F-Secure Anti-Virus detects the worm with updates released on
September 18th, 2001 19:20 EET. Disinfection was added in the
updates from September 19th, 2001 17:12 EET.
For removal instructions, see the bottom of the page.
GENERAL INFORMATION
Nimda is a complex virus with a mass mailing worm component which
spreads itself in attachments named README.EXE. It affects
Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000
users.
Nimda is the first worm to modify existing web sites to start
offering infected files for download. Also it is the first worm
to use normal end user machines to scan for vulnerable web sites.
This technique enables Nimda to easily reach intranet web sites
located behind firewalls - something worms such as Code Red
couldn't directly do.
The actual lifecycle of Nimda can be split into four parts:
1) Infecting files, 2) Mass mailing,
3) Web worm and 4) LAN propagation.
1) File infection
Nimda locates EXE files on the local machine and infects them
by putting the file inside its body as a resource, thus
'assimilating' that file. These files then spread the infection
when people exchange programs such as games.
2) Mass mailer
Nimda locates e-mail addresses via MAPI from your e-mail client
as well as searching local HTML files for additional addresses.
Then it sends one e-mail to each address. These mails contain an
attachment called README.EXE, which might be executed
automatically on some systems.
3) Web worm
Nimda starts to scan the internet, trying to locate www servers.
Once a web server is found, the worm tries to infect it by using
several known security holes. If this succeeds, the worm will
modify random web pages on the site. The end result of this
modification is that web surfers browsing the site will get
automatically infected by the worm.
4) LAN propagation
The worm will search for file shares in the local network, either
from file servers or from end user machines. Once found, it will
drop a hidden file called RICHED20.DLL to any directory which has
DOC and EML files. When other users try to open DOC or EML files
from these directories, Word, Wordpad or Outlook will execute
RICHED20.DLL causing an infection of the PC. The worm will also
infect remote files if it was started on a server.
TECHNICAL DETAILS
First it should be noted that the worm behaves differently when
started from files with different file names and with different
command lines.
Starting on a server:
If the name of the worm's file is ADMIN.DLL, the worm creates a
mutex named 'fsdhqherwqi2001', copies itself as MMC.EXE into the
\Windows\ directory and starts that file with the '-qusery9bnow'
command line. Usually the worm is started as ADMIN.DLL on
infected webservers. In this case the worm starts to scan and
infect files on all available drives, including removable and
network ones. The EXE files (except WINZIP32.EXE) on these drives
get infected with the worm. The infection technique the worm
uses is new: the worm stores the original file inside its own
body as a resource. When the infected file is run, the worm
extracts the embedded original EXE file, runs it and tries to
delete it afterwards. If immediate deletion is not possible, the
worm creates a WININIT.INI file that deletes the extracted file
on the next Windows startup.
The worm also accesses the
[SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads
the subkeys there and infects all files listed in them. The worm
doesn't infect the WinZip32.exe file. The worm also reads the
user's personal folders from the
[Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders] key and infects files in these folders as well.
Then the worm starts to search local hard drives for *.HTML,
*.ASP and *.HTM files. If such files are found, the worm creates
a README.EML file (a multipart message containing the
MIME-encoded worm) in the same directory and adds a small piece
of JavaScript to the end of the files it found. That JavaScript
opens the README.EML file when the infected HTML file is loaded
by a web browser. As a result the MIME-encoded worm is activated
through a security hole and the system gets infected.
The worm's file runs from a minimized window when downloaded from
an infected webserver. This technique affects users who are
browsing the web with Internet Explorer 5.0 or 5.01.
The worm will also put *.EML and *.NWS files in almost all
folders of computers it accesses. A RICHED20.DLL file with the
hidden and system attributes will be put in all folders where DOC
or EML files are located. The worm will also try to replace
Windows' original RICHED20.DLL file with its own copy.
Starting on a workstation:
If the worm is started from a README.EXE file (or from any file
with an EXE extension and more than 5 characters in its name), it
copies itself to the temporary folder under a random name of the
form 'MEP*.TMP' and runs itself from there with the '-dontrunold'
command line option.
When started, the worm loads itself as a DLL library, looks for a
specific resource there and checks its size. If the resource size
is less than 100, the worm unloads itself; otherwise it extracts
the resource to a file and launches it. The size check lets the
worm tell whether it is running from an infected EXE file, which
carries the original program as a resource.
Then the worm gets the current time and generates a random
number. After performing a few arithmetic operations on this
number, the worm checks the result. If the result is bigger than
the worm's counter, the worm starts to search for and delete
README*.EXE files from the temporary folder.
After that the worm prepares its MIME-encoded copy by extracting
a pre-defined multipart MIME message from its body and appending
its MIME-encoded copy to it. The result is written to a file with
a random name in the temporary folder.
The worm then looks for the EXPLORER process, opens it and runs
itself as a remote thread of Explorer. On some platforms the
worm fails to run as Explorer's thread. The worm resolves the
APIs it needs, creates a mutex named 'fsdhqherwqi2001', starts
up Winsock services, gets the infected computer's (host)
information and sleeps for some time.
When resumed, the worm checks what platform it is running on. If
it is running on an NT-based system, it compacts its memory
blocks to occupy less space in memory and copies itself as
LOAD.EXE to the Windows system directory. Then it modifies the
SYSTEM.INI file by adding the following string after the SHELL=
variable in the [Boot] section:
explorer.exe load.exe -dontrunold
This starts the worm's copy every time Windows starts. The worm
also copies itself as RICHED20.DLL to the system folder and sets
the hidden and system attributes on this file as well as on the
LOAD.EXE file. Then the worm enumerates shared network resources
and starts to recursively scan files on remote systems.
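The SYSTEM.INI change above is what step 5 of the disinfection
instructions undoes by hand. As an added example, not part of the
F-Secure description and not F-Secure's F-NIMDA tool, the Python
below reads the [boot] section of a SYSTEM.INI, reports whether
the shell= line carries the worm's 'load.exe -dontrunold'
addition, and returns the text with the line restored to
'explorer.exe'. The INI text is a constructed sample; a real run
would read the file from the Windows directory.

```python
# Added example: detect and undo the SHELL= change Nimda makes in SYSTEM.INI.
# The INI text below is a constructed sample, not a file from a real system.
import re

SAMPLE_SYSTEM_INI = (
    "[boot]\r\n"
    "shell=explorer.exe load.exe -dontrunold\r\n"
    "drivers=mmsystem.dll\r\n"
    "[386Enh]\r\n"
    "device=*vpowerd\r\n"
)

# Matches the suffix the worm appends to the shell= value. Case-insensitive,
# because INI keys and values on Windows are not case sensitive.
NIMDA_SHELL_SUFFIX = re.compile(r"\s+load\.exe\s+-dontrunold\s*$", re.IGNORECASE)


def find_shell_line(ini_text):
    """Return (line_index, value) of the shell= entry in [boot], or (None, None)."""
    section = None
    for index, line in enumerate(ini_text.splitlines()):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section == "boot" and "=" in stripped and not stripped.startswith(";"):
            key, _, value = stripped.partition("=")
            if key.strip().lower() == "shell":
                return index, value.strip()
    return None, None


def is_nimda_shell(value):
    """True if a shell= value carries the worm's 'load.exe -dontrunold' suffix."""
    return value is not None and NIMDA_SHELL_SUFFIX.search(value) is not None


def restore_shell(ini_text):
    """Return (fixed_text, changed); strips the worm's suffix from shell= if present."""
    index, value = find_shell_line(ini_text)
    if not is_nimda_shell(value):
        return ini_text, False
    lines = ini_text.splitlines(keepends=True)   # same line count as splitlines() above
    original = lines[index]
    line_ending = original[len(original.rstrip("\r\n")):]   # keep CRLF or LF as found
    lines[index] = "shell=" + NIMDA_SHELL_SUFFIX.sub("", value) + line_ending
    return "".join(lines), True


if __name__ == "__main__":
    fixed, changed = restore_shell(SAMPLE_SYSTEM_INI)
    print("modified by worm:", changed)
    print(fixed)
```

The function only rewrites the one shell= line and keeps the
rest of the file, including its line endings, untouched, so the
result can be written back over the original after the worm's
LOAD.EXE has been removed.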
When searching for files on remote systems the worm looks for
.DOC and .EML files and then copies its binary image under the
name RICHED20.DLL to the folders where DOC and EML files are
located. The copied DLL file has the system and hidden
attributes. This increases the chances of worm activation on
remote systems: Windows' original RICHED20.DLL component is used
to open OLE files, but the worm's RICHED20.DLL from the current
directory gets launched instead.
Also, when the worm browses the remote computers' directories,
it creates .EML and (rarely) .NWS files that carry the names of
document or web page files it finds on the remote system. These
.EML and .NWS files are the worm's multipart messages with the
worm MIME-encoded inside them. While scanning, the worm can also
delete the .EML and .NWS files it previously created.
The worm doesn't try to infect local or remote EXE files when
started from a workstation.
E-Mail spreading:
The worm searches through all the '.htm' and '.html' files in
the Temporary Internet Files folder for e-mail addresses. It
reads through the user's inbox and collects the sender addresses.
When the address list is ready, it uses its own SMTP engine to
send the infected messages.
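The README.EXE attachment described here and the README.EML
files described in the technical details are both MIME messages,
so they can be checked at a mail gateway or on saved .EML files
before anyone opens them. The Python below is an added example,
not part of the F-Secure description: it parses a message with
the standard library email package and flags an attachment named
README.EXE, any other attachment with an executable extension,
and any part whose decoded payload begins with the 'MZ' marker
of a Windows executable regardless of the Content-Type it
declares (that MZ check is a general heuristic, not something
the description states about Nimda). The message is a
constructed sample whose "attachment" is a harmless stub.

```python
# Added example: flag the attachment pattern described above in a MIME message.
# SAMPLE_EML is constructed; its "attachment" is a harmless stub, not worm code.
import base64
import email
from email import policy

EXEC_EXTENSIONS = (".exe", ".dll", ".com", ".scr", ".pif")

# Constructed stub that only starts with the 'MZ' signature of a Windows EXE.
STUB_EXE = b"MZ" + b"\x00" * 14 + b"constructed-stub-not-a-program"

SAMPLE_EML = (
    "From: someone@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="bnd"\r\n'
    "\r\n"
    "--bnd\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body></body></html>\r\n"
    "--bnd\r\n"
    'Content-Type: application/octet-stream; name="README.EXE"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="README.EXE"\r\n'
    "\r\n"
    + base64.b64encode(STUB_EXE).decode("ascii") + "\r\n"
    "--bnd--\r\n"
)

CLEAN_EML = (
    "From: someone@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: hello\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Just a normal message.\r\n"
)


def inspect_eml(raw_message):
    """Return a list of (reason, filename) findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        filename = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if filename.lower() == "readme.exe":
            findings.append(("attachment named README.EXE", filename))
        elif filename.lower().endswith(EXEC_EXTENSIONS):
            findings.append(("executable attachment", filename))
        if payload.startswith(b"MZ"):
            # The declared type does not matter: the bytes are an EXE image.
            findings.append(("MZ payload declared as " + part.get_content_type(), filename))
    return findings


def is_suspicious(raw_message):
    """True if inspect_eml() reports anything for the message."""
    return bool(inspect_eml(raw_message))


if __name__ == "__main__":
    for reason, name in inspect_eml(SAMPLE_EML):
        print(f"{reason}: {name!r}")
```

Because the worm's own README.EML files are written to disk next
to documents, the same function can be run over every .EML and
.NWS file found during clean-up to separate the worm's messages
from mail a user saved on purpose.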
IIS spreading:
The worm uses backdoors on IIS servers such as the one CodeRed II
installs. It scans random IP addresses for these backdoors. When
a host is found to have one, the worm instructs that machine to
download the worm code (Admin.dll) from the host used for
scanning. After this it executes the worm on the target machine,
infecting it.
Affecting the security:
The worm adjusts the properties of Windows Explorer: it accesses
the [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
key and changes the 'Hidden', 'ShowSuperHidden' and 'HideFileExt'
values. This affects the ability of Windows (especially ME and
2000) to show hidden files, so the worm's files are no longer
visible in Explorer.
After that the worm adds a 'guest' account to the infected
system's account list, activates this account, adds it to the
'Administrators' and 'Guests' groups and shares the C:\ drive
with full access privileges. The worm also deletes all subkeys
from the
[SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
key to disable share security.
Additional information:
The worm has a copyright text string that is never displayed:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It should be noted that the worm has bugs that cause crashes or
prevent it from spreading in certain conditions.
DISINFECTION INSTRUCTIONS
F-Secure Anti-Virus with the latest updates can detect and
disinfect Nimda infections. But full disinfection of the worm
requires some additional manual actions.
The F-NIMDA tool was developed to automate these actions. If
you wish to do them by hand, follow the instructions below.
Otherwise, download F-NIMDA from
If you're running Windows ME, you need to turn off the Autorestore
functionality before starting any disinfection. Do this by
clicking My Computer on desktop, then Performance->File System
->Troubleshooting->Disable System Restore. Turn it back on when done.
To disinfect the worm and restore security of affected workstations,
please follow these instructions:
1. Disable all network sharing or temporarily kill the network.
This is a _must_ as the worm uses the network to spread itself.
2. Scan _all_ files (not just files with selected extensions) on
all local hard drives and clean all infected EXE files using
F-Secure Anti-Virus and the latest updates. It is recommended
that you use one of the latest FSAV versions to remove infection.
3. Delete or rename (if immediate deletion is not possible) all
non-disinfectable or locked files, including the worm droppers
(typically 57kB in size):
MMC.EXE (in Windows directory)
LOAD.EXE (in Windows' system directory)
ADMIN.DLL (in root folder of all local hard drives)
RICHED20.DLL (in all folders on all local hard drives)
All *.EML and *.NWS files (typically 79kB in size) that are
detected as infected with Nimda should be deleted. Note that
you might have clean EML files as well, for example if you've
saved e-mails to file from Outlook Express, so only delete
files that FSAV detects as infected.
If an infected file is locked by Windows, complete the
disinfection, exit to pure DOS or boot your system from a clean
system diskette and rename/delete the file manually. On NT/2000
based systems the locked file(s) should be renamed with a
non-executable extension to ensure they don't start when Windows
is booted next time.
4. Restart the system. Do not connect it to the network yet. It
is advised to scan all files on all local drives with FSAV again
to ensure that there are no more infected files on the system.
5. Locate the SYSTEM.INI file in your Windows directory and open
it with Wordpad or Notepad. Replace the string "shell=explorer.exe
load.exe -dontrunold" with the string "shell=explorer.exe".
6. Delete all files with .TMP extensions from your local
temporary directories - typically \Temp\ or \Windows\Temp\ or
\documents and settings\username\local settings\temp.
7. Copy a clean RICHED20.DLL file to \Windows\System\ or
\WinNT\System32\ folders. This DLL file is used by many
applications and they won't run if this DLL is missing.
You can take a clean RICHED20.DLL file from a clean
Windows machine, or extract it from the Office 2000 CD
with this command:
8. Remove all shares from all local hard drives and renew these
shares with correct access rights if needed. This needs to be
done because the worm affects shares security. Check especially
the \\localhost\c$ share rights.
9. Remove 'Guest' account and renew it with correct access rights
and group placement ('Guest' account should not be in
'Administrators' group).
10. Check all *.HTML, *.ASP and *.HTM files, as well as files
that have the words 'DEFAULT', 'INDEX', 'MAIN' or 'README' in
their names, for the small JavaScript code referring to the
README.EML file, and remove it or restore the affected files from
a backup. This JavaScript code is located at the very end of the
affected files.
11. When cleaning a webserver from Nimda, the CodeRed II backdoor
infections should be removed as well. Please refer to 'CodeRed'
description and cleaning instructions.
12. Correct Windows Explorer's settings for displaying hidden
files and certain extensions if necessary, as the worm makes
Explorer hide certain files and extensions.
13. Restore network connections only after all workstations are
disinfected, or the worm will re-infect already clean computers!
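Step 3 above and the LAN propagation section of the technical
details together give a list of file names and locations to look
for. As an added example, not part of the F-Secure description
and not the F-NIMDA tool, the Python below sweeps a directory
tree for exactly those: MMC.EXE in the Windows directory,
LOAD.EXE in the system directory, ADMIN.DLL in a drive root,
RICHED20.DLL in any folder other than the system directory, and
.EML/.NWS files, separately marking those that share their name
with a .DOC/.HTM/.HTML file in the same folder (the naming the
technical details describe). It builds a constructed temporary
tree to run against; the Windows and system directory locations
are parameters. The hidden/system attributes and the 57kB/79kB
sizes the instructions mention are not checked, so the output is
a triage list to confirm with FSAV, not a verdict.

```python
# Added example: triage sweep for the file names Nimda drops. It walks a tree
# and reports by name and location only; the sample tree is constructed here.
import os
import tempfile
from pathlib import Path

DOCUMENT_EXTENSIONS = (".doc", ".htm", ".html")
MESSAGE_EXTENSIONS = (".eml", ".nws")


def sweep(root, windows_dir, system_dir):
    """Walk `root`; return a sorted list of (indicator, path) for suspicious files."""
    root = Path(root).resolve()
    windows_dir = Path(windows_dir).resolve()
    system_dir = Path(system_dir).resolve()
    findings = []
    for dirpath, _, filenames in os.walk(root):
        folder = Path(dirpath)
        # Names (without extension) of documents in this folder: the worm gives
        # its .EML/.NWS files the names of documents it finds next to them.
        document_stems = {Path(n).stem.lower() for n in filenames
                          if n.lower().endswith(DOCUMENT_EXTENSIONS)}
        for name in filenames:
            low = name.lower()
            path = str(folder / name)
            if low == "riched20.dll" and folder != system_dir:
                findings.append(("riched20.dll outside system dir", path))
            elif low == "mmc.exe" and folder == windows_dir:
                findings.append(("dropper mmc.exe in Windows dir", path))
            elif low == "load.exe" and folder == system_dir:
                findings.append(("dropper load.exe in system dir", path))
            elif low == "admin.dll" and folder == root:
                findings.append(("dropper admin.dll in drive root", path))
            elif low.endswith(MESSAGE_EXTENSIONS):
                if Path(name).stem.lower() in document_stems:
                    findings.append(("message file named after a document", path))
                else:
                    findings.append(("message file to review", path))
    return sorted(findings)


def build_sample_tree():
    """Construct a small tree that mimics an infected drive; returns (root, windows, system)."""
    root = Path(tempfile.mkdtemp(prefix="nimda_sweep_"))
    windows = root / "WINNT"
    system = windows / "system32"
    docs = root / "docs"
    for folder in (system, docs, root / "mail"):
        folder.mkdir(parents=True)
    (root / "ADMIN.DLL").write_bytes(b"constructed")
    (windows / "MMC.EXE").write_bytes(b"constructed")
    (system / "LOAD.EXE").write_bytes(b"constructed")
    (system / "RICHED20.DLL").write_bytes(b"constructed")   # expected location; compare with a clean copy
    (docs / "report.doc").write_bytes(b"constructed")
    (docs / "report.eml").write_bytes(b"constructed")       # named after report.doc
    (docs / "RICHED20.DLL").write_bytes(b"constructed")     # dropped next to the document
    (root / "mail" / "saved.eml").write_bytes(b"constructed")   # a user's own saved mail
    return root, windows, system


def demo_indicators():
    """Run the sweep on the constructed tree and return only the indicator labels."""
    root, windows, system = build_sample_tree()
    return [indicator for indicator, _ in sweep(root, windows, system)]


if __name__ == "__main__":
    sample_root, sample_windows, sample_system = build_sample_tree()
    for indicator, path in sweep(sample_root, sample_windows, sample_system):
        print(f"{indicator}: {path}")
```

The RICHED20.DLL that sits in the system directory is not
reported by name, since a clean system has one there too; step 7
covers replacing it from a known-good copy.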
ABOUT INFECTED WEB SITES
A web site can get infected in two ways:
1) Infected HTML files are copied to the secure site. This can happen
even if you're using a patched version of IIS or something else
entirely (such as Apache or Netscape). If there are infected computers
in your organization, their local HTML files get infected. Users might
then later copy or upload such infected pages to your www server.
Alternatively, if your www files are accessible via file sharing,
the worm might infect them directly from a workstation. To clean your
site, locate all HTML pages which refer to "README.EML" and remove the
extra JavaScript code from the end of the pages.
2) Direct web worm infection. If your web site is running an unsafe
version of IIS, the worm can infect your site by accessing it over
HTTP. After this it will continue spreading from your server. In this
case it is not enough to just clean the virus: your web server is
unsafe and has been so for a while. It is likely there have been
previous illegitimate accesses to your site as well, and it should be
considered compromised. We recommend rebuilding the web server and
applying the latest patches before restoring clean copies of the HTML
pages.
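Both the clean-up described in case 1) above and step 10 of the
disinfection instructions come down to the same job: find every
page that ends with the small script referring to README.EML and
cut it off. The Python below is an added example, not part of
the F-Secure description and not the F-NIMDA tool. It matches a
trailing <script> block that mentions README.EML (optionally
wrapped in a stray <html>...</html> pair), checks files by the
extensions and name words step 10 lists, and can rewrite the
files in place. The HTML is a constructed sample in the shape
the description gives, not the worm's actual code; the script
text and the window.open call in it are assumptions.

```python
# Added example: find and strip the trailing README.EML script from web pages.
# The HTML below is a constructed sample in the shape the description gives.
import os
import re
import tempfile

# Name words step 10 of the disinfection instructions says to check as well.
NAME_HINTS = ("default", "index", "main", "readme")
PAGE_EXTENSIONS = (".htm", ".html", ".asp")

# A <script> block that mentions README.EML (optionally wrapped in a stray
# <html>...</html> pair) sitting at the very end of the file.
TRAILING_EML_SCRIPT = re.compile(
    r"(?:<html>\s*)?<script\b[^>]*>[^<]*readme\.eml[^<]*</script>\s*(?:</html>\s*)?\Z",
    re.IGNORECASE,
)

CLEAN_HTML = "<html><body><h1>Welcome</h1><p>Site content.</p></body></html>\n"
INFECTED_HTML = (
    CLEAN_HTML
    + '<html><script language="JavaScript">window.open("README.EML")</script></html>'
)


def references_readme_eml(html_text):
    """True if the page ends with a script block that refers to README.EML."""
    return TRAILING_EML_SCRIPT.search(html_text) is not None


def strip_readme_eml_script(html_text):
    """Return (cleaned_text, removed) with the trailing README.EML script cut off."""
    cleaned, count = TRAILING_EML_SCRIPT.subn("", html_text)
    return cleaned, count > 0


def candidate_file(name):
    """Pages by extension, plus any file whose name carries one of the hint words."""
    low = name.lower()
    return low.endswith(PAGE_EXTENSIONS) or any(hint in low for hint in NAME_HINTS)


def scan_web_root(root, fix=False):
    """Return paths under `root` carrying the script; with fix=True, strip it in place."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not candidate_file(name):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips any byte sequence; newline="" keeps line endings.
            with open(path, "r", encoding="latin-1", newline="") as handle:
                text = handle.read()
            cleaned, removed = strip_readme_eml_script(text)
            if removed:
                hits.append(path)
                if fix:
                    with open(path, "w", encoding="latin-1", newline="") as handle:
                        handle.write(cleaned)
    return sorted(hits)


def demo():
    """Build a constructed web root, scan and fix it, rescan; returns both hit lists."""
    root = tempfile.mkdtemp(prefix="nimda_html_")
    samples = {
        "index.html": INFECTED_HTML,
        "about.htm": CLEAN_HTML,
        "readme.txt": INFECTED_HTML,     # caught via the 'readme' name hint
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1", newline="") as handle:
            handle.write(content)
    before = [os.path.basename(p) for p in scan_web_root(root, fix=True)]
    after = scan_web_root(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run without fix=True first to get the list of affected pages;
for a server in case 2) that list is evidence, and the pages
should be restored from backup after the rebuild rather than
edited in place.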
Remember, F-Secure Management Server 4.x uses IIS as a web server
platform. Keep them patched. F-Secure Policy Manager Server 5.0 and
higher do NOT use IIS.
IMPORTANT NOTE
Around 15:00 GMT on 11th of October, 2001, hundreds of e-mails infected with
Nimda.A were sent to various addresses around the world. These e-mails looked like
they were sent by "mikko.hypponen@datafellows.com" (do note that F-Secure used to
be called datafellows.com; the company name and domain were changed in early 2000).
Mr. Mikko Hypponen is our Manager of Anti-Virus Research. He naturally had
nothing to do with this incident. These e-mails were apparently sent from an
infected machine located somewhere in Canada.