Nimda

Malicious file infecting computer worm

Nimda
Technical name	Avast: Win32:Nimda Avira: W32/Nimda.eml BitDefender: Win32.Nimda.A@mm ClamAV: W32.Nimda.eml Eset: Win32/Nimda.A Grisoft: I-Worm/Nimda Kaspersky: Net-Worm.Win32.Nimda or I-Worm.Nimda McAfee: Exploit-MIME.gen.ex Sophos: W32/Nimda-A Symantec: W32.Nimda.A@mm
Type	Multi-vector worm
Origin	China (alleged)
Authors	Multiple authors; one serving prison time^[1]
Technical details
Platform	Windows 95 – XP
Written in	C++^[2]

The Nimda virus is a malicious file-infecting computer worm.

The first released advisory about this threat (worm) was released on September 18, 2001.

Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000, or XP and servers running Windows NT and 2000.^[3]

The worm's name comes from the reversed spelling of "admin".^[1]

F-Secure found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin. However, they also noted that a computer in Canada was responsible for an October 11, 2001 release of infected emails alleging to be from Mikko Hyppönen and Data Fellows (F-Secure's previous name).^[4]

Methods of infection

Nimda proved effective partially because it—unlike other infamous malware like Code Red—uses five different infection vectors:

Email
Open network shares
Browsing of compromised web sites
Exploitation of various Internet Information Services (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS Server.^[5])
Back doors left behind by the "Code Red II" and "sadmind/IIS" worms.^[6]

References

^ ^a ^b "Ten years on from Nimda". TheRegister.com. September 17, 2011. Retrieved October 27, 2020.
^ "Information about the Network Worm "Nimda"". Kaspersky Lab. Kaspersky.com. September 18, 2001. Archived from the original on August 7, 2016. Retrieved June 4, 2016.
^ "CA-2001-26: Nimda Worm". CERT Coordination Center. Carnegie Mellon University. September 18, 2001. Archived from the original on February 26, 2014.
^ "Net-Worm: W32/Nimda Description". F-Secure Labs. F-secure.com. Retrieved June 4, 2016.
^ "Kurt Seifried - LASG / Introduction to security". Seifried.org. Retrieved June 4, 2016.
^ Chen, Thomas M.; Robert, Jean-Marc (2004). "The Evolution of Viruses and Worms". In Chen, William W.S (ed.). Statistical Methods in Computer Security. doi:10.1201/9781420030884. ISBN 9780429131615.

External links

Cert advisory on Nimda
Antivirus vendor F-Secure's info on Nimda

Hacking in the 2000s

← 1990s

Timeline

2010s →

Incidents

2004	Titan Rain (2003–2006) Operation Firewall
2005	Sony BMG copy protection rootkit scandal
2007	Cyberattacks on Estonia Operation: Bot Roast
2008	Project Chanology Cyberattacks on Georgia Sarah Palin email hack US military cyberattack
2009	Operation Troy Operation Aurora (findings published in 2010) WebcamGate (2008–2010)

Groups

Ac1db1tch3z
Anonymous
- associated events
Avalanche
GNAA
0x1fe
GhostNet
Level Seven
PLA Unit 61398
RBN
ShadowCrew
World of Hell
Sandworm

Individuals

Darknets

Bluehell IRC

Hacking forums

ryan1918
unkn0wn.eu
darksun.ws

Vulnerabilities
discovered

Malware

2000	ILOVEYOU Pikachu
2001	Anna Kournikova Code Red Nimda Klez
2002	Simile
2003	SQL Slammer Welchia Sobig Gruel Graybird Blaster
2004	Bagle NetSky Sasser Mydoom
2005	PGPCoder Samy Sony rootkit
2006	Rustock ZLOB Clickbot Stration
2007	Storm ZeuS Black Energy 1
2008	Asprox Agent.btz Mariposa
2009	Conficker Koobface Waledac