A new worm, dubbed Nimda (admin spelled backwards), has been spreading rapidly across the Internet, affecting both businesses and home computer users. The worm spreads by taking advantage of several unpatched products, including Outlook, Microsoft Internet Explorer (IE), and Microsoft IIS.

Nimda can arrive as an email message with a file attachment named readme.exe. The body of the message might appear to be blank, but it actually contains embedded code that causes the worm to activate when a user merely views the message. On activation, the worm copies itself into the system directory as a file called load.exe and overwrites riched20.dll, the rich-text DLL that WordPad uses, so any program that loads that DLL also runs the worm. Nimda also modifies system.ini so that load.exe runs each time the system reboots.

Nimda uses Messaging API (MAPI) calls to harvest the email addresses stored on the infected system, then uses its own SMTP engine to mail itself to all of those addresses. Nimda also enables the Guest account with a blank password and creates a share on each infected system that exposes the C: drive.

In addition, Nimda spreads to IIS servers with the same exploit that Sadmind and similar worms used. An infected IIS system spawns threads that attempt to spread the worm to other Web servers listening on port 80. Because Nimda makes no apparent attempt to identify the Web server software before attempting infection, the worm causes network traffic congestion for many non-IIS Web-server operators, and even for Samba users. After infecting an IIS server, the worm appends JavaScript code to every HTML file on the system; that script infects Web users who view the pages with JavaScript enabled in their browsers.
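The IIS side of the infection described above relies on the server decoding a request path more loosely than it should. The following added example (not code from the original article) shows detection logic of the kind an IDS vendor or a log reviewer would apply: it decodes each request path twice, then with a deliberately lenient UTF-8 decoder that mirrors the flaw (overlong two-byte escapes such as %c0%af become '/'), and flags any request whose canonical path climbs with "..". The log lines in SAMPLE_LOG are constructed in NCSA common log format; the request paths are modeled on the Unicode and double-decode traversal technique, and are an assumption rather than something the article quotes.

```python
"""Flag Unicode/double-decode directory-traversal requests in Web server logs.

Added example, not code from the original article. SAMPLE_LOG is constructed;
the request paths are modeled on the IIS traversal technique the article refers
to (overlong UTF-8 escapes such as %c0%af for '/', or %255c for '\\').
"""
import re
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:12:01 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:10:12:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:10:12:03 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.9 - - [18/Sep/2001:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [18/Sep/2001:10:13:05 +0000] "GET /docs/r%C3%A9sum%C3%A9.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def lenient_utf8(data: bytes) -> str:
    """Decode the way a too-forgiving decoder does: a two-byte lead byte
    (0xC0-0xDF) is combined with whatever byte follows, so the overlong forms
    C0 AF and C1 9C (or C1 1C) come out as '/' and '\\'. Strict UTF-8 rejects
    these; the server flaw the article refers to did not. Bytes of longer
    sequences are mapped to U+FFFD, which is never a path separator."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def normalize(url: str):
    """Return (canonical path, list of decoding anomalies) for a raw URL."""
    path = url.split("?", 1)[0]
    once = unquote_to_bytes(path)
    twice = unquote_to_bytes(once)           # catches %25XX double encoding
    anomalies = []
    if twice != once:
        anomalies.append("double-encoded")
    if any(b in (0xC0, 0xC1) for b in twice):
        anomalies.append("overlong-utf8")    # C0/C1 never occur in valid UTF-8
    canonical = lenient_utf8(twice).replace("\\", "/")
    return canonical, anomalies


def is_traversal(path: str) -> bool:
    """True when any segment of the decoded path is '..'."""
    return ".." in path.split("/")


def scan(lines):
    """Return one record per request whose decoded path climbs with '..'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        canonical, anomalies = normalize(m.group("url"))
        if is_traversal(canonical):
            hits.append({"raw": m.group("url"), "path": canonical,
                         "anomalies": anomalies or ["plain-dotdot"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["path"], hit["anomalies"], "<-", hit["raw"])
```

The check deliberately keys on the decoded path rather than on the mere presence of non-ASCII escapes, so a legitimately encoded name such as r%C3%A9sum%C3%A9.html is not reported; blocking every high-bit character is the blunter rule a filter such as URLScan applies.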

Most antivirus software vendors, as well as Intrusion Detection System (IDS) vendors, have released updates for their products that help prevent infection by Nimda. Independent users have also offered tools to the Internet community to help thwart Nimda. John Thornton of Hackers Digest released a tool called Worm Watch that listens on port 80 for Nimda and any eventual variants of the worm. Daniel Shultz sent us the following single-line script, which strips the malicious JavaScript that Nimda inserts into Web pages, cleaning all HTM, HTML, and Active Server Pages (ASP) files, including those in subdirectories. The command renames each file to a .old copy, then writes back under the original name every line that does not contain the string readme.eml. Users should execute this line as a single command from a Windows 2000 command prompt:

for /R %f in (*.htm *.html *.asp) do ren "%f" "%~nf.old" & findstr /L /V "readme.eml" "%~dpf%~nf.old" >"%f"
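A line filter such as findstr /V throws away every line that contains readme.eml, which is fine when the worm's script sits on a line of its own. The following added example (not the reader's one-liner and not code from the original article) removes only the injected script element, keeps a byte-for-byte backup beside each changed file, and shows the difference on a page where the script was appended straight after the last byte of legitimate markup. The sample page, its injected snippet (a script element that opens readme.eml), and the no-trailing-newline edge case are constructed assumptions based on the article's description rather than a captured file.

```python
"""Strip the script Nimda appends to .htm/.html/.asp files without losing
legitimate content. Added example, not the one-liner above or code from the
original article. SAMPLE_PAGE and its injected snippet are constructed from
the article's description; the append-without-newline case is an assumption.
"""
import re
import tempfile
from pathlib import Path

# A script element, optionally wrapped in its own <html>...</html>, whose body
# refers to readme.eml. Matching the element rather than the whole line keeps
# any legitimate markup that shares a line with it.
INJECTED_RE = re.compile(
    r'(?:<html>)?\s*<script[^>]*>[^<]*readme\.eml[^<]*</script>\s*(?:</html>)?',
    re.IGNORECASE)

SAMPLE_PAGE = (
    '<html><body>\n'
    '<p>Quarterly results</p>\n'
    '</body></html>'          # no trailing newline, so the injected text lands here
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)
EXTENSIONS = (".htm", ".html", ".asp")


def clean_html(text: str):
    """Return (cleaned text, number of injected elements removed)."""
    return INJECTED_RE.subn("", text)


def findstr_style(text: str) -> str:
    """What `findstr /L /V "readme.eml"` keeps: every line not containing the
    string. Shown for comparison; it drops the whole last line of SAMPLE_PAGE."""
    return "\n".join(line for line in text.split("\n") if "readme.eml" not in line)


def clean_tree(root: Path):
    """Clean every .htm/.html/.asp under root, keep the original beside it as
    name.ext.old (so a.htm and a.html cannot collide), and return the relative
    paths of the files that changed."""
    changed = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in EXTENSIONS:
            continue
        original = p.read_bytes().decode("latin-1")   # byte-preserving round trip
        cleaned, n = clean_html(original)
        if n:
            p.with_name(p.name + ".old").write_bytes(original.encode("latin-1"))
            p.write_bytes(cleaned.encode("latin-1"))
            changed.append(p.relative_to(root).as_posix())
    return changed


def demo_tree():
    """Build a throwaway tree with one infected page per extension plus one
    clean page, clean it, and return (changed files, cleaned text of one)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.htm").write_text(SAMPLE_PAGE, encoding="latin-1")
        (root / "sub" / "page.html").write_text(SAMPLE_PAGE, encoding="latin-1")
        (root / "sub" / "form.asp").write_text(SAMPLE_PAGE, encoding="latin-1")
        (root / "clean.html").write_text("<html><body>ok</body></html>", encoding="latin-1")
        changed = clean_tree(root)
        return changed, (root / "index.htm").read_text(encoding="latin-1")


if __name__ == "__main__":
    changed, text = demo_tree()
    print("cleaned:", changed)
    print(repr(text))
    print("findstr-style result loses the closing tags:", repr(findstr_style(SAMPLE_PAGE)))
```

Run it against a Web root with clean_tree(Path(r"C:\Inetpub\wwwroot")) after the server has been patched and the worm's own files removed; re-running it is harmless, because a page with no injected element is left untouched and gets no new .old copy.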

Last week, Microsoft released its new URLScan filter for IIS, which, as it turns out, prevents Nimda infection. URLScan is flexible and highly configurable; for example, users can make it reject any request that contains Unicode (non-ASCII) characters. Because Nimda relies on such characters to infect IIS systems, URLScan blocks the infection nicely. The filter is available on the Microsoft Web site.
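As an added illustration of the URLScan tightening described above (this is not Microsoft's shipped urlscan.ini and not part of the original article), the fragment below pairs the permissive setting with the hardened one for each option that matters here. The option and section names are those documented for URLScan; whether every one of them is present in the first release the article mentions is an assumption.

```ini
; urlscan.ini fragment: added example, not the file Microsoft ships.
; Each option is shown first as the permissive value, then as the value
; that blocks the Unicode/double-decode requests the article describes.

[Options]
; AllowHighBitCharacters=1  -> any byte above 0x7F is passed to IIS
AllowHighBitCharacters=0
; NormalizeUrlBeforeScan=0  -> the raw, still-escaped URL is inspected
NormalizeUrlBeforeScan=1
; VerifyNormalization=0     -> a URL that decodes differently a second time is allowed
VerifyNormalization=1
; AllowDotInPath=1          -> dots (including "..") are allowed in the path
AllowDotInPath=0
; UseAllowVerbs=0           -> every verb except those in [DenyVerbs] is allowed
UseAllowVerbs=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
; never serve executables from the Web root, whatever path reaches them
.exe
.bat
.cmd
.com

[DenyUrlSequences]
; any request whose URL contains one of these is rejected outright
..
./
\
:
%
&
```

Note that denying "%" in [DenyUrlSequences] also rejects legitimately escaped characters such as %20 in file names, and AllowDotInPath=0 rejects any directory name that contains a period; test a production site against these settings before relying on them.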

Microsoft also posted specific information about the Nimda worm that details several actions users should take on infected systems. The document includes a list of patches (some as much as a year old) and procedures that users should apply to prevent similar problems in the future.