Information on the "Nimda" Worm
(Courtesy of Microsoft)


Summary: A new worm, officially called W32/Nimda@MM, is circulating on the Internet and affecting large numbers of customers using Windows operating systems. Microsoft is working with the anti-virus community and other security experts to thoroughly investigate the worm. If you haven't already installed the appropriate updates and/or patches, your computer can become infected.

Actions You Should Take


End Users

1. Prevent infection from email or infected Web sites by updating Internet Explorer as detailed below in the section titled "Email".

2. Prevent infection via file shares by ensuring that you have no unprotected file shares, as discussed below in the section titled "File Shares".

System Administrators

1. Ensure that all workstations on your network are protected against infection from email or infected Web sites by installing any of the updates listed in the section below titled "Email".

2. Protect Web servers by taking two steps:

3. Prevent spread through file shares by ensuring that your workstations and servers have no unprotected file shares, as discussed below in the section titled "File Shares".

Additional Information

The official name of the worm is W32/Nimda@MM, but it is generally referred to as the "Nimda" worm. It attempts to spread via three different means:

Email

The worm spreads via email by sending a copy of itself within a mail that exploits the security vulnerability discussed in Microsoft Security Bulletin MS01-020. As the bulletin describes, the vulnerability lies in Internet Explorer, but can be exploited via email. Simply opening the email itself would be sufficient to infect the machine – it would not be necessary to open an attachment.
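The email vector described above works because a vulnerable client trusts the content type a MIME part declares over the executable attachment it actually carries. The following scanner is an added example, not Microsoft's code and not part of the original advisory. It uses Python's standard `email` module to walk a message and report attachments whose executable file extension, or whose leading "MZ" executable header, contradicts a benign declared content type such as audio or image. The sample message, the extension list and the content-type prefixes are constructed for this example; a mail gateway running such a check would complement, not replace, the Internet Explorer update.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when the attachment is launched (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}

# Declared types that an executable attachment should never carry (constructed list).
HARMLESS_TYPE_PREFIXES = ("audio/", "image/", "text/", "video/")


def attachment_findings(raw_message):
    """Parse a raw RFC 822 message (bytes) and return a list of suspicious attachments.

    Each finding carries the filename, the declared content type and the reasons
    it was flagged, so a gateway can quarantine the message and log why.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable attachment extension")
            if ctype.startswith(HARMLESS_TYPE_PREFIXES):
                reasons.append(f"declared content type {ctype} does not match {ext}")
        payload = part.get_payload(decode=True) or b""
        # A DOS/PE executable starts with the two bytes "MZ"; a harmless declared
        # type on such a payload is the mismatch the email vector depends on.
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append("payload starts with the PE/DOS 'MZ' header")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


def build_constructed_sample():
    """Build a constructed message: one benign attachment, one mislabelled executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of a constructed message.")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    # Not a real program: a fake payload that merely begins with the "MZ" header,
    # declared as a sound file so a vulnerable client would treat it as harmless.
    fake_exe = b"MZ" + b"\x00" * 14 + b"constructed, not executable code"
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in attachment_findings(build_constructed_sample()):
        print(finding["filename"], finding["content_type"], "; ".join(finding["reasons"]))
```

Feed `attachment_findings` the raw bytes of any message (for example the output of a mail server's content filter hook); the "MZ" check catches executables whose names were also changed, which the extension check alone would miss.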

Anti-virus vendors are currently developing updated scanning tools that will detect and disarm mails sent by the virus. But even in the absence of these tools, patches and updated versions of IE have been available for some time to eliminate the vulnerability. Customers who have installed any of the following updates would be at no risk of infection by email:

Web Servers

When the worm attacks IIS 4.0 and 5.0 Web servers, it does so through either of two means. First, it checks to see if the computer was previously compromised by the Code Red II worm, which creates a "back door" that any malicious user can use later to gain control of the system. If the Nimda worm finds such a computer, it simply uses the back door created by Code Red II to infect the system. Second, the worm attempts to exploit the "Web Server Folder Traversal" vulnerability. If it succeeds in exploiting this vulnerability, the worm uses it to infect the system.

A tool is available to remove the back door created by the Code Red II worm. However, the best course of action is to prevent the Code Red II worm altogether, by taking any of the following steps:

The "Web Server Folder Traversal" vulnerability can be blocked by taking any of the following actions:

Once a server is infected, it attempts to pass the infection to any machines that visit the web sites it hosts. Like the email vector, it does this using the vulnerability discussed in Microsoft Security Bulletin MS01-020. Customers who have taken any of the steps discussed in the section titled "Email" are fully protected against the web-borne vector as well.
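Both server-side means described in this section leave traces in the IIS request log: a traversal attempt shows up as a percent-encoded request path that resolves outside the web root, and use of the Code Red II back door shows up as requests for an executable under a script directory. The following log checker is an added example, written for this page and not taken from Microsoft or any tool the advisory mentions. It decodes each request path as a lenient server might, flags paths that escape the root, double-encoded paths, and non-ASCII bytes in a path (the original vulnerability was triggered through unusual encodings of the traversal sequence, so any such byte is worth an analyst's look), and flags requests for `cmd.exe` or `root.exe`, the latter being the name public advisories give to the copy of the command shell left behind by Code Red II. The field layout and the log lines are constructed; match `LOG_FIELDS` to the `#Fields:` line of your own logs.

```python
from urllib.parse import unquote_to_bytes

# Minimal W3C extended log layout (constructed; match it to your own #Fields line).
LOG_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# Executables that should never be requested through a web server.
# cmd.exe is what a traversal request reaches for; root.exe is the name public
# advisories give the copy of cmd.exe that Code Red II leaves as its back door.
SUSPICIOUS_EXECUTABLES = ("cmd.exe", "root.exe")


def parse_w3c_line(line):
    """Split one log line into a dict; comment lines and short lines yield None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def normalize_path(raw_path):
    """Decode a request path the way a lenient server might; return (text, anomalies)."""
    notes = []
    decoded = unquote_to_bytes(raw_path)
    redecoded = unquote_to_bytes(decoded)
    if redecoded != decoded:
        notes.append("double percent-encoding")
        decoded = redecoded
    if any(byte >= 0x80 for byte in decoded):
        notes.append("non-ASCII bytes in path")
    # Treat backslashes as separators, as a Windows file system would.
    text = decoded.decode("latin-1").replace("\\", "/")
    depth = 0
    for segment in text.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                notes.append("path escapes the web root")
                break
        elif segment not in ("", "."):
            depth += 1
    basename = text.rsplit("/", 1)[-1].lower()
    if basename in SUSPICIOUS_EXECUTABLES:
        notes.append(f"request for {basename}")
    return text, notes


def scan_log(lines):
    """Return one finding per log line whose request path shows an anomaly."""
    findings = []
    for line in lines:
        record = parse_w3c_line(line)
        if record is None:
            continue
        _, notes = normalize_path(record["cs-uri-stem"])
        if notes:
            findings.append({"c-ip": record["c-ip"], "uri": record["cs-uri-stem"],
                             "status": record["sc-status"], "notes": notes})
    return findings


# Constructed log lines: one normal request, a traversal attempt, a back-door
# probe, a double-encoded traversal that stays inside the root, and a benign
# path containing a single dot segment.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-18 10:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-09-18 10:00:02 192.0.2.20 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe - 200",
    "2001-09-18 10:00:03 192.0.2.20 GET /scripts/root.exe - 404",
    "2001-09-18 10:00:04 192.0.2.30 GET /images/%252e%252e/secret.txt - 404",
    "2001-09-18 10:00:05 192.0.2.40 GET /docs/./readme.txt - 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["c-ip"], finding["status"], finding["uri"], "; ".join(finding["notes"]))
```

A 200 status on a flagged traversal line means the server answered the request and should be treated as compromised until checked; a 404 on the same pattern still identifies a scanning source worth blocking at the perimeter.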

File Shares

The final means by which the worm tries to spread is through file shares. Windows systems can be configured to allow other users to read files from them or write files to them. By default, Windows systems only allow the authorized user of the system to access the files on it. However, if the worm finds a system that has been configured to allow other users to create files on it, it adds files that spread the infection.

To protect against infection via this vector, minimize the number of users who can access your file system. If you have file shares you do not need, remove them. For any remaining ones, ensure that you've given other users as few privileges as possible. Finally, if you're using Windows NT 4.0 or Windows 2000, make sure that you have a strong password for the Administrator account – if you leave it blank, you've essentially given the world the ability to add files to your system. The Microsoft Personal Security Advisor (available for Windows NT 4.0 and Windows 2000) can help ensure that your system is securely configured.

Get and Stay Secure: The Microsoft Strategic Technology Protection Program

Computer security over the Internet is a worldwide concern fundamental to the way we live and do business. To help ensure this security, Microsoft is mobilizing its people and resources in the Microsoft Strategic Technology Protection Program (STPP), which integrates products, services, and support. This program's first offering is the Microsoft Security Tool Kit CD, which includes best practice guides, information on securing your system, and service packs and patches that can help ensure your system is protected against attacks.