"Nimda" Is Breeding

29 Oct 2001
Virus News

5 modifications of the worm have already been detected

Since "Nimda" was discovered on September 18, 2001, Kaspersky Lab has detected 5 more modifications of this network worm. Some of them have already been seen "in-the-wild", but fortunately none of them has caused an epidemic comparable to the original one. Kaspersky Lab recommends that users carefully read the descriptions of the recently discovered Nimda modifications and download the latest Kaspersky(TM) Anti-Virus database updates to prevent infection.

Nimda.a

The original worm discovered on September 18, 2001.

"Nimda" penetrates a computer in several different ways:

First of all, via e-mail: an infected e-mail in HTML format, containing several embedded objects, enters a target computer. Upon viewing the e-mail, one of the objects (named README.EXE, about 57 KB in size) is automatically executed without the user's knowledge. To accomplish this, the worm exploits a security vulnerability in Internet Explorer that was first detected in March of this year.

Secondly, while surfing infected Web sites: in place of the original Web site, a user is shown a modified version containing a malicious Java program, which downloads and starts a copy of "Nimda" on the remote computer, using the aforementioned vulnerability.

Thirdly, via the local network: the worm scans all accessible network resources and drops thousands of copies of itself there. The idea is that a user who finds the file on a disk or server will infect his/her own computer by running it.

In addition to penetrating workstations, "Nimda" also attacks Web servers running Microsoft Internet Information Server (IIS). To do this it exploits a vulnerability in IIS called "Web Server Folder Traversal", as described in the corresponding Microsoft security bulletin.
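The folder-traversal attack against IIS works by encoding the ".." path segments so that the server's checks miss them. A defender can detect such requests in IIS logs by normalizing the requested path (repeated percent-decoding, decoding of overlong two-byte UTF-8 forms, backslash-to-slash) and then checking whether the path climbs above the Web root. The following is an added example, not part of the original article and not Kaspersky's code; the log lines are constructed and the log format is a simplified W3C-style layout assumed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample IIS log lines (simplified W3C-style: date time client-ip method uri status).
SAMPLE_LOG = """2001-10-29 10:15:02 192.0.2.10 GET /default.htm 200
2001-10-29 10:15:03 192.0.2.10 GET /scripts/..%c0%af../winnt/win.ini 200
2001-10-29 10:15:04 192.0.2.11 GET /scripts/..%255c..%255c/winnt/win.ini 404
2001-10-29 10:15:05 192.0.2.12 GET /images/../index.htm 200"""


def _decode_overlong(raw: bytes) -> bytes:
    """Collapse overlong two-byte UTF-8 sequences (lead byte C0/C1) to the
    ASCII byte they encode, the way a lenient decoder would treat them."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(raw_path: str) -> str:
    """Percent-decode until the path stops changing (catches double encoding),
    fold overlong UTF-8 forms, and unify the directory separator."""
    current = raw_path.encode("latin-1", "replace")
    for _ in range(3):  # bounded: a sane request needs at most one pass
        decoded = _decode_overlong(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.decode("latin-1").replace("\\", "/")


def escapes_root(normalized: str) -> bool:
    """True when the ".." segments climb above the Web root."""
    depth = 0
    for segment in normalized.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def scan_iis_log(log_text: str) -> list:
    """Return (client_ip, raw_uri, normalized_uri) for each traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip
        client_ip, raw_uri = fields[2], fields[4]
        normalized = normalize_path(raw_uri)
        if escapes_root(normalized):
            hits.append((client_ip, raw_uri, normalized))
    return hits


if __name__ == "__main__":
    for ip, raw, norm in scan_iis_log(SAMPLE_LOG):
        print(f"traversal from {ip}: {raw} -> {norm}")
```

The check deliberately decodes on the normalized form rather than matching specific byte sequences, so the same rule catches single, double and overlong encodings; the request that goes `/images/../index.htm` is not flagged because it never leaves the root.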

Nimda.b

A slightly modified version of the original "Nimda" worm, compressed with the PCShrink utility. The filenames "README.EXE" and "README.EML" are replaced with "PUTA!!.SCR" and "PUTA!!.EML".

Nimda.c

This is exactly the original "Nimda" worm, but compressed with the UPX compressor.

Nimda.d

A slightly modified version of the original "Nimda" worm, compressed with the PECompact utility. The only difference from the original worm is that the "copyright" text strings are patched in this version with the following text: "HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain".

Nimda.e

This is a recompiled "Nimda" variant with several subroutines fixed and optimized. This variant was found in-the-wild at the end of October 2001. The visible differences from the original worm version are:

The attached file name: SAMPLE.EXE (instead of README.EXE)
The DLL files are: HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)

The "copyright" text is replaced with:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)
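Because the variants differ mainly in the file names they drop and the "copyright" strings embedded in the executable, a simple indicator matcher can attribute a file found on a network share to a variant. The following is an added example, not part of the original article and not Kaspersky's code; it uses only the names and strings listed above, and the share listing it scans is constructed. Note the caveat: variants b, c and d are packed (PCShrink, UPX, PECompact), so embedded strings are generally not visible until the file is unpacked, which this matcher does not do.

```python
# Indicators taken from the variant descriptions above (file names matched
# case-insensitively, strings matched as raw bytes in the file content).
NIMDA_VARIANTS = {
    "Nimda.a": {"files": {"README.EXE", "README.EML", "ADMIN.DLL"}, "strings": []},
    "Nimda.b": {"files": {"PUTA!!.SCR", "PUTA!!.EML"}, "strings": []},
    "Nimda.d": {"files": set(),
                "strings": [b"HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain"]},
    "Nimda.e": {"files": {"SAMPLE.EXE", "HTTPODBC.DLL", "COOL.DLL"},
                "strings": [b"Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)"]},
}

# Constructed share listing: file name -> file content (not real samples).
SAMPLE_SHARE = {
    "readme.eml": b"MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n",
    "PUTA!!.scr": b"MZ\x90\x00packed-with-pcshrink",
    "report.doc": b"quarterly figures",
    "sample.exe": b"MZ\x90\x00Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)",
    "update.exe": b"MZ\x90\x00HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain",
}


def classify(filename: str, content: bytes) -> list:
    """Return the variant names whose file-name or string indicators match."""
    upper = filename.upper()
    matched = []
    for variant, ind in NIMDA_VARIANTS.items():
        if upper in ind["files"] or any(s in content for s in ind["strings"]):
            matched.append(variant)
    return matched


def scan_share(listing: dict) -> dict:
    """Map each suspicious file in the listing to the variants it matches."""
    findings = {}
    for name, content in listing.items():
        hits = classify(name, content)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, variants in scan_share(SAMPLE_SHARE).items():
        print(f"{name}: {', '.join(variants)}")
```

Because Nimda.c is the unmodified original under UPX, it carries the same file names as Nimda.a, so a name hit on README.EXE alone does not distinguish the two; the packer signature and the AV engine's unpacking are what separate them.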

A more detailed description of the worm is available in the Kaspersky Virus Encyclopedia.

Defense procedures thwarting all known modifications of "Nimda" have already been added to the Kaspersky Anti-Virus database update.