How to Set a Filter to Capture Only Nimda Frames in Network Monitor (317605)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q317605

SUMMARY

This article describes how to set a capture filter to capture only the first Nimda GET request frame in Network Monitor.

MORE INFORMATION

In some Microsoft-based networks, computers that are still infected with Nimda may continue to probe web servers. CERT Advisory CA-2001-26 ("Nimda Worm") states that the worm sends the following 16 HTTP GET requests:
     GET /scripts/root.exe?/c+dir
     GET /MSADC/root.exe?/c+dir
     GET /c/winnt/system32/cmd.exe?/c+dir
     GET /d/winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

This article describes how to set up a capture filter that matches the first of these GET requests:

GET /scripts/root.exe?/c+dir

To set up the capture filter:
  1. On the Capture menu, click Filter, and then double-click Pattern Matches.
  2. In the Pattern box, click the ASCII option, and then type root.exe. The pattern match is case-sensitive; root.exe is 726F6F742E657865 after it is converted to hexadecimal.
  3. In the Offset box, type 43, and then click From Start of Frame. The offset is hexadecimal: 0x43 is 67 decimal, which is 14 bytes of Ethernet header, 20 bytes of IP header, 20 bytes of TCP header, 4 bytes for "GET " and 9 bytes for "/scripts/". The filter therefore assumes untagged Ethernet II frames with no IP or TCP options, and it matches only the first of the 16 requests: the second request places root.exe at a different offset, and the remaining requests do not contain root.exe at all.
  4. Click OK, and then click OK.
  5. Start the capture.
For more information about how to use Network Monitor, see the Network Monitor Help file in the "Systems Management Server Administrator's Guide."
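The following Python script is an added illustration and is not part of the original article or of Network Monitor. It builds constructed sample frames with the same Ethernet, IP and TCP header values as the decoded frame below (checksums are left at zero), shows why the Offset box value 0x43 lands on root.exe, and contrasts the fixed-offset Pattern Match with a header-aware check that also catches the other 15 requests, VLAN-tagged frames and frames with TCP options. The VLAN ID and the TCP MSS option are assumptions chosen for the demonstration.

```python
import struct

# Constructed sample input (not from a real capture): the first Nimda probe,
# with the same headers as the decoded frame shown in the article.
NIMDA_PROBE = (b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"
               b"Host: www\r\nConnection: close\r\n\r\n")
PATTERN = b"root.exe"      # 72 6F 6F 74 2E 65 78 65
NETMON_OFFSET = 0x43       # the "43" typed into the Offset box, which is hexadecimal


def build_frame(payload, tcp_options=b"", vlan_tag=False):
    """Wrap payload in Ethernet II / IPv4 / TCP headers. Checksums are left at
    zero because this is a constructed sample, not a frame to transmit."""
    eth = bytes.fromhex("00C04F27CE94") + bytes.fromhex("00D0062C24A0")
    if vlan_tag:                       # optional 802.1Q tag, VLAN 100 (assumption)
        eth += b"\x81\x00" + struct.pack("!H", 100)
    eth += b"\x08\x00"                 # EtherType IP
    tcp_len = 20 + len(tcp_options)    # options must already be padded to 4 bytes
    tcp = struct.pack("!HHIIBBHHH", 1636, 80, 1447167973, 48848871,
                      (tcp_len // 4) << 4, 0x18, 17520, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0xFF7E, 0x4000, 125, 6, 0,
                     bytes([10, 57, 133, 198]), bytes([10, 57, 138, 145]))
    return eth + ip + tcp + payload


def netmon_style_match(frame, pattern=PATTERN, offset=NETMON_OFFSET):
    """What the article's Pattern Match filter does: compare bytes at a fixed
    offset from the start of the frame, nothing else."""
    return frame[offset:offset + len(pattern)] == pattern


def tcp_payload(frame):
    """Header-aware alternative: walk the Ethernet header (with optional 802.1Q
    tag), the IPv4 IHL and the TCP data offset to find where HTTP data starts.
    Returns (offset, payload), or None if the frame is not IPv4/TCP."""
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if ethertype == 0x8100:            # 802.1Q tag: skip TCI, read the real EtherType
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4      # IP header length from the IHL field
    if frame[off + 9] != 6:            # protocol must be TCP
        return None
    off += ihl
    off += (frame[off + 12] >> 4) * 4  # TCP header length from the data offset field
    return off, frame[off:]


def is_nimda_probe(frame):
    """True for any of the 16 CA-2001-26 requests: a GET whose URI names
    root.exe or cmd.exe and carries the ?/c+dir argument."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return False
    _, payload = parsed
    if not payload.startswith(b"GET "):
        return False
    uri = payload.split(b" ", 2)[1]
    return uri.endswith(b"?/c+dir") and (b"root.exe" in uri or b"cmd.exe" in uri)


def pattern_offset(frame, pattern=PATTERN):
    """Where the pattern actually sits in this frame (-1 if absent)."""
    return frame.find(pattern)


if __name__ == "__main__":
    cases = {
        "plain": build_frame(NIMDA_PROBE),
        "tcp mss option": build_frame(NIMDA_PROBE, tcp_options=b"\x02\x04\x05\xb4"),
        "vlan tagged": build_frame(NIMDA_PROBE, vlan_tag=True),
        "cmd.exe probe": build_frame(
            b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
        "benign": build_frame(b"GET /index.html HTTP/1.0\r\n\r\n"),
    }
    for name, frame in cases.items():
        print(f"{name:15s} root.exe at {pattern_offset(frame):3d}  "
              f"fixed-offset={netmon_style_match(frame)!s:5s}  "
              f"header-aware={is_nimda_probe(frame)}")
```

Running the script shows root.exe at byte 67 (0x43) in the plain frame, where the Pattern Match succeeds, and at byte 71 once a 4-byte TCP option or a VLAN tag is present, where the fixed-offset filter silently misses the probe; the header-aware check matches all of these and the cmd.exe variants, and rejects an ordinary GET.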

Example of the Complete Frame

1 1044.932539 00D0062C24A0 LOCAL HTTP GET Request (from client using port 1636) NimdaHost WebServer IP 
Frame: Base frame properties
    Frame: Time of capture = 2/1/2002 13:8:0.266
    Frame: Time delta from previous physical frame: 0 microseconds
    Frame: Frame number: 1
    Frame: Total frame length: 126 bytes
    Frame: Capture frame length: 126 bytes
    Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    ETHERNET: Destination address : 00C04F27CE94
    ETHERNET: .......0 = Individual address
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Source address : 00D0062C24A0
    ETHERNET: .......0 = No routing information present
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Frame Length : 126 (0x007E)
    ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
    ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0xFF7E; Proto = TCP; Len: 112
    IP: Version = 4 (0x4)
    IP: Header Length = 20 (0x14)
    IP: Precedence = Routine
    IP: Type of Service = Normal Service
    IP: Total Length = 112 (0x70)
    IP: Identification = 65406 (0xFF7E)
    IP: Flags Summary = 2 (0x2)
        IP: .......0 = Last fragment in datagram
        IP: ......1. = Cannot fragment datagram
    IP: Fragment Offset = 0 (0x0) bytes
    IP: Time to Live = 125 (0x7D)
    IP: Protocol = TCP - Transmission Control
    IP: Checksum = 0xB33E
    IP: Source Address = 10.57.133.198
    IP: Destination Address = 10.57.138.145
    IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len:   72, seq:1447167973-1447168045, ack:  48848871, win:17520, src: 1636  dst:   80 
    TCP: Source Port = 0x0664
    TCP: Destination Port = Hypertext Transfer Protocol
    TCP: Sequence Number = 1447167973 (0x564207E5)
    TCP: Acknowledgement Number = 48848871 (0x2E95FE7)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x18 : .AP...
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....1... = Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 17520 (0x4470)
    TCP: Checksum = 0x7BCA
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Data: Number of data bytes remaining = 72 (0x0048)
HTTP: GET Request (from client using port 1636)
    HTTP: Request Method = GET
    HTTP: Uniform Resource Identifier = /scripts/root.exe?/c+dir
    HTTP: Protocol Version = HTTP/1.0
    HTTP: Host = www
    HTTP: Undocumented Header = Connection: close
        HTTP: Undocumented Header Fieldname = Connection
        HTTP: Undocumented Header Value = close

Modification Type: Major
Last Reviewed: 11/20/2003
Keywords: kbenv kbhowto kbnetwork KB317605