Federal authorities have described a new Internet-based worm that targets Windows-based machines through email and Web servers as more disruptive than this summer's Code Red worm. The worm, dubbed Nimda (admin spelled backwards), probably originated in China and is unique because it attacks several known flaws in various versions of Windows. Users can get the worm from visiting tainted Web sites where they are prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment called readme.exe. They can also get the worm as an email attachment through Outlook or Outlook Express. Security experts say the worm doesn't delete any data, but it's hard to remove, easy to spread, and can be used in Denial of Service (DoS) attacks.
"There are about 300 million [Windows machines] that could participate in this [attack]," says NT Bugtraq's Russ Cooper. The worm affects all modern versions of Windows, including Windows 2000, Windows NT 4.0, Windows Me, and Windows 9x.
According to the Computer Emergency Response Team (CERT), the worm uses several methods to spread. The worm spreads from client to client through email, from client to client through open network shares, from Web servers to clients that browse compromised Web sites, from clients to Web servers through active scanning for and exploitation of the "Microsoft IIS 4.0/5.0 directory traversal" vulnerability, and from clients to Web servers through scanning for back doors that the Code Red II and sadmind/IIS worms left behind.
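As an added illustration of the two server-side vectors just described (this is example code, not from the article or from CERT), the check below decodes request paths the way the vulnerable IIS parser effectively did and flags the Code Red II root.exe backdoor and cmd.exe reached through encoded directory traversal in a few constructed IIS log lines; the simplified log format, the sample probe paths and the lenient decoder are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed, simplified IIS log lines (date time c-ip method uri-stem query status):
# three mimic the server-side probes the text attributes to Nimda, one is benign.
SAMPLE_LOG = """\
2001-09-18 14:02:11 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:13 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:03:00 10.0.0.9 GET /index.html - 200
"""
TRAVERSAL = re.compile(r"\.\.[\\/]")  # matched only after decoding


def iis_lenient_decode(uri):
    """Percent-decode, then fold any two-byte UTF-8-shaped sequence into one byte
    even when it is an overlong form strict UTF-8 rejects (%c0%af -> '/', %c1%1c
    -> '\\'); two rounds also expose double encoding (%255c -> %5c -> '\\')."""
    raw = uri.encode("ascii", "replace")
    for _ in range(2):
        raw, out, i = unquote_to_bytes(raw), bytearray(), 0
        while i < len(raw):
            b = raw[i]
            if b & 0xE0 == 0xC0 and i + 1 < len(raw):  # lead byte of a 2-byte form
                out.append(((b & 0x1F) << 6 | (raw[i + 1] & 0x3F)) & 0xFF)
                i += 2
            else:
                out.append(b)
                i += 1
        raw = bytes(out)
    return raw.decode("latin-1")


def classify(uri_stem):
    """Label one request path as a Nimda-style server probe, or None if benign."""
    path = iis_lenient_decode(uri_stem).lower()
    if path.endswith("root.exe"):
        return "code-red-ii-backdoor-probe"
    if path.endswith("cmd.exe") and TRAVERSAL.search(path):
        return "iis-directory-traversal-probe"
    return None


def scan_log(text):
    """Return (client_ip, uri_stem, label, status) for every flagged log line."""
    hits = []
    for fields in (line.split() for line in text.splitlines()):
        label = classify(fields[4]) if len(fields) >= 7 else None
        if label:
            hits.append((fields[2], fields[4], label, int(fields[6])))
    return hits
```

A 200 status on a flagged traversal line is the case worth escalating, since it means the server answered the probe rather than rejecting it.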
People who use Microsoft's IIS Web servers are protected from this worm if they apply the patch used to stop Code Red. Outlook 2002 correctly identifies Nimda attachments as malicious and warns the user. However, older versions of Outlook and Outlook Express are vulnerable because the attachment might be able to run without the user opening it. This ability makes the worm particularly dangerous.
If you're running IIS, you should download and install Microsoft's latest cumulative security patch, which can prevent this attack from succeeding.
End users should, of course, consider using up-to-date antivirus software. If you're running Outlook 2002 or a newer version of IE (5.01, 5.5, and newer), however, you should be protected. If you're running an older version of IE, please download the "Automatic Execution of Embedded MIME Types" vulnerability patch.
For more information, please visit the CERT Coordination Center.