How ISA Server Can Be Configured to Help Prevent the Nimda Worm

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : October 8, 2001

By Zachary Gutt

Technical Product Manager

Microsoft Corporation

Microsoft® Internet Security and Acceleration (ISA) Server 2000 can be used to help prevent the spread of the Nimda worm. However, the first course of action should be to protect the Internet Information Services (IIS) servers in the environment. It is strongly recommended that the IIS Lockdown and URLScan tools (see "Patching and Protecting Your Systems") be downloaded and installed. This document discusses how the Nimda worm spreads, where to find links to more details about patching your servers, what ISA Server can do to help prevent Nimda, and where to go for more information.

Disclaimer

There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

On This Page

How the Nimda Worm Spreads
Patching and Protecting Your Systems
What ISA Server Can Do To Help Stop Nimda
Summary
For More Information

How the Nimda Worm Spreads

The W32.Nimda.A@MM (Nimda) worm uses four methods to infect computers. Following are short descriptions of each of the infection vectors. Please refer to https://www.microsoft.com/technet/security/alerts/info/nimda.mspx for more complete information.

I. Email

Nimda can spread via email, taking advantage of vulnerabilities in the mail client so that the recipient is often infected as soon as the message is viewed in an unpatched client, without deliberately opening anything. The worm payload is delivered as an email attachment (README.EXE, declared with the MIME type audio/x-wav; see Action #2 below).

II. Infecting remote Web Servers

If Nimda finds a remote Web server that (a) is already infected with the Code Red II worm (and therefore exposes that worm's backdoor), or (b) is susceptible to the known IIS directory traversal vulnerability (for which a patch has long been available), it instructs that Web server to download an infected ADMIN.DLL from the attacking host via TFTP (Trivial File Transfer Protocol, UDP port 69).
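Both (a) and (b) leave distinctive entries in the IIS web logs. The following Python script is an added example (not code from the original article or from ISA Server): it parses an IIS W3C extended log and flags the publicly documented Nimda request patterns, namely calls to the root.exe backdoor that Code Red II leaves behind, double-encoded (%255c) or overlong-UTF-8 (%c1%1c and similar) directory traversal to cmd.exe, a tftp command in the query string, and visitors fetching README.EML (the web-page payload described in section III). The log lines are constructed, and the tag names and function names are this example's own.

```python
"""Scan an IIS W3C extended log for Nimda-style web requests.

Added example, not code from the original article or from ISA Server. The
request patterns are the publicly documented Nimda/Code Red II probes; the
log lines below are constructed, not a real capture.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 sequences the worm used so that IIS turned them into a path
# separator only after its own traversal check had already passed.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}
TRAVERSAL = re.compile(r"(^|/)\.\./")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 13:00:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:00:03 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:04 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll 200
2001-09-18 13:00:05 198.51.100.7 GET /default.htm - 200
2001-09-18 13:00:06 198.51.100.7 GET /readme.eml - 200
"""


def normalize(uri: str) -> str:
    """Percent-decode repeatedly (defeats %255c double encoding), map the
    overlong sequences to real separators, and fold backslashes to slashes."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq, rep in OVERLONG.items():
        raw = raw.replace(seq, rep)
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def classify(stem: str, query: str) -> list[str]:
    """Return the probe types one request matches (empty list if benign)."""
    path = normalize(stem)
    q = normalize(query) if query != "-" else ""
    tags: list[str] = []
    if "root.exe" in path:
        tags.append("code-red-ii-backdoor")       # (a): Code Red II left root.exe behind
    if TRAVERSAL.search(path) or "cmd.exe" in path:
        tags.append("directory-traversal")        # (b): escaping the web root to cmd.exe
    if "tftp" in q:
        tags.append("tftp-download-command")      # cmd.exe told to fetch Admin.dll
    if path.endswith("/readme.eml"):
        tags.append("readme-eml-fetch")           # a visitor pulling the web-page payload (III)
    return tags


def scan_iis_log(text: str) -> list[dict]:
    """Parse W3C extended format using its #Fields header and return one
    finding per request that matches; only the columns used here are needed."""
    fields: list[str] = []
    findings: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        tags = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if tags:
            findings.append({"time": rec.get("time"), "client": rec.get("c-ip"),
                             "status": rec.get("sc-status"),
                             "uri": rec.get("cs-uri-stem"), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {','.join(f['tags'])} {f['uri']}")
```

Run it over a real log with scan_iis_log(open(path).read()). Traversal or root.exe hits from outside addresses are probes and the source addresses are candidates for blocking at ISA Server; a traversal line with status 200 rather than 404 means the request reached cmd.exe and the server must be treated as compromised; readme-eml-fetch hits mean the server is already serving infected pages to visitors.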

III. Infecting web pages on affected Web Servers

On an infected Web server, all HTM, HTML, and ASP pages can be compromised: a snippet of JavaScript is appended to each page that opens a payload file (README.EML) that Nimda places on the server.

When a remote Internet Explorer (IE) browser opens a compromised HTM, HTML, or ASP file, an unpatched browser will automatically run the JavaScript, downloading and executing the payload file and thus infecting the browsing computer.

IV. File sharing

Nimda attempts to find computers on the network with shared folders and replaces their RICHED20.DLL (a library loaded by WordPad, Notepad, and Microsoft Word) with an infected version. Nimda may also replace, or prepend itself to, EXE, EML, and DOC files on any remote share it can write to. When a user opens a compromised file in one of the aforementioned programs, the infected RICHED20.DLL is loaded and executed, infecting the computer.

Patching and Protecting Your Systems

The above is only a short description of how the Nimda worm spreads and infects. As mentioned above, the first course of action should be to protect your Internet Information Services (IIS) servers. It is strongly recommended that the IIS Lockdown and URLScan tools be downloaded and installed.

For complete details on the Nimda worm, visit Microsoft TechNet and Microsoft Security:

Microsoft TechNet

https://www.microsoft.com/technet/archive/security/news/nimdaie6.mspx

https://www.microsoft.com/security/

For IIS Lockdown & URLScan:

https://www.microsoft.com/technet/security/tools/locktool.mspx

https://www.microsoft.com/technet/security/tools/urlscan.mspx

What ISA Server Can Do To Help Stop Nimda

While ISA Server cannot stop the Nimda Worm completely, the following steps can be taken in order to help prevent Nimda from further infiltrating your network.

Action #1

Use ISA Server to protect against the Code Red worm. This prevents further Code Red II backdoors from being installed on your systems, which Nimda would otherwise use as an entry point.

ISA Server Solution

Follow the guidelines explained in the Microsoft TechNet article "How ISA Server Can Be Configured to Stop The Code Red Worm."

Defends Against

Nimda infection via a Code Red II backdoor (II above).

Action #2

Use the ISA Server Message Screener to drop all emails that carry README.EXE as an attachment, or to drop all email attachments with the MIME type audio/x-wav (the type Nimda declares for its payload).

ISA Server Solution

If you have the SMTP filter running, create a new rule at position #1 that deletes all messages with the attachment name "README.EXE" (Application Filters, SMTP Filter properties, Attachments tab). Note that matching on the name alone will not catch a renamed copy of the payload, and dropping every audio/x-wav attachment also discards legitimate audio files; treat either rule as an emergency measure rather than a substitute for patching mail clients.

Defends Against

Nimda infection via email (I above).
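Action #2 matches on the attachment name. The Python below is an added example (not code from the original article or from ISA Server's Message Screener): it screens a raw SMTP message with the same name rule, then adds the content check a practitioner would want, dropping any attachment whose body starts with the MZ executable header regardless of the MIME type declared for it, and it shows why dropping every audio/x-wav attachment by label alone is a blunt instrument. The three messages are constructed test data, and the function and constant names are this example's own.

```python
"""Screen a raw SMTP message for the Nimda attachment.

Added example, not code from the original article or from ISA Server.
The three messages are constructed test data (PE_BODY is only an MZ header
padded with zeros, not a real executable).
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_NAMES = {"readme.exe"}      # the rule Action #2 creates in the SMTP filter
NIMDA_LABEL = "audio/x-wav"         # type the worm declares so an unpatched IE runs it
PE_MAGIC = b"MZ"                    # header of every DOS/PE executable

PE_BODY = b"MZ\x90\x00" + b"\x00" * 60                        # constructed stand-in for README.EXE
WAV_BODY = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24     # constructed genuine WAV header


def build_sample(filename: str, ctype: str, body: bytes) -> bytes:
    """Build a one-attachment message for testing (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "readme"
    msg.set_content("see attachment")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


SAMPLES = {
    "nimda":   build_sample("README.EXE", NIMDA_LABEL, PE_BODY),  # what the worm sends
    "renamed": build_sample("notes.wav", NIMDA_LABEL, PE_BODY),   # the name rule alone misses this
    "legit":   build_sample("ping.wav", NIMDA_LABEL, WAV_BODY),   # a real audio clip
}


def screen(raw: bytes, block_all_wav: bool = False) -> tuple[str, list[str]]:
    """Return ("drop", reasons) or ("deliver", []).

    block_all_wav=True reproduces the article's alternative of dropping every
    attachment labelled audio/x-wav. The default applies the name rule plus a
    content check, which catches renamed copies without discarding real audio.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if name in BLOCKED_NAMES:
            reasons.append(f"{name}: blocked attachment name")
        if body.startswith(PE_MAGIC):
            reasons.append(f"{name}: executable body (declared as {ctype})")
        if block_all_wav and ctype == NIMDA_LABEL:
            reasons.append(f"{name}: audio/x-wav attachments are blocked")
    return ("drop", reasons) if reasons else ("deliver", [])


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, screen(raw))
        print(label, "(block all wav)", screen(raw, block_all_wav=True))
```

The content check is what makes the filter hold up: the worm's own message is caught twice (name and body), a renamed copy is still caught by its MZ header, and a genuine WAV file passes unless the blunt block_all_wav rule is switched on.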

Action #3

Prevent all TFTP (Trivial FTP, UDP port 69) traffic. This stops an IIS system behind ISA Server from being made to download ADMIN.DLL from a server infected with Nimda.

ISA Server Solution

By default, TFTP traffic is not allowed by ISA Server. If you have opened this port for any reason, it is recommended that it be closed by creating a Protocol Rule that always denies TFTP for any request.

Defends Against

Nimda infecting remote Web servers (II above).

Action #4

Block all NetBIOS traffic from crossing ISA Server (UDP ports 137 and 138, TCP port 139).

ISA Server Solution

By default, NetBIOS traffic is not allowed by ISA Server. If you have opened these ports for any reason, it is recommended that they be closed by creating a Protocol Rule that always denies traffic on all NetBIOS ports (NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session) for any request. Windows 2000 hosts also carry file sharing directly over TCP port 445 (SMB without NetBIOS); make sure that port is not open through ISA Server either.

Defends Against

Nimda spreading over file shares across the ISA Server boundary (IV above). Note: this is a preventative measure only! Because ISA Server is a firewall placed at the edge of a network, it can do nothing to prevent the spread of Nimda via file sharing within the internal network.

Summary

The first course of action taken against the Nimda worm should be protecting and patching all IIS servers. In addition, ISA Server can help prevent the Nimda worm. Taking the above steps can help mitigate the current outbreak, and could help to prevent machines on internal networks from further infection.

For More Information

The following are locations you may visit for more information about the subjects mentioned in this article.

Nimda information on Microsoft TechNet

https://www.microsoft.com/technet/security/alerts/info/nimda.mspx

https://www.microsoft.com/technet/archive/security/news/nimdaie6.mspx

Microsoft Security and Microsoft Security Tools

https://www.microsoft.com/security/

IIS Lockdown Tool

https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC

URLScan

https://www.microsoft.com/downloads/details.aspx?FamilyID=12244f33-a5da-4203-a3a8-83f4388bb71f&DisplayLang=en

HFNetChk

https://www.microsoft.com/technet/security/tools/hfnetchk.mspx

Microsoft Baseline Security Analyzer (MBSA)

https://www.microsoft.com/technet/security/tools/mbsahome.mspx