Nimda
Malicious file infecting computer worm
| Technical name | Avast: Win32:Nimda Avira: W32/Nimda.eml BitDefender: Win32.Nimda.A@mm ClamAV: W32.Nimda.eml Eset: Win32/Nimda.A Grisoft: I-Worm/Nimda Kaspersky: Net-Worm.Win32.Nimda or I-Worm.Nimda McAfee: Exploit-MIME.gen.ex Sophos: W32/Nimda-A Symantec: W32.Nimda.A@mm |
|---|---|
| Type | Multi-vector worm |
| Point of origin | China (alleged) |
| Author(s) | Multiple authors; one serving prison time [1] |
| Operating system(s) affected | Windows 95 – XP |
| Written in | C++[2] |
The Nimda virus is a malicious file-infecting computer worm. It quickly spread, surpassing the economic damage[citation needed] caused by previous outbreaks such as Code Red.
The first released advisory about this threat (worm) was released on September 18, 2001.[3] Due to the release date, exactly one week after the attacks on the World Trade Center and Pentagon, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.[citation needed]
Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000, or XP and servers running Windows NT and 2000.[3]
The worm's name comes from the reversed spelling of "admin".[citation needed]
F-Secure found the text "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code, suggesting its country of origin. However, they also noted that a computer in Canada was responsible for an October 11, 2001 release of infected emails alleging to be from Mikko Hyppönen and Data Fellows (F-Secure's previous name).[4]
Methods of infection
Nimda proved effective partially because it—unlike other infamous malware like Code Red—uses five different infection vectors:
- Open network shares
- Browsing of compromised web sites
- Exploitation of various Internet Information Services (IIS) 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS Server.[5])
- Back doors left behind by the "Code Red II" and "sadmind/IIS" worms.[6]
See also
References
- ^ "Ten years on from Nimda". TheRegister.com. September 17, 2011. Retrieved October 27, 2020.
- ^ "Information about the Network Worm "Nimda"". Kaspersky Lab. Kaspersky.com. September 18, 2001. Archived from the original on August 7, 2016. Retrieved June 4, 2016.
- ^ a b "CA-2001-26: Nimda Worm". CERT Coordination Center. Carnegie Mellon University. September 18, 2001. Archived from the original on February 26, 2014.
- ^ "Net-Worm: W32/Nimda Description". F-Secure Labs. F-secure.com. Retrieved June 4, 2016.
- ^ "Kurt Seifried - LASG / Introduction to security". Seifried.org. Retrieved June 4, 2016.
- ^ Chen, Thomas M.; Robert, Jean-Marc (2004). "The Evolution of Viruses and Worms". In Chen, William W.S (ed.). Statistical Methods in Computer Security. doi:10.1201/9781420030884. ISBN 9780429131615.
External links
- Cert advisory on Nimda
- Antivirus vendor F-Secure's info on Nimda
- v
- t
- e
Hacking in the 2000s
| ← 1990s | Timeline | 2010s → |
| 2004 |
|
|---|---|
| 2005 | |
| 2007 |
|
| 2008 | |
| 2009 |
|
- Anonymous
- Avalanche
- GNAA
- 0x1fe
- GhostNet
- PLA Unit 61398
- RBN
- ShadowCrew
- TeamLoosh
- World of Hell
- Sandworm
- AKill
- Jeanson James Ancheta
- SilenZ
- Dshocker
- Digerati
- str0ke (milw0rm)
- Lil Hacker
- BadB
- camZero
- Coolio
- Cyxymu
- diabl0
- Albert Gonzalez
- Sven Jaschan
- Dan Kaminsky
- Samy Kamkar
- Dmitry Sklyarov
- Stakkato
- Bluehell IRC
- ryan1918
- unkn0wn.eu
- darksun.ws
discovered
- Shatter attack (2002)
- Kaminsky DNS cache poisoning (2008)
- sslstrip (2009)
| 2000 | |
|---|---|
| 2001 |
|
| 2002 |
|
| 2003 |
|
| 2004 |
|
| 2005 |
|
| 2006 | |
| 2007 |
|
| 2008 | |
| 2009 |
