
ADVICE please: This new NIMBA worm has killed my connectivity

  • ADVICE please: This new NIMBA worm has killed my connectivity

    PCs, servers hit by virulent worm
    A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data on Tuesday.

    Known as "Nimda" or "readme.exe," the worm spreads by sending infected e-mails, copying itself to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software.

    Apparently, no common antivirus software was able to detect the worm as of Tuesday morning, though several companies are close to producing updated definitions to identify and block the program.

    In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook e-mail software under the program's "medium" security setting.

    "There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in e-mail."

    For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code were spreading at the same time.

    The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University issued a warning Tuesday morning about malicious code scanning for vulnerable Web servers and an e-mail worm called Readme.exe.

    "We are recommending to sites that they verify the state of security patches on all IIS servers and e-mail client software," stated the warning.
    Cluley said that the worm exploits an already detected vulnerability in Microsoft Corp.'s Internet Information Server (IIS) Web software running on Windows NT or 2000 machines.

    Patches are available for both the IIS vulnerability and Web browsers at .

    Tool to Remove Obvious Effects of the Code Red II Worm:
    Last edited by theflow; Tue 18 Sep '01, 11:15am.

  • #2
    It's actually called the 'nimda' worm. The best info so far on it I've found is here:

    look for entries like this in your access logs to tell if it's trying to infect your server:
    Code:
     - - [18/Sep/2001:19:33:27 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HT$
     - - [18/Sep/2001:19:33:27 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn$
     - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" $
     - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" $
     - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" $
     - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" $
     - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-"$
     - - [18/Sep/2001:19:33:29 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "$
    My 'nix server is getting at least two hits/minute from this one. The patch has been out for IIS for over a year.
    Last edited by jpetrovs; Tue 18 Sep '01, 4:55pm.


    • #3
      To get it, do you have to open the email? And is this only email based, or can you get it from any downloads?


      • #4
        Originally posted by jpetrovs
        It's actually called the 'nimda'
        Thank you for the link... (yeah, I spelled it wrong. It's backwards for "admin")

        A friend of mine who has PacBell DSL -- not a webserver -- but a workstation running w98 -- found 50 new & modified files this morning, most corrupted with a script that tries to pop up an alert to read a file called read.eml -- all I know.


        • #5
          Since I can't post in that thread, and I *think* it's the same virus, I'll say Thanks to Kier here.
          Chen Avinadav


          • #6
            freakysid from sitepointforums posted this php code to log code red and nimda attacks on your linux servers

            PHP Code:
            <?php
            // Count Code Red probes: every Code Red hit requests /default.ida
            echo("Code red has tried to attack <font color='red'><b>");
            echo `cat /usr/local/apache/logs/access_log | grep -c default.ida`;
            echo("</b></font> times.");
            $date = date("m-d-y H:i");
            echo(" as at $date");

            // Count Nimda probes: every Nimda hit requests cmd.exe
            echo("<p>Nimda has tried to attack <font color='red'><b>");
            echo `cat /usr/local/apache/logs/access_log | grep -c cmd.exe`;
            echo("</b></font> times.");
            $date = date("m-d-y H:i");
            echo(" as at $date");
            ?>
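            The access-log entries quoted in #2 and the grep-based counter in #6 do the same job; as an added example (not code from either poster), here is a Python version that parses combined-format lines, collapses the double-encoded (%255c, %%35c) and overlong-UTF-8 (%c0%af, %c1%1c) traversals into one label, and counts probes per worm. The sample log lines are constructed, modelled on the entries quoted in #2.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format, modelled on the
# probes quoted in this thread (not real captured traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [18/Sep/2001:19:33:27 -0500] "GET /_mem_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
10.0.0.1 - - [18/Sep/2001:19:33:28 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
10.0.0.1 - - [18/Sep/2001:19:33:29 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
10.0.0.2 - - [18/Sep/2001:19:40:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 283 "-" "-"
10.0.0.3 - - [18/Sep/2001:19:41:10 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.1 - - [18/Sep/2001:19:42:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def classify(path):
    """Label a request path as a worm probe, or return None if it looks benign.

    Two passes of percent-decoding collapse the double-encoded "..%255c.." and
    "..%%35c.." forms to a plain backslash traversal. The overlong UTF-8
    separators (%c0%af, %c1%1c, %c1%9c) are matched on the raw path: they are
    not valid UTF-8 and do not occur in legitimate URLs."""
    raw = path.lower()
    if "default.ida" in raw:
        return "code-red"
    decoded = unquote(unquote(raw))
    overlong = re.search(r"%c[01]%[0-9a-f]{2}", raw) is not None
    traversal = "../" in decoded or "..\\" in decoded
    if "cmd.exe" in decoded or "root.exe" in decoded:
        return "nimda"
    if overlong or traversal:
        return "traversal"
    return None

def scan_log(text):
    """Return (per-label Counter, list of (ip, timestamp, label) hits)."""
    counts, hits = Counter(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m.group("path"))
        if label:
            counts[label] += 1
            hits.append((m.group("ip"), m.group("ts"), label))
    return counts, hits

if __name__ == "__main__":
    counts, hits = scan_log(SAMPLE_LOG)
    for ip, ts, label in hits:
        print(f"{ts} {ip} {label}")
    print(dict(counts))
```

            Point scan_log at the text of a real access_log to get the same per-worm totals the PHP snippet prints, plus the source address and time of each probe.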

