Nimda detection requires a mix of network monitoring, registry scanning, and file system audits. The Nimda worm spreads rapidly through multiple vectors, including email, shared folders, and website vulnerabilities.

Key Indicators of Compromise

Look for these specific signs to confirm a Nimda infection:
Admin Shares: Look for unauthorized guest access enabled on network shares.
Exploited Files: Check for modified system files, specifically kernel32.dll and wsock32.dll.
Root Folder Changes: Scan for a hidden file named http.log in the root directory.
System Files: Check for the creation of riched20.dll in folders containing .exe files.
Web Directory Payload: Search for a file named load.exe or admin.dll in your web server directories.

Steps to Detect Nimda
Follow these diagnostic steps to identify infected machines on your network:
Scan System Processes: Open your task manager or process monitor. Look for unfamiliar processes running with administrator privileges.
Audit Registry Keys: Open the Registry Editor. Check HKLM\Software\Microsoft\Windows\CurrentVersion\Run for suspicious strings.
Verify File Integrity: Run system file checks to ensure core Windows files match their original digital signatures.
Monitor Network Traffic: Watch for unusual volumes of outbound traffic on ports 80, 443, and 139.

Step-by-Step Cleanup Procedure
If you discover an infection, isolate the machine from the network immediately and execute these cleanup steps:
Terminate Malicious Processes: Kill any active, unverified processes identified during your scan.
Delete Payload Files: Manually delete load.exe, riched20.dll (only copies created by the virus), and http.log.
Restore Modified DLLs: Replace corrupted versions of kernel32.dll and wsock32.dll using clean backups.
Clean the Registry: Remove any malicious string values added to your system startup registry keys.
Secure Web Servers: Clear out all unauthorized files from your web server scripts and root directories.

Prevention Best Practices

Prevent reinfection by locking down your infrastructure:
Patch Systems: Keep operating systems and web server software updated with the latest security patches.
Disable Admin Shares: Turn off default administrative shares if they are not strictly required for operations.
Restrict Permissions: Enforce the principle of least privilege for network shares and write permissions.
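As an added example (not part of the original article), the following Python script checks a file tree and a set of exported Run-key values for the file and registry indicators listed in the detection sections above. It builds a constructed sample tree to run against; the IIS-style Inetpub layout in that tree and the rule of matching the Run value's program name against the listed payload file names are assumptions.

```python
import ntpath, os, tempfile

# File names the article lists as Nimda payload or side-effect files.
WEB_PAYLOADS = {"load.exe", "admin.dll"}
DROPPED_DLL = "riched20.dll"
ROOT_LOG = "http.log"

def scan_tree(root, web_roots=()):
    """Return (indicator, path) pairs for the file-system signs described above.
    root: folder treated as the system root; web_roots: directories the web server serves."""
    root = os.path.abspath(root)
    web_roots = [os.path.abspath(w) for w in web_roots]
    findings = []
    if os.path.isfile(os.path.join(root, ROOT_LOG)):  # http.log in the root folder
        findings.append(("root-log", os.path.join(root, ROOT_LOG)))
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}      # NTFS names are case-insensitive
        # riched20.dll created in a folder that also holds .exe files
        if DROPPED_DLL in by_lower and any(n.endswith(".exe") for n in by_lower):
            findings.append(("dropped-dll", os.path.join(dirpath, by_lower[DROPPED_DLL])))
        # load.exe / admin.dll anywhere under a web server directory
        if any(dirpath == w or dirpath.startswith(w + os.sep) for w in web_roots):
            for n in sorted(by_lower.keys() & WEB_PAYLOADS):
                findings.append(("web-payload", os.path.join(dirpath, by_lower[n])))
    return findings

def suspicious_run_values(run_values):
    """Flag Run-key entries ({value_name: command}) whose program is a listed
    payload file. ntpath parses backslash paths even when run off-box."""
    hits = []
    for name, command in run_values.items():
        cmd = command.strip()
        if cmd.startswith('"'):
            program = cmd[1:].split('"', 1)[0]        # quoted path, may contain spaces
        else:
            program = cmd.split(None, 1)[0] if cmd else ""
        if ntpath.basename(program).lower() in WEB_PAYLOADS | {DROPPED_DLL}:
            hits.append(name)
    return hits

def build_sample_tree():
    """Constructed sample tree (not a real infection); returns (root, web_root). Assumed IIS layout."""
    root = tempfile.mkdtemp()
    web = os.path.join(root, "Inetpub", "wwwroot", "scripts")
    app = os.path.join(root, "Program Files", "App")
    os.makedirs(web); os.makedirs(app)
    for p in (os.path.join(root, ROOT_LOG), os.path.join(web, "admin.dll"),
              os.path.join(app, "app.exe"), os.path.join(app, DROPPED_DLL)):
        open(p, "wb").close()
    return root, os.path.join(root, "Inetpub", "wwwroot")
```

Point scan_tree at the real volume root and the web server's document roots on a suspect host; riched20.dll hits in folders that legitimately ship a copy still need the manual verification the cleanup section calls for.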