First, profile of the Nimda hacker worm
The surge of Code Red worms around the world had barely subsided, and network administrators were still recovering from it, when a new and extremely destructive virus began to spread across the Internet like wildfire. Its name is Nimda. The Nimda virus was first detected at 9:08 on the 18th, and within half an hour it had spread around the world. The scope of its spread and the degree of damage will greatly exceed that of the Code Red virus that ravaged networks shortly before. According to reports from the Guanqun Jinchen anti-virus monitoring network, infections have already appeared in China. Because this virus can attack Win32 systems through several different routes, trying one method after another until one succeeds, the network traffic it generates is unprecedented. Many reports describe networks paralysed by this virus; its harmfulness is self-evident.
So by what means does this virus cause such enormous destruction? The worm called Nimda is very different from earlier worms: it spreads by three routes, namely email attachments, HTTP, and shared hard disks, and it can infect all 32-bit Windows operating systems: Windows 98/ME, NT, 2000 and XP.
Like Code Red, this new virus exploits security weaknesses in Microsoft's Internet server software (IIS) running on Windows NT or Windows 2000, but it can also infect clients: a user may be infected simply by browsing an infected web page. The virus also spreads through the Outlook and Outlook Express mail clients, infecting the user's system without the user's knowledge, much like the earlier mail worm Happytime. In addition, it creates network shares on the infected system, exposing every drive: on Win9x/ME the shares are set to full access with no password; on WinNT/2000 the guest account is added to the Administrators group and thereby obtains access to the shares. In this respect its behaviour on the network resembles the Funlove virus.
From the above analysis it is clear that this new virus combines the strongest traits of its predecessors and exploits vulnerabilities in the system, which is why this hacker worm is so harmful. In fact, such a worm has already gone far beyond what anti-virus software alone can handle, and judging from recent viruses, it represents the direction future viruses will take. Nimda and the similar viruses that will follow cannot be dealt with by a single anti-virus product; Nimda calls for a comprehensive security solution.
Second, the overall solution
The damage caused by Nimda must be dealt with first, and we need to pay more attention to network security than ever before, building an effective security defense system so that we stay ahead of such threats. To resolve the immediate emergency, Nimda can be removed manually by following these steps:
1. Download and apply the patches from the Microsoft bulletins http://www.microsoft.com/technet/security/bulletin/ms00-078.asp and http://www.microsoft.com/technet/security/bulletin/ms01-020.asp, then disable all shares on the machine.
2. Press Ctrl-Alt-Del and end the "xxx.tmp.exe" and "load.exe" processes.
3. Delete the files in the Temp directory.
4. Replace the infected Riched20.dll (57344 bytes) with a clean Riched20.dll of the same name (about 100K).
5. Delete the load.exe file (57344 bytes) in the system directory and the mmc.exe file under the Windows root directory. If an admin.dll file exists in the root of any of the C:\, D:\ or E:\ logical drives, delete it, and find and delete any files named Readme.eml.
6. In system.ini, if the [boot] section contains the line "shell=explorer.exe load.exe -dontrunold", change it to "shell=explorer.exe".
7. Delete the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\ and HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail\.
8. On WinNT or Win2000, open Control Panel | Users and Passwords and remove the guest account from the Administrators group.
KILL's latest virus definitions, version 28.06, can already detect and remove this virus.
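After working through the manual steps, a responder wants a quick way to confirm that the file-level indicators are really gone and that the system.ini shell line was restored. The script below is an added example, not code from the original article or from any anti-virus vendor; it checks only the indicators the steps name (load.exe, admin.dll, Readme.eml, *.tmp.exe files, a 57344-byte Riched20.dll, and the hijacked shell= line) against a drive tree, and it assumes the tree is mounted as an ordinary directory. The registry keys and the guest account from steps 7 and 8 are not covered. The sample tree it builds consists of constructed, zero-filled placeholder files so that the check can be run offline.

```python
"""Post-cleanup verification for the manual Nimda removal steps.

Added example; not part of the original article. Only the indicators listed
in the removal steps are checked.
"""
import os
import re
import tempfile

# Values taken from the removal steps: the worm's load.exe and the
# replaced Riched20.dll are both 57344 bytes; a clean Riched20.dll is ~100K.
INFECTED_SIZE = 57344
DROPPED_FILES = {"load.exe", "admin.dll", "readme.eml"}
# The hijacked shell= line from step 6 (case-insensitive, one line).
HIJACKED_SHELL = re.compile(
    r"^[ \t]*shell[ \t]*=[ \t]*explorer\.exe[ \t]+load\.exe[ \t]+-dontrunold[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def check_system_ini(text):
    """Return (hijacked, repaired_text).

    If the shell= line still carries the worm's load.exe entry, the repaired
    text restores the plain 'shell=explorer.exe' from step 6; otherwise the
    text comes back unchanged.
    """
    if HIJACKED_SHELL.search(text):
        return True, HIJACKED_SHELL.sub("shell=explorer.exe", text)
    return False, text


def scan_tree(root):
    """Walk one drive tree and report artifacts that steps 2 to 5 say to remove.

    Returns a sorted list of (finding, path) tuples; an empty list means the
    file-level indicators are gone. A Riched20.dll of any other size (e.g. the
    clean ~100K copy installed in step 4) is not reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_FILES:
                findings.append(("dropped file", path))
            elif lower == "riched20.dll" and os.path.getsize(path) == INFECTED_SIZE:
                findings.append(("trojanized riched20.dll", path))
            elif lower.endswith(".tmp.exe"):
                findings.append(("worm temp executable", path))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed, harmless directory that mimics an infected drive.

    The files are zero-filled placeholders with the names and sizes the article
    gives; nothing here is worm code. Returns the temporary root path.
    """
    root = tempfile.mkdtemp(prefix="nimda_sample_")
    system_dir = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system_dir)
    placeholders = {
        os.path.join(system_dir, "load.exe"): b"\0" * INFECTED_SIZE,
        os.path.join(system_dir, "riched20.dll"): b"\0" * INFECTED_SIZE,
        os.path.join(root, "admin.dll"): b"\0" * 16,
        os.path.join(root, "readme.eml"): b"constructed placeholder, not a worm message\n",
        os.path.join(root, "WINDOWS", "sample.tmp.exe"): b"\0" * 16,  # stands in for xxx.tmp.exe
    }
    for path, data in placeholders.items():
        with open(path, "wb") as fh:
            fh.write(data)
    with open(os.path.join(root, "WINDOWS", "system.ini"), "w") as fh:
        fh.write("[boot]\nshell=explorer.exe load.exe -dontrunold\n\n[drivers]\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for kind, path in scan_tree(root):
        print(f"{kind}: {path}")
    with open(os.path.join(root, "WINDOWS", "system.ini")) as fh:
        hijacked, repaired = check_system_ini(fh.read())
    print("system.ini shell line hijacked:", hijacked)
    if hijacked:
        print("repaired system.ini:\n" + repaired)
```

On a real host, point `scan_tree` at each drive root named in step 5 and feed the contents of the Windows directory's system.ini to `check_system_ini`; writing the repaired text back is left to the responder so that the change stays deliberate.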
The large-scale outbreaks of recent viruses show that their spread relies mainly on system vulnerabilities. Nimda, for instance, uses the Microsoft Web Folder Traversal vulnerability (also used by the W32/CodeBlue virus) and the Microsoft Incorrect MIME Header vulnerability, and it also makes use of the back door left behind by the W32/CodeRed.c worm. If the server's security is high enough, leaving no exploitable vulnerability or weakness, neither Nimda nor its future successors have any way to attack or propagate. So the fundamental way to eradicate Nimda and other hacker worms is to improve the security of the server system itself.