Nimda Anti-Virus Scanner & Remover

Computer Programming

In Sept of 2001 the nimda virus hit the internet in full force hitting our company very early in it's initial release. When I arrived in the morning to work I immediately noticed my workstation and many of the servers behaving eradically. Quickly I realized it was a virus and was duelly unimpressed and yet not suprised that the virus protection software on the servers had caught it. (I have had little faith in any virus software's ability to adequately protect against viruses.) I spent a few hours downloading every anti-virus utility out there. Not one would even detect the virus. No reports from the big anti-virus companies seemed to even exist yet. I was dealing with an as yet unknown virus.

This codeguru article is at:

http://www.codeguru.com/Cpp/misc/misc/article.php/c3741

MODULE 1: Nimda Virus Scanner & Cleaner

AntiNimda Scanner

Pardon the lack of special features in this program. I shotgun coded it overnight when the nimda virus went wild and the big-shot virus scanners didnt have any (clean enabled) virus definitions. I find it still works better than McAfee, F-prot & Norton AV at cleaning the nimda virus.

Download the 'anti-nimda.exe' executable

REMOVAL INSTRUCTIONS for Nimba Virus:

If you are using anti-nimda to clean an infected computer follow these instructions:

MODULE 2: Nimda Memory Scanner for Win 2000

Memory Scanner

The nimda memory scanner scans all active processes for traces of the nimda virus. This project is a good illustration of reading the memory of other processes. Also included is the enumeration of processes and modules contained within a process. Allowing a process access to the memory of another process is a security risk, for this reason you must have administrator priviledges on the target machine to run this memory scanner. I have only tested this scanner on Windows 2000. The API documentation shows that the 'EnumerateLoadedModules' function is only supported on NT5 or later (I.e. Win2000). This function is used to find out what modules (DLL's, etc) are loaded by the process and where they are located in its memory space. If anyone knows how to do this on a (windows) platform independant way I'd be interested in hearing from you.

Download the 'memoryscan.exe' executable.

MODULE 3: IIS Vulnerability Filter Patch

The second project in the workspace is an Internet Information Server (IIS) Filter that patches the invulnerability in IIS that lets the nimda virus run wild. For a reason I cant figure out the patch recommended by microsoft did not patch the invulnerability and our servers continued to get infected. This filter DLL once installed returns an 'Internal Server Error' to anyone attempting to take advantage of the vulnerability.

INSTALLING NIMDA FILTER:

Double-click on the nimda-filter.req file. This sets the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filter DLLs'
to 'c:\winnt\system32\inetsrv\nimdafilter.dll'

Set this key value manually if you have installed your IIS server in a different directory than specified above.

Download the nimdafilter.dll DLL.

See a sample of the Anti-nimda Log File.

Download Nimda Source Code - 186KB


The NIMDA Virus

(recap) In Sept of 2001 the nimda virus hit the internet in full force hitting our company very early in it's initial release. When I arrived in the morning to work I immediately noticed my workstation and many of the servers behaving eradically. Quickly I realized it was a virus and was duelly unimpressed and yet not suprised that the virus protection software on the servers had caught it. (I have had little faith in any virus software's ability to adequately protect against viruses.) I spent a few hours downloading every anti-virus utility out there. Not one would even detect the virus. No reports from the big anti-virus companies seemed to even exist yet. I was dealing with an as yet unknown virus.

"Every service in our organization is down! I managed to stop the virus from spreading but moments after I start the web server it begins again. I am getting quite ticked off at this point. Time for Windows debugger, let's take this virus apart from the inside!"

How nimda works

  • Nimda includes a tftp server in it's code. A tftp server is like a simple ftp server without authentication (often used for diskless terminal boot services).
  • Nimda scans blocks of ip addresses (subnets) to locate computers connected to the internet
  • Uses a vulnerability in IIS servers on a target machine to run a tftp client (included with windows) in order to download a copy of itself onto the target computer. This is how nimda gets inside of corporate networks through a firewall.
  • Once on a network, nimda also scans the local subnet for computers and connects to any computer it can through windows networking in order to proliferate itself.
  • Nimda deposits random .eml files around your hard drive hoping you might click on one thinking it's an email yet it executes the nimda code.
  • Nimda also contains a mass emailer, it looks up your list of contacts and sends itself to each one.
  • Nimda disquises itself inside inside executables you already have on your computer. (It targets MS Word, Excel, Notepad, and others) More to the truth though, it in fact stores your executable program inside of itself, thus you call up MS Word, but in fact you executed the nimda virus, which in turn executed the MS Word code it stored inside itself so you don't suspect anything is wrong. However, an inspection of the file size of the MS Word executable would show a larger size after infection.

Clearly nimda tries very hard to spread itself, it is combination of many previous virus's out there. In contrast, most viruses use one or two of the above techniques. Having finished reverse compiling the nimda virus I set to work on writing code to reverse all the effects of nimda. Since the original executable code is stored inside of the infected executable it was simple enough to extract the original executable back out (the executable was stored as a RESOURCE inside the infected executable. In some cases, the nimda virus stored only itself as a luring name attempting to bait the user, these copies were simply deleted, as well as any .eml files that contained code to execute the virus. At about midnight, about 12 hours after I began, I had completed anti-nimda.

Anti-nimda worked great as it cleaned all the computers on our network. However, it still didn't stop it all from beginning again once I started the web server. It was IIS afterall that let nimda into our network in the first place. Nimda requests a malformed url, (a web page address that contains strange unrecognizable characters,) to fool the targeted web server into running a program already on the web server's hard drive. In this case tftp.exe or cmd.exe. To stop IIS from continuing to do this I wrote an IIS ISAPI Filter. ISAPI is a way to extend the functionality of the web server in a manner much like CGI (Common Gateway Inteface). All url requests pass through this ISAPI filter and the filter aborts any requests that contain any pattern nimda uses. This filter also logs any attempts made my nimda to get into the network through the IIS server.

My rant on the big anti-virus companies

I said before I had little faith in anti-virus software. In fact, I dont run any on any of my workstations or servers and I've been all over the internet yet I haven't had a virus on them since since nimda (now 4 years ago). In my case I find the popup's and false positives on any anti-virus software I've used to be more annoying than the viruses. Finally, none of these anti-virus programs can protect you against new viruses, even similar strains adequately. In the case of nimda and as far as I know, my program was the first to detect and remove the nimda virus. Some of the virus companies had posted a summary of info about the nimda virus that day, but none had released a detection tool until 2 days later, and not a cleaning tool for 4 days later (which didnt clean all of it, by the way.) Slowely over about a week and a half the anti-virus companies caught up. I don't know of any that patched the IIS server, I guess they just continued to clean up the virus as it came in. If I seem sore, I am. How should one person from scratch be able to outperform 5 of the leading anti-virus companies? There are many people I know personally that have the abilities I used to solve this problem. I also had a problem getting my anti-nimda into the public's hands, how where people in need going to find my little corner of the internet. The current model of writing and distributing anti-virus is insufficient when compared to the model of writing and distributing a virus!

Does this mean I recommend not running anti-virus software? No, not at all. It's better than nothing until such time that you feel you can recognize a virus in a new sheeps clothing. Keep running your anti-virus software.

How do I prevent myself from getting Viruses?

I disable javascript in Internet Explorer (IE) and typically use Opera to surf the web. I enable javascript only for sites I trust. IE has a rich javascript development environment, it's great for making beautiful interactive web sites and intranets, but in Microsoft's haste to dominate the browser market they often overlook security. Writing malicious code is easier in IE than any other browser I know. I am sure you have heard of this one: don't open any email with unknown attachments.

Why do people write viruses?

This is the most common question I get asked in regard to computer viruses. Although I can't exactly say what the mind of a virus writer is, I can only surmise they write viruses to satisfy thier ego in that they have made something that has made a big impact, albeit a destructive one. However, the majority of viruses are not made by advanced level programmers. Hardly. The source code for a large number of viruses can be found on the internet. (Source code is like design blueprints, in a human readable form, that instruct a compiler program on how to generate a machine runnable version of what the developer wants to accomplish. ALL computer software is generated from source code.) Most all viruses are derivitives from the source code of these viruses. Someone who wants to write a virus needs to know little about writing programs. "Script Kiddies" is a term used to describe someone who downloads a virus's source code off the internet, makes a slight change, and releases it as a new variant.

Future of Anti-virus

This experience was an educational one at least. It forced me to evaluate where anti-virus really doesn't stand up against the army of virus. Let's look at the key point where anti-virus fails over viruses:

  • Virus's are perpetual and autonomous. They will work continuously and automatically to proliferate themselves until such time as all copies are destroyed.
  • Anti-virus must be installed by the end user, executed by the end-user or optionally run automatically. Anti-virus is primarily a manual process!

How our immune system works

Our body has the same problem with malicious entities that our computers do. Why don't our computer systems work like our biological system? Our immune system is primarily autonomous, replicates itself, and recognizes new virus in a short time. In the case of nimda I saw a way in which the entire internet could have been sterilized of nimda automatically. If my anti-nimda mimic'd nimda in the way it replicated it could replicate itself back to any computer that contained the nimda infection, cleaned it, patch it, and jump to the next infection. Remember, the nimda filter outputed a log file of all nimda attacks. Logically, these computers attacking were vulnerable to at least one of the vulnerabilities that nimda took advance of. I also knew that nimda didnt patch any vulnerabilities it used. I used my log file to hack into computers that were attacking my servers and clean and patch them. I can only imagine the look on a system administrator's face as his network started returning to normal and nimda dissappeared.

I gave a speech on this very idea at Dalhousie University in Halifax, Nova Scotia. The idea that anti-virus needs to start mimicing virus's and proactively fight them back to thier source. (Could the source of the virus, the first infected computer, be determined with forensic like techniques?) If I modified my anti-nimda and isapi filter, combining them together, I could have written a replicating anti-nimda program that replicated to infected computers cleaning and patching them and then sitting idle until another computer infected with nimda attacked. (What legal ramifications would I be held accountable for even though my intensions are good?)

Finally, I feel strongly that the onus of running up-to-date anti-virus needs to be removed from the end user and placed on the ISP (Internet Service Provider). The fact is that most computer users now do not know how to properly protect themselves against viruses. An ISP has the advantage of trained computer personell to run and manage virus solutions for a large group of network users. Internet gateway devices are the bottlenecks that connect every network on the internet together. Every piece of internet traffic must pass through a gateway device to reach the internet and will pass through many of them before arriving at it's destination. Techniques need to be developed to effectively run anti-virus software on these gateway device so that viruses cannot pass through a gateway device and thus get trapped inside thier local network and fail to proliferate. Anyone in the know would argue that this creates a problem of delaying traffic while it is being scanned, slowing down the internet. Yes, and no. The traffic can be passed instantly, and scanned later. If a virus match was found a router can signal it's neighboring gateway device. The virus is squelched not instantly, but quickly out of the gate. Also, not every gateway device has to have a complete copy or knowledge of every virus, this knowledge could be spread out so that one gateway device is bound to catch it eventually. Once it does, it passes the signal and knowledge of that virus to it's neighbor. Each gateway device plays a small part of scanning for viruses but cooperativly they stop the flood.