News

New Mass-Mailing Worm in the Wild

• By Stephen Swoyer
• 09/18/2001

Some industry watchers suggest that the new worm, called Nimda could wreak more havoc than the notorious Code Red worm, which – in at least two variants – crippled Windows 2000 systems throughout July and August.

Russ Cooper, editor of the Windows NT Bugtraq Mailing List and “surgeon general” of security firm TruSecure Corp., says that Nimda is capable of exploiting vulnerabilities in Microsoft’s Windows 9x, Windows Millennium, Windows NT and Windows 2000 operating systems.

“The last figures were about 300 million [Windows] clients and servers that could participate in this,” he says.

Most users will likely receive the worm as an attachment – named either Readme.exe or Readme.eml – sent in tandem with an e-mail message that features an ostensibly empty or missing message body. According to antivirus vendor Central Command, this e-mail message actually contains code which can launch the worm when a user views it.

Because the e-mail message contains a malformed header which dupes Windows into treating it as a .WAV file, experts say, it can even circumvent Outlook security restrictions which prohibit the execution of attached .exe and other files.

According to officials from Central Command, Nimda propagates itself by means of several different payload delivery mechanisms. First of all, it uses Microsoft’s Mailing Application Programming Interface (MAPI) to extract SMTP addresses from a compromised user’s e-mail and attempts to mail itself to these addresses.

Secondly, Nimda can spread itself to Windows NT 4.0 and Windows 2000 Server systems running Microsoft’s IIS Web server platform by means of the Unicode Web Traversal exploit that was exploited by the Code Blue worm of early September. Microsoft originally made a patch available for this exploit last year.

Finally, Nimba can activate the “Guest” user account on Windows NT 4.0 and Windows 2000 systems and will attempt to add itself to the “Administrator” group. The worm will create a network share on the root drive and invest it at the same time will full access privileges.

Once the worm has successfully compromised a system, experts say, it begins to scan its local network subnet for other systems to infect.

According to Cooper, Nimda represents a level of sophistication that we haven’t yet seen in attack worms.

“I think that we’ve all sort of suggested that we’re going to see increased sophistication in attacks, and this is just one indication of that increased sophistication -- combining the methods [of payload delivery],” he says.

Some industry watchers claim that because it affects a far greater number of vulnerable systems, Nimda could be much bigger than Code Red.

For his part, TruSecure’s Cooper says that administrators in Windows NT 4.0 and Windows 2000 environments who hardened their systems in the aftermath of Code Red and who installed the consolidated IIS patches that Microsoft made available in late August should be protected against Nimda.

“I’ve have had lots of discussions today with people who have been infected, and only one of them has said that they’ve had MS01-044 [the August cumulative hotfix roll-up for IIS] applied to an NT 4.0 box and were still compromised [by Nimda],” Cooper says. “This says to me that chances are that the patches should be effective. Because this was an NT 4.0 system, chances are that [the administrator] made changes and reloaded old files that replaced the files installed with the patch.”

At the same time, Cooper cautions that administrators who removed only their .IDQ and .IDA script mappings in the aftermath of Code Red are still vulnerable. “If all they did was remove the script mapping and they had not patched since last year, for example, which was one of the reasons why they were vulnerable to Code Red in the first place, then they’d be vulnerable to some of the web traversal attacks that this one does try,” he says.