Nimda, also known as W32.Nimda.A@mm or readme.exe, is a worm that Symantec rates at Category 4 (extremely serious), and it spreads to both servers and PCs running Microsoft software.
Nimda is similar to Code Red; however, Code Red attacked only servers and only through one security hole, while the new worm can affect any desktop computer or server running Microsoft Windows software, and it tries to wriggle in through 16 known vulnerabilities in Microsoft's Internet Information Services (IIS) 4 or 5, including the security hole that Code Red II left on some computers.
It is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, and attempts to copy itself to unpatched Microsoft IIS web servers. The worm does this using the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
Once a server is infected, the worm continues to scan for other vulnerable computers. In addition, the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to intercept a request for any page, even an invalid request, and instead return a page infected with the virus.
The worm searches for .htm, .html, and .asp files to modify. These files are modified such that a MIME-encoded copy of the worm is downloaded by the Web browser.
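As an added illustration (not part of the original alert), the check below normalizes request URIs the way the Unicode traversal exploit relies on, decoding overlong UTF-8 byte pairs and double-encoded separators, and flags log entries whose path climbs above the web root. The log lines are constructed samples, and the function names are my own.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (method, URI, status), not real captures.
SAMPLE_LOG = """\
GET /index.htm 200
GET /scripts/..%c0%af../private/config.txt 200
GET /images/logo.gif 200
GET /scripts/..%255c../private/config.txt 404
GET /msadc/..%c1%9c../..%c1%9c../private/config.txt 200
"""

def lenient_decode(raw: bytes) -> str:
    """Decode bytes as UTF-8 but accept overlong two-byte forms (%c0%af -> '/',
    %c1%9c -> '\\'), which is what the unpatched IIS decoder did."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def normalize_uri(uri: str) -> str:
    """Drop the query, percent-decode until stable (catches %255c), fold '\\' to '/'."""
    path, prev = uri.split("?", 1)[0], None
    while prev != path:
        prev, path = path, lenient_decode(unquote_to_bytes(path))
    return path.replace("\\", "/")

def escapes_webroot(path: str) -> bool:
    """True if '..' segments in the normalized path climb above the root."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else (1 if seg and seg != "." else 0)
        if depth < 0:
            return True
    return False

def flag_traversal(log_text: str) -> list[str]:
    """Return the raw URIs whose normalized form escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and escapes_webroot(normalize_uri(fields[1])):
            hits.append(fields[1])
    return hits
```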
In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook e-mail software under the program's "medium" security setting.
Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment.
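An added example, not from the original alert, showing two checks an administrator could run against the behaviour described above: find script blocks in .htm/.html/.asp files that pull an .eml file into the page, and inspect an .eml for a MIME part that is really an executable ("MZ" magic) despite a non-executable declared Content-Type. The HTML and MIME samples are constructed, with a dummy "MZ" stub in place of any real executable; the function names are my own.

```python
import email
import os
import re
from email import policy

# Constructed samples (not the real worm): an injected loader script and a MIME message whose "audio" part is an MZ stub.
SAMPLE_HTML = '<html><body>Hi</body><script>window.open("readme.eml", null, "top=6000")</script></html>'
SAMPLE_EML = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVpkdW1teQ==
--B--
"""

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

def find_eml_loaders(html: str) -> list[str]:
    """Return the body of each script block that references an .eml file."""
    return [s for s in SCRIPT_BLOCK.findall(html) if ".eml" in s.lower()]

def scan_web_files(root: str) -> dict[str, list[str]]:
    """Map each .htm/.html/.asp file under root to its .eml-loading scripts."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".htm", ".html", ".asp")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                loaders = find_eml_loaders(fh.read())
            if loaders:
                found[path] = loaders
    return found

def mismatched_executables(eml_bytes: bytes) -> list[tuple[str, str]]:
    """Return (filename, declared type) for parts that decode to 'MZ' data but claim another type."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        if payload.startswith(b"MZ") and part.get_content_type() not in EXEC_TYPES:
            hits.append((part.get_filename() or "", part.get_content_type()))
    return hits
```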
Also, the worm will create an open network share on the infected computer, allowing access to the system. There is also the possibility that it can be spread by FTP and by IRC.
Symantec Security Response and McAfee websites have the steps necessary for removal of this worm, and if the other virus sites don't have them now, I suspect they will have them very soon.
Shavlik Technologies' HFNetChk tool traditionally checks only for hotfixes. However, because of its data-driven architecture, HFNetChk can be extended with a new XML file, released at no charge through NTBugTraq (the resource experienced network administrators use as the authority on Microsoft security issues), to check for the Nimda virus.
Comprehensive info from The Internet TOURBUS Newsletter:
As if the events of the past week haven't been enough to deal with, there is a new virus/worm called Nimda. Every computer running Microsoft Windows 95, 98, 98SE, ME, NT, or 2000 is vulnerable. Computers running non-Windows operating systems (like Macs and Linux boxes) are *NOT* vulnerable, though.
How is Nimda different from the squillion other viruses out there? Well, if you'll pardon my using an analogy, most viruses try to break into your computer through your front door. Close the front door and the virus ceases to be a threat. Nimda tries to break in through your front door, your living room window, and your chimney. Close the front door and you're still vulnerable.
In other words, you're going to have to do a bit of work to protect your computer from Nimda.
Closing the Front Door
Update your virus definitions. This closes the front door. How do you update your virus definitions? That depends on the antivirus program you use. Norton Antivirus has a "Live Update" button built into the program; click on it, and Norton automatically downloads and installs the latest virus definitions from the Net. McAfee VirusScan has a similar update function (go to File --> Update VirusScan). And, of course, *NEVER* double-click on any file, especially an email attachment, regardless of who the file is from, until you first scan that file with your antivirus program. As long as you update your virus definitions weekly and never double-click on attachments without first scanning those attachments, you're pretty well protected from *most* computer viruses. But not Nimda.
Closing the Living Room Window
Nimda also exploits a well-known hole in the PC version of Internet Explorer (other versions, including the Mac version of Internet Explorer, are *NOT* affected by this hole). According to Microsoft, Internet Explorer does not handle MIME (Multipurpose Internet Mail Extensions) headers in HTML e-mails correctly. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer. If this occurs, the executable can take any action on the computer that the user can take, including adding, changing, or deleting data, communicating with Web sites, or reformatting the hard drive. Fortunately, Microsoft patched this hole back in March. And finding, downloading, and installing this patch couldn't be simpler: just run Windows Update and download *ALL* of the critical updates. There are a couple of ways to run Windows Update, but the easiest is to launch Internet Explorer and then go to Tools --> Windows Update. You can also go to Start --> Settings --> Windows Update. Either way will automatically redirect you to Microsoft's Windows Update page at
http://windowsupdate.microsoft.com/default.htm .
On the top left side of the Windows Update page, click on the "Product Updates" link (it is the one with the hand and the red *). A pop-up window will appear, telling you to wait while your computer DOESN'T send any information to Microsoft (well, that's what it says!)
Eventually, you'll see a page that says "Select Software." When Microsoft releases an essential update or patch to close a security hole in Windows, they put it in this page's "Critical Updates" section. Microsoft also puts a bunch of other, non-essential stuff on this page, but you can ignore that. You are here for the Critical Updates.
Select (or click on) EVERYTHING in the "Critical Updates" section -- you need *ALL* of the critical updates -- and then click on the big, gray "Download" arrow in the top right hand corner of the page. Then, just follow the on-screen prompts.
This closes the living room window.
By the way, if you run Windows Updates and don't see any Critical Updates, don't panic. This just means that your version of Internet Explorer has already been patched (and your living room window is already closed). :)
Closing the Chimney
You're still not done. According to our friends at CERT, you've already taken care of the automatic execution problem in the last step (Microsoft's Critical Update patch closes that hole), but it is still possible that an infected Web page could automatically download a Nimda virus-infected file to your computer. Your computer wouldn't be infected, though. Instead, the virus-infected file would be like a letter bomb; it will just sit there, taking up space, waiting for you to open it.
The folks at CERT recommend disabling JavaScript to avoid this problem, but I have a much more beautiful solution: download and install a "pop-up killer" like WebWasher. Nimda tries to "come down the chimney" through a JavaScript pop-up window. Pop-up killers like WebWasher keep this from happening.
In other words, WebWasher closes the chimney.
Originally developed by German electronics giant Siemens, WebWasher is a filter program for PCs, Macs, and Linux boxes running either Netscape Navigator or Microsoft Internet Explorer. Once you install WebWasher on your computer, the program automatically blocks unwanted Web content like banner ads and pop-up windows. Instead of the ads, all you see is white space -- the ads aren't even downloaded! :)
What is most amazing is that WebWasher is free for home and education use. You heard right, folks: IT'S FREE! To download WebWasher, point your Web browser to
http://www.webwasher.com/en/products/wwash/download_license.htm
and click on the "I agree" button. The download process is self-explanatory.
Once you download WebWasher to your hard drive (the file is less than 1 MB in size, so it should download pretty quickly), double-click on the installation file to install the program, and then follow the on-screen instructions to configure both WebWasher and your browser. This sounds complicated, but it is actually rather easy.
That's it! You are now free to surf the Web relatively ad-free. And unlike a lot of other ad filtering programs, WebWasher doesn't change the appearance of most popular Web sites. In fact, some sites -- like Intellicast -- look significantly better without the ads!
As I said earlier, most viruses try to break into your computer through your front door. Close the front door and the virus ceases to be a threat. Nimda tries to break in through your front door, your living room window, and your chimney.
BUT, if you update your virus definitions, never double-click on attachments, download and install the Critical Update patches from Microsoft, and use a pop-up killer like WebWasher, the Nimda virus will become just like Yoko Ono: an annoying thing about which you need not worry.
Tulsa Computer Society
Don Singleton, President
djs@ionet.net