Nimda (computer worm)
Encyclopedia
Nimda is a computer worm
, and is also a file infector. It quickly spreads, eclipsing the economic damage caused by past outbreaks such as Code Red
. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.
The worm was released on September 18, 2001. Due to the release date, exactly one week after the attacks on the World Trade Center and Pentagon
, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
Nimda affected both user workstations (clients
) running Windows 95
, 98
, Me
, NT
, 2000
or XP
and server
s running Windows NT and 2000.
The worm's name origin comes from the reversed spelling of it, which is "admin
".
F-Secure
found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code.
—uses five different infection vectors:
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, and is also a file infector. It quickly spreads, eclipsing the economic damage caused by past outbreaks such as Code Red
Code Red (computer worm)
The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh...
. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.
The worm was released on September 18, 2001. Due to the release date, exactly one week after the attacks on the World Trade Center and Pentagon
September 11, 2001 attacks
The September 11 attacks The September 11 attacks The September 11 attacks (also referred to as September 11, September 11th or 9/119/11 is pronounced "nine eleven". The slash is not part of the pronunciation...
, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
Nimda affected both user workstations (clients
Client (computing)
A client is an application or system that accesses a service made available by a server. The server is often on another computer system, in which case the client accesses the service by way of a network....
) running Windows 95
Windows 95
Windows 95 is a consumer-oriented graphical user interface-based operating system. It was released on August 24, 1995 by Microsoft, and was a significant progression from the company's previous Windows products...
, 98
Windows 98
Windows 98 is a graphical operating system by Microsoft. It is the second major release in the Windows 9x line of operating systems. It was released to manufacturing on 15 May 1998 and to retail on 25 June 1998. Windows 98 is the successor to Windows 95. Like its predecessor, it is a hybrid...
, Me
Windows Me
Windows Millennium Edition, or Windows Me , is a graphical operating system released on September 14, 2000 by Microsoft, and was the last operating system released in the Windows 9x series. Support for Windows Me ended on July 11, 2006....
, NT
Windows NT 4.0
Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
, 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
or XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
and server
Server (computing)
In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
s running Windows NT and 2000.
The worm's name origin comes from the reversed spelling of it, which is "admin
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
".
F-Secure
F-Secure
F-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code.
Methods of infection
Nimda was so effective partially because it—unlike other infamous malware like the Morris worm or Code RedCode Red (computer worm)
The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh...
—uses five different infection vectors:
- via emailE-mailElectronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
- via open network sharesShared resourceIn computing, a shared resource or network share is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise Intranet, transparently as if it were a resource in the local machine.Examples are shared file...
- via browsing of compromised web sitesWebsiteA website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
- exploitationExploit (computer security)An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red, and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server.) - via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.