A new worm, dubbed Nimda ("admin" spelled backwards), has been spreading rapidly across the Internet, affecting both businesses and home users. The worm spreads by exploiting vulnerabilities in unpatched installations of Outlook, Microsoft Internet Explorer (IE), and Microsoft IIS, and it uses several infection vectors at once, so a system closed to one route can still be hit by another.
Nimda can arrive as an email message with a file attachment named readme.exe. The message body might appear to be blank, but the attachment is declared with a MIME type that IE's mail-rendering code executes automatically (the flaw Microsoft patched in MS01-020), so simply viewing or previewing the message on an unpatched system activates the worm. On activation, the worm copies itself into the system directory as load.exe and drops a copy of itself as riched20.dll, the rich-text DLL that WordPad and other applications load, so that opening a document can execute the worm again. Nimda also modifies system.ini so that load.exe runs each time the system reboots (the shell= line in the [boot] section becomes "explorer.exe load.exe -dontrunold").
Nimda uses Messaging API (MAPI) calls to harvest the email addresses stored on the infected system and sends itself to all of them through its own built-in SMTP engine, so the copies never pass through the user's mail client or server logs. Nimda also enables the Guest account with a blank password, adds it to the local Administrators group, and creates a share on each infected system that exposes the C: drive; over such shares the worm copies itself to other machines on the network. Cleaning an infected system therefore means more than removing the worm files: remove Guest from the Administrators group, disable the account, and delete the share it created.
Nimda also appends a line of JavaScript to every .htm, .html, and .asp file it can reach on an infected Web server, so that a visitor's browser opens a copy of the worm saved as readme.eml. The following command, run at a command prompt from the root of the Web content directory, renames each page to a .old copy and writes back every line that does not contain the readme.eml reference:

```batch
for /R %f in (*.htm *.html *.asp) do ren "%f" "%~nf.old" & findstr /L /V "readme.eml" "%~dpnf.old" >"%f"
```

This is the interactive form; in a batch file, double each percent sign (%%f). The findstr /L /V switches match the string literally and print only the lines that do not contain it, so any line the worm added is dropped. The command rewrites every page, including clean ones, so test it on a copy of the site, check that no legitimate page referenced readme.eml, and delete the .old files once the result is verified.
Last week, Microsoft released its new URLScan IIS filter, which, as it turns out, prevents infection from Nimda. URLScan is flexible and highly configurable: administrators can make it reject any request containing high-bit (non-ASCII) characters, any URL that decodes differently when decoded a second time, and any URL that contains sequences such as ".." or asks for an executable. Nimda's attacks on IIS rely on exactly those tricks (the Unicode and double-decode directory-traversal flaws in IIS, plus requests for the root.exe and cmd.exe copies that Code Red II left behind), so URLScan blocks them nicely. The filter is available on the Microsoft Web site. Note that URLScan only screens requests; it does not patch the underlying flaws and does nothing for a system that is already infected, so the IIS patches should still be applied.
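To show what those URLScan settings actually test, here is an added example in Python; it is not Microsoft's URLScan code and does not come from this article. It re-implements the checks behind the urlscan.ini options VerifyNormalization, AllowHighBitCharacters=0, DenyUrlSequences, and DenyExtensions, and replays them over constructed IIS log lines. The timestamps, client address, function names, and the W3C log layout are my own assumptions; only the request paths are the probe strings Nimda is known to send.

```python
"""URLScan-style request screening, replayed over constructed IIS log lines.

Added example: this is not Microsoft's URLScan code. It re-implements the
checks that the relevant urlscan.ini settings perform (VerifyNormalization,
AllowHighBitCharacters=0, DenyUrlSequences, DenyExtensions) so that the
probes Nimda sends to IIS can be seen being rejected.
"""
import os
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Defaults shipped in urlscan.ini for DenyUrlSequences, and the part of the
# default DenyExtensions list that matters for this demo.
DENY_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
DENY_EXTENSIONS = (".exe", ".bat", ".cmd", ".com", ".dll")

# Constructed W3C-format IIS log lines (assumed layout): date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status. Timestamps and the client
# address are made up; the request paths are the probes Nimda is known to
# send: the root.exe and cmd.exe copies left behind by Code Red II, the
# double-decode traversal (%255c), the Unicode traversals (%c1%1c, %c0%af),
# and a plain single-encoded traversal (%2e%2e).
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.44 GET /default.htm - 200
2001-09-18 14:02:12 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:14 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:15 192.0.2.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:16 192.0.2.44 GET /_vti_bin/..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:17 192.0.2.44 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def screen_request(uri_stem: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request path, in the order URLScan checks.

    1. NormalizeUrlBeforeScan/VerifyNormalization: decode once, then decode
       again; if the second pass changes anything the URL was double-encoded
       (the %255c trick used against the IIS double-decode flaw).
    2. AllowHighBitCharacters=0: any byte >= 0x80 after decoding is rejected,
       which stops the overlong UTF-8 sequences (%c0%af, %c1%1c) that IIS
       mis-decoded as '/' and '\\' in the Unicode traversal flaw.
    3. DenyUrlSequences: literal sequences that have no business in a URL,
       checked after decoding so %2e%2e cannot hide a "..".
    4. DenyExtensions: executables are never served or invoked.
    """
    once = unquote_to_bytes(uri_stem)
    if unquote_to_bytes(once) != once:
        return False, "double-encoded URL (VerifyNormalization)"
    if any(b >= 0x80 for b in once):
        return False, "high-bit character (AllowHighBitCharacters=0)"
    path = once.decode("latin-1")
    for seq in DENY_SEQUENCES:
        if seq in path:
            return False, "denied sequence %r (DenyUrlSequences)" % seq
    ext = os.path.splitext(path)[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, "denied extension %s (DenyExtensions)" % ext
    return True, "ok"


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Parse W3C-style lines and return (client ip, uri stem, reason) for every
    request URLScan would have rejected, whatever status IIS actually returned.
    """
    rejected = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue
        _date, _time, client_ip, _method, uri_stem, _query, _status = m.groups()
        allowed, reason = screen_request(uri_stem)
        if not allowed:
            rejected.append((client_ip, uri_stem, reason))
    return rejected


if __name__ == "__main__":
    for client_ip, uri_stem, reason in scan_log(SAMPLE_LOG):
        print("%s %s -> %s" % (client_ip, uri_stem, reason))
```

Run against the sample, only /default.htm survives: the two Code Red II leftovers fall to DenyExtensions, the %255c request fails the normalization check, the two Unicode traversals are rejected for high-bit bytes, and the %2e%2e request is caught as ".." only because the sequence check runs after decoding. Real IIS logs record the decoded path, so a scanner run over production logs should feed the raw request line rather than the cs-uri-stem field when the goal is to spot double encoding.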
Microsoft also posted specific information about the Nimda worm that details the actions to take on infected systems. The document includes a list of the patches Nimda's vectors depend on (some of them more than a year old) and procedures to apply to prevent similar problems in the future; the age of those patches is the real lesson, since every system Nimda reached was one where a known fix had not been installed.