Nimda is a computer worm, and is also a file infector. It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet's most widespread virus/worm within 22 minutes.
The worm was released on September 18, 2001. Due to the release date, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
Nimda affected both user workstations (clients) running Windows 95, 98, Me, NT, 2000 or XP and servers running Windows NT and 2000.
The worm's name spelled backwards is "admin".
F-Secure found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code.
Methods of infection
Nimda was so effective partially because, unlike other infamous malware like the Morris worm or Code Red, it uses five different infection vectors:
- via email
- via open network shares
- via browsing of compromised web sites
- exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well-known and long-solved vulnerabilities in the Microsoft IIS server.)
- via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.
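The following is an added example, not part of the original article: a web-server log check for the directory traversal vector listed above. It percent-decodes each request URI until it stops changing, treats backslashes as path separators, and flags paths whose `..` segments climb above the web root. The log format, field order and sample lines are constructed for illustration.

```python
from urllib.parse import unquote

MAX_ROUNDS = 4  # cap on repeated decoding (assumption for this sketch)

def fully_decode(path):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def escapes_web_root(decoded):
    """True when '..' segments climb above the directory the URI starts in."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def scan(log_lines):
    """Return (client, uri, reason, status) for each suspicious request."""
    findings = []
    for line in log_lines:
        _date, _time, client, _method, uri, status = line.split()
        decoded, rounds = fully_decode(uri.split("?", 1)[0])
        if escapes_web_root(decoded):
            findings.append((client, uri, "traversal", int(status)))
        elif rounds > 1:  # nested encoding is rarely legitimate
            findings.append((client, uri, "multi-encoded", int(status)))
    return findings

# Constructed sample log (hypothetical format: date time client method uri status)
SAMPLE_LOG = [
    "2001-09-18 13:05:02 192.0.2.77 GET /scripts/..%255c../dir/tool.exe?x=1 404",
    "2001-09-18 13:05:03 192.0.2.77 GET /scripts/..%5c../dir/tool.exe 200",
    "2001-09-18 13:05:04 192.0.2.10 GET /docs/../images/logo.gif 200",
    "2001-09-18 13:05:05 192.0.2.31 GET /files/report%252520final.txt 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `traversal` finding with status 200 means the server answered the request and deserves attention first; the same finding with a 4xx status is a probe that was rejected.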
External links