Detections
Analytics
Nimda Worm Infected HTML File Detection
critical Nessus Plugin ID 10767
Synopsis
The remote host may have been compromised.Description
The remote web server appears to have been compromised by the Nimda mass mailing worm. It uses various known IIS vulnerabilities to compromise the server.Visitors to such a compromised web server may be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment.
In addition, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.
Note that this plugin only looks for the presence of the string injected by the Nimda worm on the remote web server and may result in false positives.
Solution
Take this server offline immediately, rebuild it and apply ALL vendor patches and security updates before reconnecting it to the Internet, as well as security settings discussed in the Additional Information section of MS01-044.See Also
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044
Plugin Details
Severity: Critical
ID: 10767
File Name: nimda.nasl
Version: 1.33
Type: remote
Family: CGI abuses
Published: 9/19/2001
Updated: 1/19/2021
Supported Sensors: Nessus
Risk Information
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C