Infection by a Web Server
W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS Web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause IIS to navigate to any desired folder on the logical drive that contains the Web folder structure, and then access files in it. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as add, change, or delete files or Web pages on the compromised server. The limitations of the original vulnerability include:
- The server configuration. The vulnerability only allows files to be accessed if they reside on the same logical drive as the Web folders.
For example, if a Web administrator had configured the server so that the operating system files were installed on the C drive and the Web folders were installed on the D drive, the attacker would be unable to use the vulnerability to access the operating system files.
- The attacker must be logged onto the server interactively.
- The gained privileges would be only those of a locally logged-on user. The vulnerability would only allow the malicious user to take actions in the context of the IUSR_machinename account.
However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker can remotely compromise a vulnerable IIS server, and once compromised, create a local account on the targeted server with administrator privileges, regardless of the drive on which the IIS server is installed.
The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use the IIS servers that CodeRed II
had previously compromised
to propagate and to access root.exe from the inetpub/scripts directory.
If Norton AntiVirus RealTime protection detects files such as "TFTP34%4.txt" as being infected with W32.Nimda.A@mm in your inetpub/scripts folder, you may have been previously exposed to CodeRed II. We recommend that you download and execute the CodeRed removal tool
to make sure that your system has been cleaned of the CodeRed II threat.
The worm searches for Web servers using randomly generated IP addresses. Using the Unicode Web Traversal exploit, the worm copies itself to the Web server as admin.dll via TFTP. Infected machines create a listening TFTP server (port 69/UDP) to transfer the copy of the worm.
Then, this file is executed on the Web server and copied to multiple locations. In addition to this exploit, the worm attempts to exploit already compromised Web servers using the files root.exe or cmd.exe, which are located in remotely executable Web directories.
Readme.eml is an Outlook Express email file, with the worm as an attachment. The email messages use the MIME exploit. Thus, a computer may be infected by browsing the infected Web page.
When executed, the worm determines where it is being executed from. The worm overwrites Mmc.exe in the \Windows folder, or creates a copy of itself in the Windows Temporary folder.
Then, the worm infects executables, creates itself as .eml and .nws files, and copies itself as Riched20.dll in folders that contain .doc files on the local drive. The worm searches for files in the paths listed in the registry keys:
The worm hooks the system by modifying the System.ini file as follows:
Shell = explorer.exe load.exe -dontrunold
The worm also replaces the file, Riched20.dll, which is a legitimate Windows .dll file that programs, such as Microsoft Word, use. By replacing this file, the worm is executed each time programs (such as Microsoft Word) are executed.
The worm also registers itself as a service process or adds itself as a remote thread to the Explorer process. This allows the worm to continue to execute even when a user is not actively logged on.
The worm copies itself as the file, %Windows\System%\load.exe
%Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.
Next, the worm creates open network shares for all the drives on the computer by modifying the registry key:
CurrentVersion\Network\LanMan\[C$ -> Z$]
A reboot of the computer is required for these settings to take effect.
The worm searches for all the open shares on the network by iterating through Network Neighborhood and by using randomly generated IP addresses. All the files on any open network shares are examined for possible infection. The worm infects all the .exe files except Winzip32.exe.
Next, the .eml and .nws files are copied to the open network shares, and the worm copies itself over as Riched20.dll to any folder that contains .doc files.
The worm changes the Explorer settings to not show Hidden files and known file extensions.
The worm adds the user, Guest, under the groups Guests and Administrators. This gives the guest account Administrative privileges. In addition, the worm actively shares C$ = C:\ No reboot is required.
Nimda contains a mass-mailing routine that is executed every 10 days. The worm begins this routine by first searching for email addresses. The worm searches for email addresses in the .htm and .html files on the local system. The worm also uses MAPI to iterate through all the messages contained in any MAPI-compliant email clients. Any MAPI-supporting email clients may be affected, including Microsoft Outlook and Outlook Express. The worm uses these email address for the To: and the From:
addresses. Thus, mail sent from the infected computer will appear to have been sent by the people whose addresses that Nimda found, not by the person whose computer is infected.
The worm uses its own SMTP server to send email messages using the configured DNS entry to obtain a mail server record (MX record).
When the worm is received by email, the worm uses an old known MIME exploit to auto-execute itself. The worm will be unable to execute using Microsoft Outlook or Outlook Express if the system has been patched against this exploit.
Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
The worm also attempts to infect .EXE files. First, the worm checks to see whether the file is already infected. If the file is not infected, the worm makes a copy of itself in the Temporary directory. The victim file is embedded inside the copy. This new file is then copied over the victim file, replacing the originally clean file with an infected version. Infected executables will be approximately 57344 bytes larger. When an infected file is executed, the worm will extract the original clean file to a temporary file and execute it along with itself. Thus, one may not notice that their executable has become infected.
During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create the file, Wininit.ini, with an entry to delete itself upon reboot.
When infecting files, the worm may create two temporary files in the Windows Temporary folder as:
Both files will be Hidden and have the system attribute set.
Ports that the worm uses are listed below. NOTE
: These are all standard ports.
- TCP 25 (SMTP): Used to send email to targets with addresses taken from the compromised client.
- TCP 69 (TFTP): Opens port 69/udp for the TFTP transfer of admin.dll for the IIS infection. As part of this protocol, it makes outgoing connections to transfer the files.
- TCP 80 (HTTP): Uses this port to target vulnerable IIS servers.
- TCP 137-139, 445 (NETBIOS): Used in the transmission of the worm.
The worm contains bugs and can be resource-intensive. Thus, all the actions may not occur and you may notice system instability.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":