What is Nimda Virus
Nimda hit the Internet in 2001 and spread quickly, becoming the fastest-propagating computer virus of its time.
The Nimda worm's primary targets were Internet servers. While it could infect a home PC, its real intent was to bring Internet traffic to a crawl. It could travel across the Internet by several methods, including email, which helped spread the worm to many servers in record time.
The Nimda worm opened a backdoor into the victim's operating system. It gave the person behind the attack the same level of access as whatever account was currently logged into the machine. In other words, if a user with restricted privileges triggered the worm on a computer, the attacker would likewise have only restricted access to the computer's functions. If, on the other hand, the victim was the machine's administrator, the attacker would have full control.
The spread of the Nimda virus caused some network systems to crash as more and more of the system's resources were consumed by the worm. In effect, the Nimda worm became a distributed denial of service (DDoS) attack.
How Nimda Works
Although Nimda (also known as Readme.exe, W32/Nimda worm, and the Concept Virus (CV) v.5) attacks through the same IIS vulnerabilities that the Code Red worm exploited, it spreads through a completely different mechanism and can infect both workstations and servers running any version of Windows from Win95 onward.
According to CERT CA-2001-26, Nimda can spread in a few different ways:
- Client to client via e-mail
- Client to client via open network shares
- From Web server to client via browsing of compromised Web sites
- From client to Web server via active scanning for and exploitation of the "Microsoft IIS 4.0/5.0 directory traversal" vulnerability (VU #111677)
- From client to Web server via scanning for the back doors left behind by the Code Red II (IN-2001-09), and sadmind/IIS (CA-2001-11) worms
Fortunately, Nimda itself carries no destructive payload beyond modifying Web content so that it can continue to propagate.
Nimda appears to spread mainly through a two-part MIME-encoded email attachment. One part claims to be a text file but contains no text. The second part is marked as MIME type audio/x-wav but is actually a binary executable named Readme.exe. It executes because of a vulnerability (CERT CA-2001-06) that causes any email software running IE 5.5 or earlier to run the payload automatically on the basis of the false MIME type.
The subject line of the email varies, but the length of the attached file is (so far) a constant 57,344 bytes.
The payload attempts to find server back doors left by Code Red and also tries to send copies of itself to all addresses in the infected machine's Windows address book.
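The two server-side and mail-side vectors described above (IIS Unicode directory traversal probes and Code Red II back-door requests in Web logs, and an executable attachment hiding behind a benign MIME type) can be checked for with simple detection logic. The following is an added example written for this article, not code from the original post; the log lines are constructed in a simplified IIS W3C layout and the IIS logs and mail parts in a real deployment would be fed in from their own sources.

```python
"""Detection helpers for the Nimda spread vectors described above."""
import re
from urllib.parse import unquote

# Overlong / malformed UTF-8 sequences that unpatched IIS 4.0/5.0 decoded to a
# path separator only *after* checking that no '..' escaped the web root.
OVERLONG_SEPARATORS = re.compile(r"%c0%af|%c0%2f|%c1%9c|%c1%1c", re.IGNORECASE)
# What the traversal was used to reach: a command shell, or the root.exe copy
# of cmd.exe that a Code Red II back door leaves under /scripts.
TRAVERSAL_TARGET = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)
NIMDA_ATTACHMENT_SIZE = 57_344  # constant readme.exe size noted in the article


def normalize_request_path(raw: str) -> str:
    """Decode a URI the way the vulnerable IIS did: overlong bytes become '/',
    then percent-decode, then unify slashes and case."""
    decoded = unquote(OVERLONG_SEPARATORS.sub("/", raw))
    return decoded.replace("\\", "/").lower()


def is_traversal_probe(raw_path: str) -> bool:
    """True for a request that climbs out of the web root towards a shell,
    or that asks for the root.exe back door directly."""
    path = normalize_request_path(raw_path)
    if not TRAVERSAL_TARGET.search(path):
        return False
    return "/.." in path or "root.exe" in path


def is_suspicious_attachment(content_type: str, filename: str, data: bytes) -> bool:
    """Flag the mismatch Nimda relied on: a part declared as a non-executable
    type (e.g. audio/x-wav) whose content is a PE image (MZ header) or *.exe."""
    looks_executable = data[:2] == b"MZ" or filename.lower().endswith(".exe")
    declared_benign = not content_type.lower().startswith("application/")
    return looks_executable and declared_benign


# Constructed sample log (date time client-ip method uri status), not real data.
SAMPLE_LOG = """\
2001-09-18 10:01:02 198.51.100.7 GET /index.htm 200
2001-09-18 10:01:05 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 200
2001-09-18 10:01:06 198.51.100.7 GET /scripts/root.exe 404
2001-09-18 10:01:09 203.0.113.5 GET /images/logo.gif 200
"""


def scan_iis_log(text: str) -> list:
    """Return 'client-ip uri' strings for every line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and is_traversal_probe(parts[4]):
            hits.append(f"{parts[2]} {parts[4]}")
    return hits
```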
Assessing the Harm
Risk—High, with the important caveat that if you have been patching IIS regularly, this worm cannot penetrate your servers.
Impact—Denial of service incidents may occur because of the volume of email traffic triggered by this worm, but it does not appear to target specific systems with a DoS attack. If it finds a back door left by earlier attacks and not yet closed, this worm can let attackers run arbitrary code on servers.
The payload modifies any files it finds with .htm, .html, and .asp extensions (Web content files); then, if browsers that automatically execute these files access the infected server, those systems become infected.
The worm also copies itself (renamed README.EML) to all write-enabled directories.
How to Prevent It?
Every major antivirus company has updated software that can detect and remove Nimda. In addition, you should take the following preventive measures:
- Block e-mails containing a "readme.exe" attachment.
- Update virus definitions and ensure that firewalls are correctly configured.
- Download the latest security updates for Enterprise Security Manager and NetRecon.
- Install the IIS Unicode Traversal security patch.
- Install the malformed MIME header execution security patch.
- Close network share drives.