sent by e-mail. They should also update their Internet Explorer version to IE 5.5 SP2 or IE 6.0.

To summarize corrective action (if your server is infected):

• Here we quote TruSecure's Surgeon General Russ Cooper: "If you need to keep it up and running, disconnect it from infection vectors, restore it from tape or reformat and install fresh, then patch it. Restore the data (even if it's infected), run the currently available cleanser, and scan it again with your anti-virus software product. If it passes, reconnect it to the Net and carry on."
• More ideally, Cooper believes that the server should remain down until a comprehensive cleanser arrives within a few days from one of the anti-virus software vendors such as McAfee or Symantec. He recommends using more than one cleanser to be on the safe side.

To summarize corrective action (for end users):

• Scan and cleanse your system with anti-virus software.
• Download the Internet Explorer upgrade.

For details on how the virus behaves and more information about corrective and preventive actions, consult any of the major anti-virus software vendor sites.

Read more about Nimda: - The official advisory from CERT offers details. - SearchSecurity.com provides an interview with Jim Reavis, a security expert. - In "Nimda moving fast, slams brakes on Net," Michael Mimoso interviews TruSecure's Surgeon General Russ Cooper.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT New defenses for automated SQL injection attacks By automating SQL injection attacks, hackers have found a way to expedite the process of finding and exploiting vulnerable websites. The old defenses... Information security book excerpts and reviews Visit the Information Security Bookshelf for book reviews and free chapter downloads. Yahoo, McAfee to warn users of dangerous websites Websites suspected of spreading malicious programs or spamming and phishing campaigns will be highlighted in search results.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) A bot worm is a self-replicating malware program that resides in current memory, turns infected computers into zombies (or bots) and transmits itself... directory traversal  (SearchSecurity.com) Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the...