Nimda: Difference between revisions

Nimda
Nimda
Technical name	Avast: Win32:Nimda; Avira: W32/Nimda.eml; BitDefender: Win32.Nimda.A@mm; ClamAV: W32.Nimda.eml; Eset: Win32/Nimda.A; Grisoft: I-Worm/Nimda; Kaspersky: Net-Worm.Win32.Nimda or I-Worm.Nimda; McAfee: Exploit-MIME.gen.ex; Sophos: W32/Nimda-A; Symantec: W32.Nimda.A@mm
Type	Multi-vector worm
Origin	China (alleged)
Authors	Multiple authors; one serving prison time
Technical details
Platform	Windows 95 – XP
Written in	C++

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Inline

Latest revision as of 08:47, 26 September 2024

The Nimda virus is a malicious file-infecting computer worm.

The first released advisory about this threat (worm) was released on September 18, 2001.

Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000, or XP and servers running Windows NT and 2000.^[3]

The worm's name comes from the reversed spelling of "admin".^[1]

F-Secure found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin. However, they also noted that a computer in Canada was responsible for an October 11, 2001 release of infected emails alleging to be from Mikko Hyppönen and Data Fellows (F-Secure's previous name).^[4]

Methods of infection

Nimda proved effective partially because it—unlike other infamous malware like Code Red—uses five different infection vectors:

Email
Open network shares
Browsing of compromised web sites
Exploitation of various Internet Information Services (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS Server.^[5])
Back doors left behind by the "Code Red II" and "sadmind/IIS" worms.^[6]

References

^ ^a ^b "Ten years on from Nimda". TheRegister.com. September 17, 2011. Retrieved October 27, 2020.
^ "Information about the Network Worm "Nimda"". Kaspersky Lab. Kaspersky.com. September 18, 2001. Archived from the original on August 7, 2016. Retrieved June 4, 2016.
^ "CA-2001-26: Nimda Worm". CERT Coordination Center. Carnegie Mellon University. September 18, 2001. Archived from the original on February 26, 2014.
^ "Net-Worm: W32/Nimda Description". F-Secure Labs. F-secure.com. Retrieved June 4, 2016.
^ "Kurt Seifried - LASG / Introduction to security". Seifried.org. Retrieved June 4, 2016.
^ Chen, Thomas M.; Robert, Jean-Marc (2004). "The Evolution of Viruses and Worms". In Chen, William W.S (ed.). Statistical Methods in Computer Security. doi:10.1201/9781420030884. ISBN 9780429131615.

External links

[Nimdadmin-1] "Ten years on from Nimda". TheRegister.com. September 17, 2011. Retrieved October 27, 2020.

[2] "Information about the Network Worm "Nimda"". Kaspersky Lab. Kaspersky.com. September 18, 2001. Archived from the original on August 7, 2016. Retrieved June 4, 2016.

[cert-3] "CA-2001-26: Nimda Worm". CERT Coordination Center. Carnegie Mellon University. September 18, 2001. Archived from the original on February 26, 2014.

[4] "Net-Worm: W32/Nimda Description". F-Secure Labs. F-secure.com. Retrieved June 4, 2016.

[5] "Kurt Seifried - LASG / Introduction to security". Seifried.org. Retrieved June 4, 2016.

[6] Chen, Thomas M.; Robert, Jean-Marc (2004). "The Evolution of Viruses and Worms". In Chen, William W.S (ed.). Statistical Methods in Computer Security. doi:10.1201/9781420030884. ISBN 9780429131615.

[1]

[2]

[3]

[4]

[5]

[6]

@@ Line 11: / Line 11: @@
 | IsolationDate  =
 | Origin         = [[China]] (alleged)
-| Author         = Multiple authors; one serving prison time <ref>{{cite web|url=https://www.theregister.com/2011/09/17/nimda_anniversary/|title=Ten years on from Nimda|publisher=TheRegister.com|access-date=October 27, 2020|date=September 17, 2011}}</ref>
+| Author         = Multiple authors; one serving prison time<ref name="Nimdadmin">{{cite web|url=https://www.theregister.com/2011/09/17/nimda_anniversary/|title=Ten years on from Nimda|publisher=TheRegister.com|access-date=October 27, 2020|date=September 17, 2011}}</ref>
 | Ports used     =
 | OSes           = [[Microsoft Windows|Windows]] [[Windows 95|95]] – [[Windows XP|XP]]
 | Filesize       =
-| Language       = C++<ref>{{cite web|url=http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|title=Information about the Network Worm "Nimda" &#124; Kaspersky Lab|publisher=Kaspersky.com|date=2001-09-18 |access-date=2016-06-04|archive-url=https://web.archive.org/web/20160807233000/http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|archive-date=August 7, 2016}}</ref>
+| Language       = C++<ref>{{cite web|url=http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|title=Information about the Network Worm "Nimda"|work=Kaspersky Lab|publisher=Kaspersky.com|date=September 18, 2001|access-date=June 4, 2016|archive-url=https://web.archive.org/web/20160807233000/http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|archive-date=August 7, 2016}}</ref>
 }}
-'''Nimda''' is a malicious file-infecting [[computer worm]]. It quickly spread, surpassing the economic damage caused by previous outbreaks such as [[Code Red (computer worm)|Code Red]].
+The '''Nimda virus''' is a malicious file-infecting [[computer worm]].
+The first released advisory about this threat (worm) was released on September 18, 2001.
-The first released advisory about this thread (worm) was released on September 18, 2001.<ref>{{cite web|url=https://www.cert.org/historical/advisories/CA-2001-26.cfm|title=CA-2001-26|work=CERT|publisher=[[Carnegie Mellon University]]|date=September 18, 2001|archive-url=https://web.archive.org/web/20140226175440/https://www.cert.org/historical/advisories/CA-2001-26.cfm|archive-date=February 26, 2014|url-status=live}}</ref> Due to the release date, exactly one week after the [[September 11 attacks|attacks on the World Trade Center and Pentagon]], some media quickly began speculating a link between the virus and [[Al Qaeda]], though this theory ended up proving unfounded.{{cn|date=May 2021}}
-Nimda affected both user workstations ([[Client (computing)|clients]]) running [[Windows 95]], [[Windows 98|98]], [[Windows NT 4.0|NT]], [[Windows 2000|2000]] or [[Windows XP|XP]] and [[Server (computing)|server]]s running Windows NT and 2000.
+Nimda affected both user workstations ([[Client (computing)|clients]]) running [[Windows 95]], [[Windows 98|98]], [[Windows NT 4.0|NT]], [[Windows 2000|2000]], or [[Windows XP|XP]] and [[Server (computing)|server]]s running Windows NT and 2000.<ref name=cert>{{cite web|url=https://www.cert.org/historical/advisories/CA-2001-26.cfm|title=CA-2001-26: Nimda Worm|website=[[CERT Coordination Center]]|publisher=[[Carnegie Mellon University]]|date=September 18, 2001|archive-url=https://web.archive.org/web/20140226175440/https://www.cert.org/historical/advisories/CA-2001-26.cfm|archive-date=February 26, 2014|url-status=dead}}</ref>
-The worm's name origin comes from the reversed spelling of "[[System administrator|admin]]".
+The worm's name comes from the reversed spelling of "[[System administrator|admin]]".<ref name="Nimdadmin"/>
-[[F-Secure]] found the text<ref>{{cite web|url=http://www.f-secure.com/v-descs/nimda.shtml|title=Net-Worm: W32/Nimda Description &#124; F-Secure Labs|publisher=F-secure.com|access-date=2016-06-04}}</ref> "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin.
+[[F-Secure]] found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin. However, they also noted that a computer in Canada was responsible for an October 11, 2001 release of infected emails alleging to be from [[Mikko Hyppönen]] and Data Fellows (F-Secure's previous name).<ref>{{cite web|url=http://www.f-secure.com/v-descs/nimda.shtml|title=Net-Worm: W32/Nimda Description|work=F-Secure Labs|publisher=F-secure.com|access-date=June 4, 2016}}</ref>
 ==Methods of infection==
-Nimda was so effective partially because it—unlike other infamous malware like  [[Code Red (computer worm)|Code Red]]—uses five different infection [[Vector (malware)|vectors]]:
+Nimda proved effective partially because it—unlike other infamous malware like  [[Code Red (computer worm)|Code Red]]—uses five different infection [[Attack vector|vectors]]:
-* [[E-mail|Email]]
+* [[Email]]
 * Open [[Shared resource|network shares]]
 * Browsing of compromised [[Website|web sites]]
-* [[Exploit (computer security)|Exploitation]] of various [[Internet Information Services]] (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS Server.<ref>{{cite web|url=http://seifried.org/lasg/introduction-to-security/|title=Kurt Seifried - LASG / Introduction to security|publisher=Seifried.org|access-date=2016-06-04}}</ref>)
+* [[Exploit (computer security)|Exploitation]] of various [[Internet Information Services]] (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS Server.<ref>{{cite web|url=http://seifried.org/lasg/introduction-to-security/|title=Kurt Seifried - LASG / Introduction to security|publisher=Seifried.org|access-date=June 4, 2016}}</ref>)
+* Back doors left behind by the "Code Red II" and "[[sadmind]]/IIS" worms.<ref>{{Cite book|last1=Chen|first1=Thomas M.|chapter-url=https://www.taylorfrancis.com/chapters/edit/10.1201/9781420030884-19/evolution-viruses-worms-thomas-chen-jean-marc-robert|title=Statistical Methods in Computer Security|last2=Robert|first2=Jean-Marc|editor-first1=William W.S |editor-last1=Chen |chapter=The Evolution of Viruses and Worms |year=2004 |isbn=9780429131615|doi=10.1201/9781420030884 }}</ref>
-* Back doors left behind by the "Code Red II" and "[[sadmind]]/IIS" worms.
 ==See also==