Class: Net-Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate.

Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass.

The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources). Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated.

Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread. This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected e-mails, copies itself to shared directories over a local network, and also attacks vulnerable IIS machines (Web sites). The worm itself is a Windows PE EXE file about 57 KB in length, and is written in Microsoft C++.

In order to run from an infected message, the worm exploits a security vulnerability (described below). The worm then installs itself to the system, and runs its spreading routine and payload.

The worm contains the following "copyright" text string:

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

Installing

While installing, the worm copies itself:

  • to the Windows directory with the MMC.EXE name
  • to the Windows system directory with the RICHED20.DLL name (overwriting the original Windows RICHED20.DLL file) and with the LOAD.EXE name.

The last one is then registered in the auto-run section in a SYSTEM.INI file:

[boot]
shell=explorer.exe load.exe -dontrunold

The worm also copies itself to a Temporary directory with random MEP*.TMP and MA*.TMP.EXE names, for example:

mep01A2.TMP
mep1A0.TMP.exe
mepE002.TMP.exe
mepE003.TMP.exe
mepE004.TMP

These EXE files have the Hidden and System attributes set, as does the LOAD.EXE file (see above).

The worm then runs its spreading and payload routines. Depending on the Windows version, the worm affects the EXPLORER.EXE process, and may run its routines as a background thread of EXPLORER.EXE.
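The installation artifacts listed above (the extra program on the SYSTEM.INI shell= line, the MEP*.TMP / MA*.TMP.EXE copies in the Temp directory, and LOAD.EXE / MMC.EXE dropped directly into the Windows directory) can be checked for with a few lines of parsing. The following is an added example for defenders, not code from the Kaspersky description; the SYSTEM.INI excerpt, the Temp listing and the file paths are constructed from the names quoted above, and the Windows directory is assumed to be C:\WINDOWS.

```python
import fnmatch
from pathlib import PureWindowsPath

# Constructed SYSTEM.INI excerpt reproducing the auto-run entry described above.
SYSTEM_INI_SAMPLE = """\
[boot]
shell=explorer.exe load.exe -dontrunold
[drivers]
wave=mmdrv.dll
"""

# Constructed Temp-directory listing: the five names quoted above plus two benign files.
SAMPLE_TEMP_NAMES = [
    "mep01A2.TMP", "mep1A0.TMP.exe", "mepE002.TMP.exe", "mepE003.TMP.exe", "mepE004.TMP",
    "~DF3F12.TMP", "setup.log",
]

# Constructed file paths; only the first two are where the description says copies are dropped.
SAMPLE_PATHS = [
    r"C:\WINDOWS\mmc.exe",
    r"C:\WINDOWS\load.exe",
    r"C:\WINDOWS\system32\mmc.exe",
    r"C:\WINDOWS\system32\riched20.dll",
    r"C:\WINDOWS\notepad.exe",
]

# Name patterns for the worm's temporary copies, matched case-insensitively.
TEMP_NAME_PATTERNS = ("mep*.tmp", "mep*.tmp.exe", "ma*.tmp.exe")


def shell_programs(system_ini_text):
    """Return the program names on the shell= line of [boot]; '-switches' are dropped."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return [tok for tok in value.split() if not tok.startswith("-")]
    return []


def extra_shell_programs(system_ini_text):
    """Anything other than explorer.exe on the shell= line is started at every logon."""
    return [p for p in shell_programs(system_ini_text) if p.lower() != "explorer.exe"]


def suspicious_temp_names(names):
    """Temp-directory entries matching the worm's random-name patterns."""
    return [n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), pat) for pat in TEMP_NAME_PATTERNS)]


def dropped_copies(paths, windows_dir=r"C:\WINDOWS"):
    """Flag LOAD.EXE and MMC.EXE sitting directly in the Windows directory.

    A legitimate mmc.exe lives in the system directory, not the Windows directory
    itself. RICHED20.DLL is overwritten in place, so its name alone proves nothing;
    that file has to be compared against a known-good copy instead.
    """
    win = PureWindowsPath(windows_dir)
    hits = []
    for p in paths:
        path = PureWindowsPath(p)
        if path.parent == win and path.name.lower() in {"load.exe", "mmc.exe"}:
            hits.append(p)
    return hits


if __name__ == "__main__":
    print("extra shell programs:", extra_shell_programs(SYSTEM_INI_SAMPLE))
    print("suspicious temp names:", suspicious_temp_names(SAMPLE_TEMP_NAMES))
    print("dropped copies:", dropped_copies(SAMPLE_PATHS))
```

On a real system the three inputs would come from reading SYSTEM.INI, listing %TEMP%, and walking the Windows directory; the functions take plain text and name lists so they can also be run against collected forensic listings.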

Spreading via E-mail

In order to send infected messages, the worm connects to a host machine by using SMTP protocol, and sends its copies to victim addresses.

In order to obtain victim e-mail addresses, the worm uses two methods:

1. It scans *.HTM and *.HTML files and looks for e-mail-like strings.

2. It uses MAPI to connect to MS Exchange mailboxes and obtains e-mail addresses from there.

The infected messages are of HTML format and contain:

Subject: empty or random
Body: empty
Attach: README.EXE

Subjects are chosen from the name of a randomly selected file in the folder given by the registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

(usually this is "My Documents"), or from a randomly selected file on the C: drive.

In order to spread from infected messages, the worm uses an "IFRAME" trick that exploits the vulnerability described in:

Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Download patch:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

What causes the vulnerability?

If an HTML mail contains an executable attachment, whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.

What does the patch do?

The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This has the effect of preventing e-mails from being able to automatically launch executable attachments.
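Besides applying the patch, a mail gateway can flag the message shape described above before it reaches an unpatched client: an attachment whose name has an executable extension but whose declared Content-Type is not one under which an executable would normally be sent, and an HTML body whose IFRAME points at that attachment by Content-ID. The following is an added example, not code from the Kaspersky description or from Microsoft; the sample message is constructed, the audio/x-wav label is one possible "unusual type" (the bulletin's exact list is not reproduced on this page), and the set of executable extensions and acceptable content types is an assumption to be tuned per site.

```python
import re
import email
from email import policy
from pathlib import PureWindowsPath

# Extensions Windows runs directly; .exe and .scr are the ones this description mentions.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Content types under which an executable attachment would plausibly be declared.
EXECUTABLE_CONTENT_TYPES = {
    "application/octet-stream", "application/x-msdownload", "application/x-msdos-program",
}

# <iframe ... src="cid:..."> inside the HTML body.
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)

# Constructed sample message (not a real capture). The attachment carries an .exe name but
# is declared as audio, and a zero-size IFRAME in the HTML body references it by Content-ID.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="SAMPLE-BOUNDARY"

--SAMPLE-BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:attach1@example.invalid" height="0" width="0"></iframe></body></html>
--SAMPLE-BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <attach1@example.invalid>
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--SAMPLE-BOUNDARY--
"""


def analyze_message(raw):
    """Return the two signals: mislabeled executable parts and IFRAMEs targeting attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    mislabeled = []      # (filename, declared content type)
    cid_to_name = {}     # Content-ID -> attachment filename
    iframe_cids = []     # Content-IDs referenced from IFRAME src attributes
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        cid = str(part.get("Content-ID") or "").strip().strip("<>")
        if filename:
            ext = PureWindowsPath(filename).suffix.lower()
            if ext in EXECUTABLE_EXTENSIONS and ctype not in EXECUTABLE_CONTENT_TYPES:
                mislabeled.append((filename, ctype))
            if cid:
                cid_to_name[cid] = filename
        if ctype == "text/html":
            iframe_cids.extend(IFRAME_CID.findall(part.get_content()))
    # The dangerous combination: an IFRAME whose target is an executable attachment.
    auto_launch = any(
        PureWindowsPath(cid_to_name.get(c, "")).suffix.lower() in EXECUTABLE_EXTENSIONS
        for c in iframe_cids
    )
    return {"mislabeled": mislabeled, "iframe_cids": iframe_cids, "auto_launch_pattern": auto_launch}


if __name__ == "__main__":
    print(analyze_message(SAMPLE_MESSAGE))
```

The two signals are kept separate on purpose: a mislabeled executable is worth quarantining even without an IFRAME, and an IFRAME that loads an executable attachment is worth blocking even when the Content-Type is declared honestly.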

Spreading via the local network

The worm scans local and shared (mapped) remote drives in three different ways, and infects all accessible directories found there.

While infecting, the worm uses two different methods:

1. It creates .EML (95% of the time) or .NWS (5%) files with randomly selected names. As a result, these EML and NWS files are everywhere on an infected machine (and in the local network), and there may be thousands of them. These files contain the worm's copy in e-mail form.

The e-mail form is an HTML e-mail message with the worm's copy in a MIME envelope, and with an IFRAME trick as described above. Upon being opened, this message immediately infects a vulnerable machine.

2. The worm looks for files whose names contain one of the following sub-strings and have one of the following extensions:

*DEFAULT*, *INDEX*, *MAIN*, *README* + .HTML, .HTM, .ASP

(*NAME* means that NAME may appear as a sub-string of the file name.)

If such a file is found, the worm copies itself in e-mail form to the same directory under the name README.EML, and appends to the victim's HTM/HTML/ASP file a JavaScript program that simply opens README.EML when the page is opened, thereby activating the worm.

As a result, the worm infects Web pages, and may spread to machines that visit these Web sites.
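Both local-network methods leave file-system evidence that a scan can pick up: large numbers of .EML/.NWS files scattered through directories, and web pages with an appended script that opens README.EML. The following is an added example for defenders, not code from the Kaspersky description; it builds a small constructed directory tree (the appended script text is an assumption modelled on the behaviour described above, not a quoted sample from the worm) and scans it.

```python
import os
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".htm", ".html", ".asp"}
DROPPED_MAIL_EXTENSIONS = {".eml", ".nws"}

# Any <script> block that names readme.eml is treated as the appended loader.
SCRIPT_OPENS_README = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)


def scan_tree(root):
    """Walk a tree; return dropped mail-form copies and web pages with the appended script."""
    dropped, injected = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in DROPPED_MAIL_EXTENSIONS:
                dropped.append(str(path))
            elif ext in WEB_EXTENSIONS:
                text = path.read_text(errors="replace")
                if SCRIPT_OPENS_README.search(text):
                    injected.append(str(path))
    return {"dropped_mail_files": sorted(dropped), "injected_pages": sorted(injected)}


def build_sample_tree():
    """Create a constructed tree with one infected page, one clean page and two dropped files."""
    root = Path(tempfile.mkdtemp(prefix="sample_tree_"))
    web = root / "wwwroot"
    web.mkdir()
    # Constructed: a page with the loader script appended after the original markup.
    (web / "index.htm").write_text(
        "<html><body>Welcome</body></html>\n"
        '<script language="JavaScript">window.open("readme.eml")</script>\n'
    )
    (web / "about.html").write_text("<html><body>Clean page</body></html>\n")
    (web / "readme.eml").write_text("MIME-Version: 1.0\n(constructed placeholder body)\n")
    docs = root / "docs"
    docs.mkdir()
    (docs / "xk7a.nws").write_text("(constructed placeholder body)\n")
    (docs / "report.txt").write_text("ordinary document\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, paths in scan_tree(sample_root).items():
        print(key)
        for p in paths:
            print("  ", p)
```

Run against a real share or web root, the count of dropped_mail_files is the quick indicator (the description notes there may be thousands), while injected_pages lists the files that must be cleaned of the appended script and restored from a known-good copy.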

Spreading as an IIS attack

To upload its file to a victim's machine, the worm uses a "tftp" command, and activates a temporary TFTP server on the infected (current) machine to serve the "get" request from the victim's (remote) machine, in exactly the same way as the BlueCode IIS worm (IISWorm_BlueCode).

The name of file that is uploaded to a victim's machine is ADMIN.DLL.

Payloads

The payload routine adds the "Guest" user to the Administrators group (as a result, the "Guest" user has full access to an infected machine).

The worm also opens all local drives for sharing.
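Both payload effects are visible in the output of standard Windows commands: "net localgroup Administrators" lists the group's members, and "net share" lists shares with their local paths. The following is an added example for checking collected command output, not code from the Kaspersky description; the two output samples are constructed in the format those commands print, and the share names used for the opened drives are an assumption, since the description does not name them.

```python
import re

# Constructed output of "net localgroup Administrators" on an affected machine.
NET_LOCALGROUP_ADMINS_SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

# Constructed output of "net share"; the D$ and E$ rows stand for drives opened for sharing.
NET_SHARE_SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
D$           D:\
E$           E:\
The command completed successfully.
"""

DRIVE_ROOT = re.compile(r"[A-Za-z]:\\")


def localgroup_members(text):
    """Member names listed below the dashed separator, up to the completion line."""
    members, in_members = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("---"):
            in_members = True
            continue
        if not in_members or not s:
            continue
        if s.lower().startswith("the command completed"):
            break
        members.append(s)
    return members


def guest_is_administrator(text):
    return any(m.lower() == "guest" for m in localgroup_members(text))


def drive_root_shares(text):
    """(share name, path) pairs whose resource is a bare drive root such as C:\\ ."""
    hits, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.lower().startswith("the command completed"):
            continue
        parts = line.split()
        if len(parts) >= 2 and DRIVE_ROOT.fullmatch(parts[1]):
            hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    print("Guest in Administrators:", guest_is_administrator(NET_LOCALGROUP_ADMINS_SAMPLE))
    print("drive-root shares:", drive_root_shares(NET_SHARE_SAMPLE))
```

Guest membership in Administrators is a clear finding on its own. Drive-root shares need a baseline: C$ and similar administrative shares exist by default on many Windows installations, so the useful comparison is against the share list recorded for that machine before the incident.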

There are several variants of the "Nimda" worm. All of them are very close to the original, and most of them are just "patched" versions of the original worm (the text strings in the worm body are replaced with other strings).

Nimda.b

This is the original "Nimda" worm, but compressed with the PCShrink Win32 PE EXE file compressor. The strings:

README.EXE , README.EML

are replaced with:

PUTA!!.SCR , PUTA!!.EML

Nimda.c

This is exactly the original "Nimda" worm, but compressed with the UPX compressor.

Nimda.d

This variant of the worm was mass-mailed to the Internet at the end of October 2001. It was spread in compressed form (PECompact compressor), and in this form it is 27 KB in size.

The only difference from the original worm is the "copyright" text string, which is patched in this version to the following text:

HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain

Nimda.e

This is a recompiled "Nimda" variant in which several minor routines have been slightly fixed and/or optimized. This variant was found in the wild at the end of October 2001.

The visible differences from the original worm version are:

The attached file name:
SAMPLE.EXE (instead of README.EXE)

The DLL files are:
HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)

The "copyright" text is replaced with:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)
