504897 : Guest account is possible sign of worm (Nimda)

Risk 5 : Miscellaneous

There is evidence that the system has been penetrated by an Internet worm. Files or system information may have been transmitted to remote parties, unauthorized file modifications may have taken place, and backdoors allowing unauthorized access may be present. Furthermore, it is likely that the system is being used as a potential launching point for further propogation of the worm across the network.

A worm is a self-replicating program designed to spread across a network without requiring any outside actions to take place. The main difference between a worm and a virus is that a virus relies on human actions, such as opening e-mail attachments or sharing files, to copy itself from one computer to another, whereas a worm is able to do so independently, allowing it to spread much faster.

Nimda and Nimda.E worm

The Nimda worm, also known as the Concept Virus, is capable of spreading very fast because it uses four separate exploits to propogate:

IIS vulnerabilities, including the Directory Traversal vulnerability and backdoors left behind by the Code Red and sadmin/IIS worms. Upon finding a vulnerable server, the worm copies a file called Admin.dll to the server using the TFTP protocol. Automatic Execution of Embedded MIME types, which causes an attachment called readme.exe to automatically run when an e-mail message is opened. The attachment is sent in an e-mail message which sometimes comes from a spoofed address. Infection of web pages with malicious JavaScript which causes some browsers to automatically download and execute a file called readme.eml, due to the same vulnerability as in the item above. The worm appends the malicious JavaScript code to all files ending in .html, .htm, and .asp. Copying itself using Open File Shares. The worm copies a file called readme.eml to every writable directory, including shared network drives where it can be run on other systems.

In addition to the actions mentioned above which the worm uses to propogate, it also does the following:

replaces many executable files on the system with Trojan Horse versions which run the worm any time an infected file is run positions itself in such a way that it is executed whenever a document is opened creates a backdoor on the system by enabling the guest account and by sharing the C drive so that the entire drive is readable and writable remotely

The Nimda.E worm is a variation of the Nimda worm. It has all of the same characteristics as the Nimda worm, but the filenames it uses have been changed to avoid detection by intrusion detection tools and scanners.

The Nimda worm was reported in http://www.cert.org/advisories/CA-2001-26.html CERT Advisory 2001-26 and http://www.doecirc.energy.gov/bulletins/l-144.shtml CIRC Bulletin L-144.

More information on Nimda.E is available from http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html Symantec.

For general information about worms and how they differ from viruses, see the http://www.symantec.com/avcenter/reference/worm.vs.virus.pdf Symantec AntiVirus Research Center.


The paragraphs below explain how to remove a worm from an infected system. However, removal of the worm does not solve the problem at its roots. The presence of the worm is evidence that a critical vulnerability exists on the host. The system should be taken offline until it is certain that the vulnerable services are upgraded to the latest, patched versions.

Since the Nimda worm makes extensive changes to the system, an entire infected system should be deleted and reinstalled. Be sure to install all necessary patches before re-connecting the machine to the network. See Microsoft Security Bulletins http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx 01-020, http://www.microsoft.com/technet/security/bulletin/ms01-027.mspx 01-027, and http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx 01-044.

CVSS Information:
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact
Saint Coorporation : 2010-06-11
New Search
Risk Factor
Start Date
End Date