
"Nimda" Is Breeding

October 30, 2001


5 modifications of the worm have already been detected

Since "Nimda" was discovered on September 18, 2001, Kaspersky Lab has detected five more modifications of this network worm. Some of them have already been seen "in the wild", but fortunately none of them has caused an epidemic comparable to the original one. Kaspersky Lab recommends that users carefully read the descriptions of the recently discovered Nimda modifications and download the latest Kaspersky Anti-Virus database updates to prevent infection.

Nimda.a

The original worm discovered on September 18, 2001.

"Nimda" penetrates a computer in several different ways:

First of all, via e-mail: an infected e-mail in HTML format, containing several embedded objects, arrives on the target computer. Upon viewing the e-mail, one of the objects (named README.EXE, about 57 KB in size) is executed automatically without the user's knowledge. To accomplish this, the worm exploits a breach in Internet Explorer's security that was first detected in March of this year.

Secondly, while browsing infected Web sites: in place of the original page, the user is shown a modified version containing a malicious Java program, which downloads and launches a copy of "Nimda" on the visiting computer using the aforementioned breach.

Thirdly, via the local network: the worm scans all accessible network resources and drops thousands of copies of itself there, on the assumption that a user who finds the file on a disk or server will open it and thereby infect his or her own computer.

In addition to penetrating workstations, "Nimda" also attacks Web servers running Microsoft Internet Information Server (IIS). To do this, it exploits a breach in IIS known as "Web Server Folder Traversal", described in the corresponding Microsoft security bulletin.
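The folder-traversal attack on IIS and the worm file names listed on this page both leave traces in Web server logs. The following is an added detection example, not code from Kaspersky or from this release: it assumes W3C extended log lines (date time c-ip cs-method cs-uri-stem ...), decodes each request path the way a lenient server would (including double percent-encoding and overlong UTF-8 forms of the path separators), and flags traversal attempts and requests for the file names named in the descriptions above. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# File names the press release attributes to the Nimda family (all variants).
NIMDA_FILE_NAMES = {"readme.exe", "readme.eml", "puta!!.scr", "puta!!.eml",
                    "sample.exe", "admin.dll", "httpodbc.dll", "cool.dll"}

# Overlong two-byte UTF-8 (lead byte C0/C1) spells ASCII in a form a naive
# decoder accepts; fold it back to the single byte it stands for.
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def normalize_uri(raw: str) -> str:
    """Decode a request path as a lenient server might, exposing hidden '..'."""
    data = unquote_to_bytes(unquote_to_bytes(raw))  # two passes: double encoding
    data = _OVERLONG.sub(
        lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]),
        data)
    return data.decode("latin-1").replace("\\", "/").lower()

def classify_request(uri_stem: str):
    """Label one cs-uri-stem value, or return None if nothing stands out."""
    path = normalize_uri(uri_stem)
    if ".." in path.split("/"):
        return "folder-traversal"
    if path.rsplit("/", 1)[-1] in NIMDA_FILE_NAMES:
        return "nimda-filename"
    return None

def scan_iis_log(lines: list) -> list:
    """Scan W3C-style lines (date time c-ip cs-method cs-uri-stem ...) and
    return (client-ip, uri-stem, label) for each suspicious request."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        label = classify_request(fields[4])
        if label:
            findings.append((fields[2], fields[4], label))
    return findings

# Constructed sample lines (not real traffic) in W3C extended log format.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-18 10:15:02 192.0.2.10 GET /index.htm - 200",
    "2001-09-18 10:15:03 192.0.2.10 GET /readme.eml - 200",
    "2001-09-18 10:15:04 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/ - 404",
    "2001-09-18 10:15:05 198.51.100.7 GET /scripts/..%255c../winnt/ - 404",
    "2001-09-18 10:15:06 198.51.100.7 GET /scripts/ADMIN.DLL - 404",
]
```

Running `scan_iis_log(SAMPLE_LOG)` reports the README.EML download, both traversal attempts and the ADMIN.DLL request, while the plain page request is left alone.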

Nimda.b

A slightly modified version of the original "Nimda" worm, compressed with the PCShrink utility. The file names "README.EXE" and "README.EML" are replaced with "PUTA!!.SCR" and "PUTA!!.EML".

Nimda.c

This is exactly the original "Nimda" worm, but compressed with the UPX compressor.

Nimda.d

A slightly modified version of the original "Nimda" worm, compressed with the PECompact utility. The only difference from the original worm is that the "copyright" text strings are patched in this version with the following text: "HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain".

Nimda.e

This is a recompiled "Nimda" variant with several subroutines fixed and optimized. This variant was found in the wild at the end of October 2001. The visible differences from the original worm version are:

The attached file name: SAMPLE.EXE (instead of README.EXE)
The DLL files: HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)

The "copyright" text is replaced with:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)

A more detailed description of the worm is available in the Kaspersky Virus Encyclopedia.

Defense procedures thwarting all known modifications of "Nimda" have already been added to the Kaspersky Anti-Virus database update.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services that protect businesses, critical infrastructure, governments and consumers around the globe. The company's comprehensive portfolio includes leading endpoint protection products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.es.
