
W32.Nimda.A@mm

Risk Level 2: Low

Discovered:
September 18, 2001
Updated:
February 13, 2007 11:37:18 AM
Also Known As:
W32/Nimda@MM [McAfee], PE_NIMDA.A [Trend], I-Worm.Nimda [Kaspersky], W32/Nimda-A [Sophos], Win32.Nimda.A [Computer Associ
Type:
Worm, Virus
Systems Affected:
Microsoft IIS, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CVE-2000-0884 CVE-2001-0154

NOTE: As of January 15, 2003, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 4 to a Category 2.

Symantec has not seen any significant increase in activity due to the re-activation of the emailing routine after its initial 10-day sleep period.

W32.Nimda.A@mm is a mass-mailing worm that uses multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin."

This worm:
  • Sends itself by email
  • Searches for open network shares
  • Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers
  • Is a virus that infects both local files and files on remote network shares

The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows 2000 Gold or Service Pack 1, as well as information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
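The Unicode Web Traversal vulnerability patched by MS00-078 (CVE-2000-0884) let IIS decode overlong UTF-8 percent-encodings of "/" and "\" only after it had checked the request path, so a request could step outside the web root. The following is an added example, not part of the Symantec writeup, showing how a defender can scan W3C-format IIS logs for requests that escape the web root once those overlong forms are decoded. The log lines and paths are constructed for illustration; the field layout assumed is date, time, client IP, method, URI stem, query, status.

```python
"""Flag IIS requests whose URI escapes the web root once overlong UTF-8
percent-encodings are decoded (the traversal class patched by MS00-078).
Added example; the log lines below are constructed, not real Nimda traffic."""
from urllib.parse import unquote_to_bytes

# Constructed W3C extended log lines (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 10.0.0.5 GET /default.htm - 200
2001-09-18 14:02:12 10.0.0.9 GET /scripts/..%c0%af../private/data.txt - 200
2001-09-18 14:02:13 10.0.0.9 GET /msadc/..%c1%9c..%c1%9cprivate/data.txt - 404
2001-09-18 14:02:14 10.0.0.7 GET /images/sub/..%2f..%2flogo.gif - 200
2001-09-18 14:02:15 10.0.0.7 GET /images/..%2f..%2f..%2fprivate/data.txt - 200
"""


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode bytes as text but, unlike Python's strict UTF-8 decoder, accept
    the overlong two-byte forms (0xC0/0xC1 lead byte) that IIS 4/5 accepted."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # %c0%af -> '/', %c1%9c -> '\': the overlong encodings of ASCII
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII and everything else pass through byte-for-byte
            i += 1
    return "".join(out)


def escapes_web_root(uri_stem: str) -> bool:
    """True if the decoded path climbs above the web root at any point."""
    decoded = lenient_utf8_decode(unquote_to_bytes(uri_stem)).replace("\\", "/")
    depth = 0
    for part in decoded.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def find_traversal_requests(log_text: str) -> list:
    """Return (client_ip, uri_stem) for every request that escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#"):
            continue  # W3C directive lines (#Fields, #Date, ...)
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri_stem = fields[2], fields[4]
        if escapes_web_root(uri_stem):
            hits.append((client_ip, uri_stem))
    return hits


if __name__ == "__main__":
    for ip, uri in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {uri}")
```

The check deliberately decodes before judging the path, which is the order the patched IIS uses; the "/images/sub/..%2f..%2flogo.gif" line is kept in the sample to show that ordinary relative navigation inside the web root is not flagged.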

When the worm arrives by email, it uses a MIME exploit that allows the worm to execute when the message is merely read or previewed. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
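MS01-020 concerns the mail client acting on the Content-Type an attachment declares rather than on what the attachment actually contains. The following is an added example, not part of the Symantec writeup, of a mail-gateway check that compares each attachment's declared MIME type with the magic bytes of its decoded payload and flags disagreements. The message, the sender and recipient addresses, and the audio/x-wav type used for the executable are all constructed for illustration.

```python
"""Flag mail attachments whose declared MIME type disagrees with the bytes
they carry, the mismatch class behind MS01-020. Added example; the message
below is constructed and is not the worm's actual mail."""
import email
from email import policy

# Constructed message: a part with an executable (MZ) header declared as audio.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset=us-ascii

<html><body>sample body</body></html>
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def sniff_content_type(data: bytes) -> str:
    """Identify a payload from its magic bytes for the few types this check needs."""
    if data.startswith(b"MZ"):
        return "application/x-msdownload"  # DOS/PE executable
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "audio/x-wav"
    if data.startswith(b"\x89PNG"):
        return "image/png"
    return "application/octet-stream"  # unknown: never trust the header alone


def find_mismatched_attachments(raw: bytes) -> list:
    """Return (filename, declared_type, sniffed_type, reason) for each suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff_content_type(payload)
        if sniffed == "application/x-msdownload" and declared != sniffed:
            findings.append((filename, declared, sniffed,
                             "executable bytes declared under a non-executable type"))
        elif (filename.lower().endswith(EXECUTABLE_EXTENSIONS)
              and not declared.startswith("application/")):
            findings.append((filename, declared, sniffed,
                             "executable extension declared under a non-application type"))
    return findings


if __name__ == "__main__":
    for name, declared, sniffed, reason in find_mismatched_attachments(SAMPLE_MESSAGE):
        print(f"{name}: declared {declared}, looks like {sniffed} ({reason})")
```

The decision is made on the decoded payload, so a base64 or uuencoded wrapper does not hide the MZ header; a gateway that quarantines on either finding removes the dependency on the client honouring the declared type.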

If you visit a compromised Web server, you will be prompted to download a .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer Internet Security Zones to prevent this compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process, the worm creates the guest account with Administrator privileges.


Virus Definitions
Virus Definitions may be downloaded using LiveUpdate or from the Symantec Security Response Web site.

Symantec Solutions
Symantec offers a host of solutions to defend and protect against W32.Nimda.A@mm. Click here to review Symantec's recommendations on how to address W32.Nimda.A@mm and similar "blended threats."

Information for Macintosh users
Although this worm does not infect Macintosh computers, the worm can be passed through Macintosh email to Windows computers. Also, if you share a network with Windows computers, files could be placed on your hard drive. For additional information, read the document, "Are Macintoshes affected by the Nimda virus?"

Information for Novell users
Novell servers are not directly vulnerable, but a Novell client running under Windows can access the Novell server and execute the file from there (using a login script or other means), which can further spread the virus.

NOTE: Microsoft has released a cumulative roll-up for IIS 4.0 on NT 4.0 SP5 and later, as well as all security patches released to date for IIS 5.0. This information can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Microsoft has provided information regarding this threat at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp.

For information on .enc detections, read the article, What is an .enc detection?

For additional information, read the Microsoft TechNet article, Information on the "Nimda" Worm.

Norton AntiVirus
Norton AntiVirus is the world's most trusted antivirus solution. Now it repairs common virus infections automatically, without interrupting your work. Automatic updating of virus definitions over the Internet is just as easy. Symantec's exclusive Script Blocking technology defends against fast-moving threats by identifying and stopping new script-based viruses such as "ILoveYou" even between virus definition updates. To safeguard your PC and prevent it from spreading viruses to your friends and colleagues, Norton AntiVirus scans and cleans both incoming and outgoing email. And for instant access to the most-needed functions, it integrates into Windows Explorer. If you do not have antivirus software, protect your computer from worms and viruses with Symantec's award-winning Norton AntiVirus.

Norton AntiVirus Corporate Edition
Norton AntiVirus Corporate Edition provides best-of-breed, multi-platform, enterprise-wide virus protection at the desktop and file server tiers. The Digital Immune System, the result of two years collaborative work with IBM®, provides access to intelligent back-end services and exclusive automated response mechanisms. Closed-loop automation is a response feature that analyzes and deploys quality-tested cures faster than viruses can spread. Even in the face of unusually heavy demand during widespread attacks, Symantec's scalable back-end architecture ensures fast delivery of the virus definitions required for complete protection.

Norton AntiVirus for Gateways
Norton AntiVirus for Gateways scans compressed files at the SMTP gateway, automatically detecting viruses in email attachments including a nearly unlimited number of file extensions such as the ZIP, UUENCODE, and MIME formats. Since it also scans and repairs files contained within common compressed file formats, it provides solid defense against writers who often conceal viruses in compressed files. Using integrated proactive AntiVirus functions, administrators can block new and unknown viruses before a cure exists, preventing virus outbreaks from entering the organization.

Norton AntiVirus for Lotus Notes
Norton AntiVirus for Lotus Notes/Domino provides stable, reliable, and award-winning protection for Lotus Notes/Domino databases, including Lotus Domino Release 5. It offers administrators the most comprehensive, automatic protection available against new and existing viruses and keeps databases free from viruses, automatically scanning and repairing file attachments and embedded OLE objects in Notes mail and database documents. Efficient incremental scans minimize impact on network performance. And because administrators don't have to reinstall the scan engine every time a new virus is discovered, it significantly reduces total cost of ownership. Norton AntiVirus is easy to use because all operations are done using the Notes client.

Norton AntiVirus for Microsoft Exchange
Norton AntiVirus 2.5 for Microsoft Exchange automatically detects and removes old and new viruses on Exchange servers, providing the most comprehensive, automatic virus protection available. Using the latest virus scanning APIs from Microsoft, Norton AntiVirus for Microsoft Exchange scans both the email message body and attachments to provide maximum protection while minimizing the impact on network performance. Because administrators do not have to reinstall the scan engine to add new virus definitions, Norton AntiVirus significantly reduces cost of ownership.

Norton Internet Security
Norton Internet Security is the integrated online security suite from Symantec. The Norton Internet Security suite includes Norton AntiVirus, Norton Personal Firewall, Norton Privacy Control and Ad Blocking. The ability to easily update the suite (for the latest virus definitions, firewall rules, etc.) via LiveUpdate ensures that Norton Internet Security continues to provide security to the user's computer from the latest online threats.

Symantec Desktop Firewall
Symantec Desktop Firewall is the easiest to use and least intrusive solution for protecting remote users from hackers and corporate networks from back-door attacks. It deploys rapidly and works in the background, monitoring inbound and outbound communications. Remote installation and compatibility with leading VPNs make it an essential solution for securing remote communications.

Symantec Enterprise Firewall
Symantec Enterprise Firewall and Raptor Firewall will, through proper configuration, analyze HTTP requests and responses to ensure they adhere to the Requests for Comments (RFC) defining Web protocol behavior. This mechanism effectively blocks many common attacks that take advantage of protocol violations. In addition, Symantec Enterprise Firewall/Raptor Firewall version 6.5 or later can be configured to use URL pattern matching on rules to block against quantified threats on specific web server platforms.

Symantec VelociRaptor
VelociRaptor is a single-rack unit high (1RU), plug-and-protect appliance that ensures complete control of information entering and leaving the network. Its advanced data inspection technology filters traffic and integrates application level proxies, network circuit analysis, and packet filtering into the gateway security architecture. To bar access to private networks and confidential information, VelociRaptor applies full-inspection scanning techniques that ensure that data is validated at all seven levels of the protocol stack, including application proxies.

Symantec Enterprise Security Manager (ESM)
Symantec Enterprise Security Manager is a scalable security policy compliance and host-based vulnerability assessment tool. Using this tool you can detect systems that are running IIS, detect systems that have the Web Directory Traversal Vulnerability, and detect modified, new, and deleted files through its snapshot technology. It can also detect other modifications in the registry, which is useful in forensic analysis. If you have not already deployed ESM within your enterprise, it is of limited use in recovering from a widespread compromise like W32.Nimda.A@mm. However, it has tremendous strength in mitigating the risk of the next W32.Nimda.A@mm-type worm, since it enforces best practices, e.g., identifying inadequate patch levels, unneeded services, and weak passwords. Click here to review the Enterprise Security Manager Security Response Policy for Nimda on Windows NT and Windows 2000.

Symantec NetRecon
Symantec NetRecon is a network vulnerability assessment scanner with root cause analysis capabilities. It detects systems that are running Web services, specifically Microsoft IIS, and also detects systems that have the Web Directory Traversal Vulnerability.

Symantec NetProwler
NetProwler is Symantec's network-based intrusion detection tool that continuously and transparently monitors your network for patterns of misuse or abuse. With Security Update 8 installed, NetProwler will detect the CodeRed worm and variants operating on your network. The NetProwler logs will identify each system compromised by the W32.Nimda.A@mm worm. NetProwler can also assist in forensic analysis by reviewing log entries to provide clues as to which host(s) on the network were first compromised by the worm.

Symantec Intruder Alert
Intruder Alert is a host-based intrusion detection tool that detects unauthorized and malicious activity, keeping systems, applications, and data secure from misuse and abuse. The FileWatch function in Intruder Alert can monitor mission-critical files and detect any changes, deletions, or movements that may have resulted from unauthorized access after a W32.Nimda.A@mm compromise. In addition, Intruder Alert provides utilities to develop custom rules that can restore the compromised or changed files to their original state. Intruder Alert also monitors a system for suspicious behavior such as rootkit or DDoS agent installation, and account creation or modification. Intruder Alert can centrally manage log file events from across the network to assist in forensic analysis of compromised systems.

Symantec Web Security
Symantec Web Security protects web traffic at the HTTP/FTP gateway with high-performance, one-time scanning for viruses, malicious code, and inappropriate web content. It is the only solution that combines heuristic, context-sensitive analysis with list-based techniques for ensuring maximum protection against known and unknown malware threats and non-business-related web sites.

Antivirus Protection Dates

  • Initial Rapid Release version September 18, 2001
  • Latest Rapid Release version March 5, 2012 revision 036
  • Initial Daily Certified version September 18, 2001
  • Latest Daily Certified version March 6, 2012 revision 003
  • Initial Weekly Certified release date September 18, 2001
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High

Writeup By: Eric Chien
