Nimda

{{short description|Malicious file infecting computer worm}}

{{ infobox computer virus

| Fullname = Nimda Virus

| Common name =

| Technical name = Avast: Win32:Nimda
Avira: W32/Nimda.eml
BitDefender: Win32.Nimda.A@mm
ClamAV: W32.Nimda.eml
Eset: Win32/Nimda.A
Grisoft: I-Worm/Nimda
Kaspersky: Net-Worm.Win32.Nimda or I-Worm.Nimda
McAfee: Exploit-MIME.gen.ex
Sophos: W32/Nimda-A
Symantec: W32.Nimda.A@mm

| Aliases =

| Family =

| Classification =

| Type = Multi-vector worm

| Subtype =

| IsolationDate =

| Origin = China (alleged)

| Author = Multiple authors; one serving prison time<ref>{{cite web|url=https://www.theregister.com/2011/09/17/nimda_anniversary/|title=Ten years on from Nimda|publisher=TheRegister.com|access-date=October 27, 2020|date=September 17, 2011}}</ref>

| Ports used =

| OSes = Windows 95 to XP

| Filesize =

| Language = C++<ref>{{cite web|url=http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|title=Information about the Network Worm "Nimda"|work=Kaspersky Lab|publisher=Kaspersky.com|date=September 18, 2001|access-date=June 4, 2016|archive-url=https://web.archive.org/web/20160807233000/http://www.kaspersky.com/about/news/virus/2001/Information_about_the_Network_Worm_Nimda_|archive-date=August 7, 2016}}</ref>

}}

The Nimda virus is a malicious file-infecting computer worm.

The first advisory about this worm was released on September 18, 2001.

Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000, or XP and servers running Windows NT and 2000.<ref>{{cite web|url=https://www.cert.org/historical/advisories/CA-2001-26.cfm|title=CA-2001-26: Nimda Worm|website=CERT Coordination Center|publisher=Carnegie Mellon University|date=September 18, 2001|archive-url=https://web.archive.org/web/20140226175440/https://www.cert.org/historical/advisories/CA-2001-26.cfm|archive-date=February 26, 2014|url-status=dead}}</ref>

The worm's name comes from the reversed spelling of "admin".

F-Secure found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin. However, they also noted that a computer in Canada was responsible for an October 11, 2001 release of infected emails purporting to be from Mikko Hyppönen and Data Fellows (F-Secure's previous name).<ref>{{cite web|url=http://www.f-secure.com/v-descs/nimda.shtml|title=Net-Worm: W32/Nimda Description|work=F-Secure Labs|publisher=F-secure.com|access-date=June 4, 2016}}</ref>

== Methods of infection ==

Nimda proved effective partly because, unlike other infamous malware such as Code Red, it uses five different infection vectors:

* Email
* Open network shares
* Browsing of compromised web sites
* Exploitation of various Internet Information Services (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful in exploiting well-known and long-patched vulnerabilities in Microsoft IIS.<ref>{{cite web|url=http://seifried.org/lasg/introduction-to-security/|title=Kurt Seifried - LASG / Introduction to security|publisher=Seifried.org|access-date=June 4, 2016}}</ref>)
* Back doors left behind by the "Code Red II" and "sadmind/IIS" worms.<ref>{{Cite book|last1=Chen|first1=Thomas M.|chapter-url=https://www.taylorfrancis.com/chapters/edit/10.1201/9781420030884-19/evolution-viruses-worms-thomas-chen-jean-marc-robert|title=Statistical Methods in Computer Security|last2=Robert|first2=Jean-Marc|editor-first1=William W.S |editor-last1=Chen |chapter=The Evolution of Viruses and Worms |year=2004 |isbn=9780429131615|doi=10.1201/9781420030884 }}</ref>
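The IIS directory traversal vector above is the one a defender can most readily spot in web server logs, because the request has to carry an encoded "climb out of the web root" sequence. The following is an added example, not code from the article or from any vendor named in it: it normalizes request paths (repeated percent-decoding to catch double encoding, backslash-to-slash conversion) and flags any path whose resolved `..` segments climb above the document root. The log layout (a simplified W3C-style date, time, client IP, method, URI, status) and every log line are constructed for the example; the encoded sequences are generic traversal encodings, not Nimda's actual request strings.

```python
import re
from urllib.parse import unquote

# Constructed sample log, simplified W3C extended format:
# date time client-ip method uri-stem status. Not real Nimda traffic.
SAMPLE_LOG = """\
2001-09-18 10:00:01 192.0.2.10 GET /index.html 200
2001-09-18 10:00:02 192.0.2.11 GET /scripts/..%2f..%2fprotected/secret.txt 200
2001-09-18 10:00:03 192.0.2.12 GET /images/logo.gif 200
2001-09-18 10:00:04 192.0.2.13 GET /scripts/..%255c..%255cprotected/secret.txt 404
2001-09-18 10:00:05 192.0.2.14 GET /cgi/..%5c..%5c..%5cprotected/secret.txt 200
2001-09-18 10:00:06 192.0.2.15 GET /docs/../index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (defeats double
    encoding such as %255c -> %5c -> \\) and unify path separators, since
    IIS treats a backslash as a directory separator."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_web_root(path: str) -> bool:
    """Walk the path segments and track depth below the document root.
    A '..' that takes depth negative means the request tried to leave the
    web root; '/docs/../index.html' stays inside and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal_requests(log_text: str) -> list:
    """Return one record per log line whose normalized URI escapes the root.
    A 200 status on a flagged request deserves the highest priority, because
    it suggests the server actually served the traversed path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        _date, _time, client_ip, _method, uri, status = m.groups()
        norm = normalize_path(uri)
        if escapes_web_root(norm):
            hits.append({
                "client_ip": client_ip,
                "uri": uri,
                "normalized": norm,
                "status": int(status),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['client_ip']} {hit['status']} {hit['uri']} -> {hit['normalized']}")
```

Running the block against the constructed log flags the three encoded traversal requests and leaves the ordinary requests alone, including `/docs/../index.html`, which contains `..` but never leaves the root. Decoding to a fixed point before inspecting the path is the important design choice: a filter that only looks for a literal `../` misses the single- and double-encoded variants entirely.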

== See also ==

== References ==

{{reflist}}