Download Index

In-Depth Reviews

Tips & Tutorials

Updates

News

Browsers

Chat / Conferencing

Desktop Utilities

Development

Internet Apps

Multimedia

OS Service Packs

Productivity Tools

Download of the day • Internet Explorer 8

Most Popular Software Downloads • Opera • Internet Explorer 7 • QuickTime for Windows • Winamp • Mozilla Firefox 3 • Ad-Aware 2008 Free • Adobe Flash Player • Paint Shop Pro • Adobe Shockwave Player • AVG Anti-Virus Free • 7-Zip Most Popular Software Articles • Windows Vista Tips & Tricks, Part 1 • Windows Vista: Worthy of the Hype? • Windows Wireless Zero Configuration: Five Steps to Sanity

Handling Nimda
How Nimda Works
D. E. Levine

Although there's no evidence that Nimda actually destroys data, the major problem is that it is a very aggressive worm that generates a large volume of Internet and network activity that winds up clogging both and slowing them down. Nimda can spread in four different major ways.

Perhaps the most common way that Nimda can be spread is through e-mail. An infected message can have any kind of return address. Generally the subject is nonsensical or looks like it's in another language. (If you're not familiar with other languages you won't want the message anyway.) The body of the message usually lacks any text while an attachment will appear to be a WAV or readme.exe file. The reason that Nimda is particularly nasty is that you needn't open the message in order to activate the worm. Generally just by looking at the information in the preview pane will activate Nimda. The worm will then send e-mail to every address listed in the address book and in the browser cache.

A second way that a PC or server can get infected is by viewing and infected Web page on the Internet. When the page is infected it's generally "rigged" to ask the viewer if they want to download and Outlook Express e-mail (. eml) file. When that file is downloaded it infects the machine. With this infection, as well as the infection through e-mail, the worm appends itself to Word document files, .exe files, and .eml files. In some cases it will replace applications with copies that execute the worm and the worm always executes if a program uses Richard20.dll.

The third method of infection is by exploiting a previous system compromise. If a system running IIS software has already been compromised by either the Code Red or Code Red II worms, Nimda copies itself as an "admin.dll" file. For those IIS systems that haven't been compromised, the worm attempts to use the previously discovered "Web server folder traversal" vulnerability in order to copy the admin.dll file to the server.

Finally, the fourth major method of infection is by using shared drives on corporate networks. Network sharing allows the Nimda worm to spread very quickly, and because of its nature, to be especially pervasive in reappearing and infecting systems.

Next: Tips for Dealing with Nimda »

« Previous Page

| Next Page »

Contents:
1. Explaining Nimda
2. How Nimda Works
3. Tips for Dealing with Nimda