Nimda Spreading Via Many Paths

An aggressive hybrid of virus and worm has been running rampant across the Internet this week, slowing traffic and causing site shutdowns. But the real damage from W32.Nimda may end up being the cost to eradicate it.

In what is already a tense period -- with numerous government warnings of hacking threats in the wake of deadly terrorist attacks -- the Nimda outbreak shook security experts and users alike and sparked calls for increased vigilance from both network administrators and software vendors.

When Nimda first struck, many observers thought that a separate e-mail virus and a Code Red-like Internet Information Services-based worm were striking at the same time. It turned out that Nimda -- with the most aggressively virulent propagation mechanisms ever seen -- was using four separate mechanisms to spread itself.

Roman Danyliw, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University, said Nimda's multipronged attack is representative of the new breed of cyberthreat.

"This is certainly not the first worm we've seen that exploits [multiple weaknesses]," Danyliw said. "These types of attacks … are becoming the weapon of choice."

Nimda spreads through e-mail using an attachment called readme.exe that, if opened or sent to unsecured Outlook accounts, will cause the malicious code to be sent to contacts in the user's address book. Nimda also spreads as a worm by using multiple known holes in Microsoft's IIS server, making it much more aggressive than Code Red, which used one hole. (The patch for these holes is at ...) Once on a server, the worm downloads and executes a .dll file, which gives it administrative access and opens the system Guest account. The worm also spreads by accessing any network shares that allow access to the Guest account with no password required.

Nimda's most distinctive and dangerous propagation method, however, is through a user's Web browser. Once Nimda gets control of an IIS system, it adds to all .html and .asp files a small piece of JavaScript that will attempt to spread the worm by forcing users to download and execute a file called readme.eml. When users access these Web pages, versions of Internet Explorer prior to Version 5.5 SP2 will automatically download and execute this file. Users of these versions can download a patch at ... or upgrade their browser.
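The page-injection behaviour described above gives administrators a concrete thing to look for on a suspect IIS host: .html, .htm and .asp files that contain a script block referring to readme.eml. The scanner below is an added example written for this article, not code from eWEEK or from any vendor named here. It assumes only what the article states (a script block referencing readme.eml inside web content); the regular expression, the function names and the sample pages are this example's own constructions, and the sample pages are made up for the stand-alone run rather than copied from an infected server.

```python
import os
import re
from pathlib import Path

# Web content types the article says Nimda modifies on a compromised IIS host.
WEB_EXTENSIONS = {".html", ".htm", ".asp"}

# Indicator from the article: a <script> block that references readme.eml.
# This regex is the example's own; it matches the reference, not the worm's
# exact text, so it also catches minor variations in the injected block.
INJECTED_SCRIPT = re.compile(
    r"<script\b[^>]*>.*?readme\.eml.*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def scan_html(text: str) -> bool:
    """Return True if the page carries a script block referencing readme.eml."""
    return INJECTED_SCRIPT.search(text) is not None


def find_injected_pages(root: str) -> list[str]:
    """Walk a web root and return relative paths of pages that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in WEB_EXTENSIONS:
                continue  # only the content types the worm rewrites
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    if scan_html(fh.read()):
                        hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


# Constructed sample content for a stand-alone run (not real worm output).
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
SUSPECT_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<html><script language="JavaScript">'
    'window.open("readme.eml")'
    "</script></html>\n"
)

if __name__ == "__main__":
    import tempfile

    # Build a throwaway web root with one clean page, two rewritten pages and a
    # non-web file that must be ignored even though it contains the indicator.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        Path(root, "index.html").write_text(SUSPECT_PAGE, encoding="utf-8")
        Path(root, "sub", "default.asp").write_text(SUSPECT_PAGE, encoding="utf-8")
        Path(root, "about.htm").write_text(CLEAN_PAGE, encoding="utf-8")
        Path(root, "notes.txt").write_text(SUSPECT_PAGE, encoding="utf-8")
        for rel in find_injected_pages(root):
            print("suspect:", rel)
```

A hit on this scan is a sign the server itself was compromised, not merely a page defacement: the article's point is that the injection follows the worm gaining control of IIS, so a matching file means the rest of the cleanup steps (patching, checking the Guest account and shares, and the reformat-and-reinstall advice below) still apply.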

Besides being aggressive in how it spreads itself, Nimda is also aggressive in how it spreads through an infected system. Once on a system, Nimda makes many changes to the registry, adds numerous files, and infects binaries and documents on the system. If any of these files are opened, Nimda will again begin to spread.

180,000 infected

Security experts at Trend Micro Inc. tracking Nimda said some 180,000 machines worldwide have been infected. The majority of those machines are in the United States, by a ratio of nearly 5-to-1, sources said.

Most security vendors contacted said the spread of the malicious code seems to have leveled off, though some speculated that the reduced appearance of Nimda may be due to large corporate users taking their networks down and disabling Web access for users.

In tests of an infected system, eWEEK Labs saw all of these signs of infection. An updated version of Norton Antivirus detected and removed a large number of infected files, and almost all anti-virus vendors now have versions that detect Nimda.

However, even many of these anti-virus vendors concede that, due to the virulent nature of Nimda, the only way to be certain that a system is clean is to reformat and reinstall the drive. This is also the recommendation for cleaning a system given by ...

Officials at security vendor Network Associates Inc. estimated some 2 million machines could ultimately be infected and cleanup costs could top a half-billion dollars.

CERT's Danyliw said the ability of worms to propagate quickly puts the onus on IT administrators and security services "to patch faster … [and] to get information about vulnerabilities out faster."

He stopped short of blaming weaknesses in Microsoft IIS outright, but said the real solution "is for the software industry to implement better processes that eliminate the holes in software in the first place."

Patches for the primary holes exploited by Nimda have been available for months, security experts said.

"A great debate exists in the security community on whether or not to hold vendors accountable for security flaws in their products," said Dr. Markus De Shon, senior security analyst at SecureWorks, in Atlanta. "Any complex product will have some flaws. A distinction needs to be made between vendors who exert a good faith effort to make a product secure and vendors who demonstrate a reckless disregard for security."

Kevin Baradet, network systems director at Cornell University in Ithaca, N.Y., and an eWEEK Corporate Partner, said the systems under his control remained mostly safe from Nimda because his teams had applied all the patches.

"We're sitting here fairly safe watching it all go by," Baradet said.

"Failure to properly apply [patches] would be the fault of systems admins and security teams," said Craig Rodenberg, information security manager at Data Return Corp., in Irving, Texas. "A software vendor is not going to administer your servers for you.

"Three worms have hit the U.S. in the past six months, all using the same IIS exploits," he added. "In each case, massive numbers of servers were infected because patches were not installed. Now there's a new worm, and people are again surprised to find that their servers are still not patched and are vulnerable."

Most users agree, but some say the task of security is getting to be overwhelming. "You basically have to start planning time into every week to respond to these kinds of things," Baradet said.