Abstract

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:

* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability (VU #111677)
* from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

Initial analysis indicates that the worm contains no destructive payload beyond modification of web content to facilitate its own propagation. We are also receiving reports of denial of service as a result of network scanning and email propagation.

Links

• https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1484423543

Citation

CA-2001-26, Nimda Worm, 2001, in CERT Division, 2017. 2001 CERT Advisories (No. DM17- 0052).