The Nimda virus’ main effect is the slowing down of the computer.

What is the Nimda Virus?: Complete Explanation

The Nimda virus is malware that first surfaced in September 2001, causing computer and network slowdowns as it tore through the digital world. It targets computers running early versions of Windows, including 95, 98, NT, XP, and 2000. Nimda caused hundreds of millions of dollars in damage costs before security experts released patches for the weaknesses it exploited.

Nimda’s primary goal is to spread itself through any means possible. It doesn’t delete files or cause other harmful effects besides the chaos resulting from its slowdown of CPUs and network traffic.

It’s particularly effective because it combines techniques from the top three kinds of malware that hackers use to cripple computers: worms, viruses, and Trojan horses.

  • A computer worm is a small program that can spread itself across a network without action from a human user. Nimda’s worm-like capabilities enable it to run malicious code from an email attachment’s preview pane without the user opening the attachment.
  • A computer virus inserts duplicates of itself into other files and apps. Nimda has a file-infecting ability that puts copies of its code into DLLs and executable files.
  • A digital Trojan horse is an app that appears to perform a useful task while quietly executing malicious code. Nimda was the first malware to infect servers and turn their hosted websites into Trojan horses that made visitors’ browsers download a script containing the virus.

A few years after its discovery, computer safety researchers from F-Secure found a hidden text string in the Nimda code that read “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China.” Despite this suspiciously blatant implication, the true origin of the multi-vector worm is still uncertain.

The text also implies that the hacker who created Nimda intended it to be called “Concept Virus.” When researchers realized that name was already taken by another virus, they dubbed it “Nimda,” which is the reverse spelling of “admin,” a filename commonly used by the virus.

How Does the Nimda Virus Spread?

Nimda uses four main techniques to propagate itself:

  • Sharing infected files over open networks
  • Sending infected email attachments
  • Exploiting early versions of IIS, Microsoft Windows’ web server, to upload infected scripts to exposed web pages
  • Downloading infected scripts to the computers of users who browse infected web pages

The method this multi-vector worm uses to infect files is slightly different from that of most other viruses. Where the average virus takes over a file by placing a copy of its code inside the file, Nimda removes the original file, makes a copy of itself under the original filename, and then embeds the contents of the original file inside this new copy as a Windows resource. When the file is run, the worm's code loads first and then extracts and runs the original program.

This means Nimda's file-infecting code often reinfects already-contaminated files. There are cases where an infected file contains an embedded copy of another infected file, which contains yet another, which finally contains the original program. Antivirus researchers have logged cases of up to 250 reinfections in a single file.
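The nesting described above is easiest to see with a toy model. The following is an added example, not Nimda's code and not the real Windows resource format: an "infected" file is modelled as a constructed marker, a 4-byte length, and the embedded original, standing in for the resource Nimda used to carry the host program. The `peel` function is the cleaner's side of the problem: it strips layers until a clean file remains, counts how many layers there were, and refuses to continue on a malformed length or an absurd depth.

```python
"""Toy model of nested wrapper infection and of a cleaner that unwraps it.
Added illustration: MAGIC and the header layout are constructed for this
demo and do not correspond to any real executable or resource format."""
import struct

MAGIC = b"TOYWRAP"            # constructed marker standing in for the worm body
HEADER = struct.Struct(">I")  # big-endian length of the embedded original


def wrap_once(original: bytes) -> bytes:
    """Model one infection: the host becomes wrapper + embedded original."""
    return MAGIC + HEADER.pack(len(original)) + original


def is_wrapped(blob: bytes) -> bool:
    """A file is 'infected' in this model if it starts with the marker."""
    return blob.startswith(MAGIC) and len(blob) >= len(MAGIC) + HEADER.size


def peel(blob: bytes, max_depth: int = 1000):
    """Strip nested wrapper layers until a clean file remains.

    Returns (original_bytes, layers_removed).  Raises ValueError if the
    embedded length does not match the file or the nesting is deeper than
    max_depth, so a corrupt or hostile file cannot make the cleaner loop.
    """
    depth = 0
    while is_wrapped(blob):
        if depth >= max_depth:
            raise ValueError("too many nested layers; refusing to continue")
        (length,) = HEADER.unpack_from(blob, len(MAGIC))
        start = len(MAGIC) + HEADER.size
        if start + length != len(blob):
            raise ValueError("embedded length does not match file size")
        blob = blob[start:start + length]
        depth += 1
    return blob, depth


def demo():
    """Wrap a constructed 'program' 250 times (the count the article cites)
    and check that peel() recovers it exactly."""
    program = b"MZ original program bytes"  # constructed stand-in for a clean .exe
    infected = program
    for _ in range(250):
        infected = wrap_once(infected)
    recovered, layers = peel(infected)
    return recovered == program, layers, len(infected)


if __name__ == "__main__":
    print(demo())
```

Each layer adds only a header in this model, so 250 reinfections cost a few kilobytes here; with a real worm body copied at every layer the file grows by the full worm size each time, which is why heavily reinfected files were so much larger than the programs they replaced.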

Once Nimda infects a computer, it starts looking for ways to thoroughly propagate through that computer and any others on open local networks. It creates hidden files containing its code with the extension EML or NWS in as many folders as it can, usually naming these files “README,” “ADMIN,” “DESKTOP” or “SAMPLE.”

When it finds folders containing documents, it creates an infected file named “RICHED20.DLL” in the folder. This is because Windows tends to look for a local DLL with that name when it loads complex documents. When a user opens any document in the same folder as the infected DLL, Nimda has more opportunities to spread.

Next, Nimda looks for email addresses in the computer’s address book, inbox, and any HTML documents in its Temporary Internet Files folder. It collects as many as it can find and sends them all blank emails with empty or random subject lines containing infected attachments usually named “README.EXE.” When a recipient opens or even previews the attachment, its malicious code can start spreading the virus through the new machine.

Nimda also begins probing a range of IP addresses selected at random, looking for servers running exposed versions of Microsoft’s IIS. When it finds a way in, it starts placing embedded scripts with malicious code on as many web pages on the server as it can.

If a user with an exposed browser visits one of these infected pages, the page’s Nimda script will automatically download a README.EML file containing the computer worm’s malicious code. The file will then surreptitiously open in a minimized window, automatically executing its Nimda script, and the propagation process will begin again.
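The on-disk traces the preceding paragraphs describe (hidden README/ADMIN/DESKTOP/SAMPLE files with EML or NWS extensions, README.EXE copies, and a RICHED20.DLL planted in folders that contain documents) are the kind of indicators a host-side sweep can look for. The script below is an added example, not code from the article or from any vendor: it walks a directory tree and reports files matching those artifacts. The set of "document" extensions that trigger the RICHED20.DLL check is an assumption, since the article only says "complex documents"; the sample directory layout is constructed for the demo.

```python
"""Added example: sweep a directory tree for the file-system artifacts the
article attributes to Nimda.  Names, extensions and the sample layout are
taken from or assumed for this demo; nothing here is vendor code."""
import os
import tempfile

DROP_NAMES = {"readme", "admin", "desktop", "sample"}  # names cited in the article
DROP_EXTS = {".eml", ".nws"}                            # extensions cited in the article
DOCUMENT_EXTS = {".doc", ".rtf", ".txt", ".wri"}        # assumed 'complex document' types
PLANTED_DLL = "riched20.dll"


def classify(dirpath, filenames):
    """Return (reason, path) tuples for suspicious files in one directory."""
    findings = []
    lower = [f.lower() for f in filenames]
    has_documents = any(os.path.splitext(f)[1] in DOCUMENT_EXTS for f in lower)
    for name, lname in zip(filenames, lower):
        stem, ext = os.path.splitext(lname)
        path = os.path.join(dirpath, name)
        if stem in DROP_NAMES and ext in DROP_EXTS:
            findings.append(("worm drop file", path))
        elif lname == "readme.exe":
            findings.append(("mailed attachment copy", path))
        elif lname == PLANTED_DLL and has_documents:
            # A RICHED20.DLL next to documents is the planted copy; the
            # legitimate DLL lives in the system directory, not beside files.
            findings.append(("RICHED20.DLL planted next to documents", path))
    return findings


def scan_tree(root):
    """Walk root and collect findings from every directory, sorted for stability."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        findings.extend(classify(dirpath, files))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: a clean project folder, a folder with worm artifacts,
    a mail folder with an attachment copy, and a DLL with no documents nearby."""
    layout = {
        "projects/notes.txt": b"meeting notes",
        "projects/readme.md": b"project readme",       # benign: wrong extension
        "mail/README.EXE": b"constructed attachment",
        "shared/README.EML": b"constructed drop",
        "shared/admin.nws": b"constructed drop",
        "shared/report.doc": b"constructed document",
        "shared/RICHED20.DLL": b"constructed planted dll",
        "tools/riched20.dll": b"dll with no documents beside it",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir and return root-relative findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(why, os.path.relpath(p, root).replace(os.sep, "/"))
                for why, p in scan_tree(root)]


if __name__ == "__main__":
    for why, path in demo():
        print(f"{why}: {path}")
```

On Windows the drop files also carry the hidden attribute, so a production sweep would additionally check `FILE_ATTRIBUTE_HIDDEN` and would exclude the system directory, where a legitimate RICHED20.DLL is expected; a name match alone is a lead to verify with a hash or antivirus scan, not proof of infection.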

What Are the Effects and Damage Costs of the Nimda Virus?

The Nimda malware has subtly different effects depending on where the infection begins and how it arrives. Its destructive payload is limited to propagation tasks, which include file-infecting techniques and web content modification.

If an infected file slips through your network's defenses, you can end up with hundreds of machines containing thousands of infected or damaged files, making the multi-vector worm almost impossible to remove. If it propagates enough across a web server, it can indirectly cause denial-of-service events simply through the volume of traffic its processes generate.

In its initial boom, the Nimda virus propagated on nearly 160,000 systems. Multiple large companies had to disconnect their networks from the internet to avoid infection. Nimda found its way into the servers of some of the largest companies of the time, including Dell and Microsoft websites.

A few weeks after the first wave, another variant called “Nimda.e” infiltrated the computer systems of the federal court in Miami, Florida. Over Halloween week, court employees had to shut down their networks and go back to using paper files. The electronic files were eventually recovered after the local government hired an expert cybersecurity team to go through their systems and clean them out one by one. The same variant also got into the New York Times’ computer systems, forcing them to suspend operations for a couple of days.

Before antivirus companies came up with a patch, Nimda’s total damage cost was estimated to be around $600 million. For unpatched systems, the best way to get rid of the computer worm involved reformatting all contaminated hard drives and reinstalling all system software from scratch using safely patched versions.

How To Protect Your Computer From the Nimda Virus

The most important thing you can do to prevent infection by Nimda is to make sure your system software and Internet browser have all the latest security patches installed. For your safety, never open executable email attachments, especially from senders you don’t recognize, and treat even non-executable email attachments with suspicion.

If you think your computer or network has been infected, do the following:

  • Disconnect your computer from the Internet and your local network
  • Restore your system software from your most recent backup point or reformat your hard drives and reinstall everything using patched software versions
  • Scan your restored system with the latest antivirus software
  • If the scan comes up clean, you can reconnect to the Internet and your local network

Once you’ve thoroughly cleaned out your system, make sure to install antivirus protection from your favorite reputable provider.

The Best Antivirus Software for a Nimda Virus

The first company that came up with a tool to remove Nimda was a cybersecurity software provider called Symantec, which is now known as NortonLifeLock. Their original Nimda patch was called “FixNimda.com.” Their current antivirus products include the Norton Security Suite, which is dedicated to preventing and removing malware.


Since Nimda contains features resembling worms, viruses, and Trojan horses, a simple antivirus program may not be enough to keep it at bay. The security technologies specifically created to stop intrusions like Nimda include Host-Based Intrusion Detection/Prevention Systems (HIDS/HIPS) and Network-Based Intrusion Detection/Prevention Systems (NIDS/NIPS).

HIDS and HIPS keep an eye on local log files using signatures of known attack symptoms to identify suspicious activity and validate incoming network traffic. NIDS and NIPS oversee network traffic flow looking for symptoms of an active malware attack.

Most cybersecurity software today comes packaged as a comprehensive endpoint protection security suite rather than just a simple antivirus script. Antivirus software bundles usually include HIDS, HIPS, NIDS, and NIPS as well as other kinds of protection from viruses, worms, Trojan horses, malware, ransomware, etc.

If you run a server, you can also get a more specialized Intrusion Detection/Prevention System (IDS/IPS) like SolarWinds, OSSEC, or Fail2Ban. These will actively monitor your network log files and traffic for suspicious activity caused by Nimda and other intruders and alert you when something odd is going on or update your firewall rules to get rid of the threat.



The Nimda Virus: How It Works and How To Protect Yourself: Frequently Asked Questions

Is Nimda a worm or virus?

Nimda has features of a computer worm, as it’s able to automatically spread itself over networks without any user action. It also has features of a virus; it can infect programs with copies of itself.

How does the Nimda virus work?

Nimda’s main objective is to try to spread itself as much as possible, which it does by sending infected email attachments, sharing infected system files through open networks, and infecting websites via vulnerabilities in previous versions of Microsoft’s IIS server that have now been patched.

How can you protect yourself from a Nimda virus?

Most of the exploits Nimda had success with have been fixed, so make sure your operating system and browser are running the latest updates and that you have an antivirus security suite installed.

What is an example of a Nimda virus?

There are a number of variants of the Nimda virus, each with subtle changes to its malicious code and symptoms. An example of one of these is the Nimda.e variant, which sends infected email attachments named “SAMPLE.EXE” rather than “README.EXE.”

Who made the Nimda virus?

Nimda’s first variant includes a text line attributing it to “R.P.China.” The Nimda.d variant changed this line to read “Stephan Fernandez.Spain.” The true identity of the hacker who created it is still uncertain.

Where does a Nimda virus come from?

If a Nimda virus has infected your computer, it may have come from an infected email attachment, an infected website you browsed, or an infected computer on your shared network.

What damage does the Nimda virus do?

Nimda’s main effects involve slowing down the computers it infects as the multi-vector worm uses the computers’ resources to make as many copies of itself as it can. This manic propagation makes Nimda almost impossible to remove. The damage cost of reformatting and reinstalling software on all the systems it has infected has been estimated at around $600 million.

Why is it named the Nimda Virus?

A copyright text string in the Nimda Virus named it “Concept Virus.” There was already a virus by that name, so cybersecurity researchers began calling it “Nimda” after the reverse spelling of the files named “admin” that it tends to create on machines it infects.
