Nimda Worm Infected HTML File Detection

critical Nessus Plugin ID 10767

Synopsis

The remote host may have been compromised.

Description

The remote web server appears to have been compromised by the Nimda mass-mailing worm, which uses various known IIS vulnerabilities to compromise servers.

Visitors to such a compromised web server may be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment.

In addition, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.

Note that this plugin only looks for the presence of the string injected by the Nimda worm on the remote web server, so it may produce false positives.

Solution

Take this server offline immediately, rebuild it, and apply ALL vendor patches and security updates, as well as the security settings discussed in the Additional Information section of MS01-044, before reconnecting it to the Internet.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044

Plugin Details

Severity: Critical

ID: 10767

File Name: nimda.nasl

Version: 1.33

Type: remote

Family: CGI abuses

Published: 9/19/2001

Updated: 1/19/2021

Supported Sensors: Nessus

Reference Information

CERT-CC: CA-2001-26

MSFT: MS01-044

MSKB: 294774, 297860, 298340, 301625, 304867, 305359