How to Set a Filter to Capture Only Nimda Frames in Network Monitor

Article ID: 317605
This article was previously published under Q317605
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY

This article describes how to set a capture filter to capture only the first Nimda GET request frame in Network Monitor.

MORE INFORMATION

On some Microsoft-based networks, a remnant of Nimda-infected computers may still be operating. The CERT Advisory CA-2001-26, "Nimda Worm," states that the Nimda worm sends the following 16 HTTP GET requests:
     GET /scripts/root.exe?/c+dir
     GET /MSADC/root.exe?/c+dir
     GET /c/winnt/system32/cmd.exe?/c+dir
     GET /d/winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
				
The capture filter described here matches only the first of these GET requests:
GET /scripts/root.exe?/c+dir
To set up a capture filter with the criteria of this GET request:
  1. On the Capture menu, click Filter, and then double-click Pattern Matches.
  2. In the Pattern box, click the ASCII option, and then type root.exe. Note that the pattern is case-sensitive; root.exe is 726F6F742E657865 after it is converted to hexadecimal.
  3. In the Offset box, type 43, and then click From Start of Frame.
  4. Click OK in each of the two dialog boxes.
  5. Start the capture.
For more information about how to use Network Monitor, see the Network Monitor Help file in the "Systems Management Server Administrator's Guide."

Example of the Complete Frame

1 1044.932539 00D0062C24A0 LOCAL HTTP GET Request (from client using port 1636) NimdaHost WebServer IP 
Frame: Base frame properties
    Frame: Time of capture = 2/1/2002 13:8:0.266
    Frame: Time delta from previous physical frame: 0 microseconds
    Frame: Frame number: 1
    Frame: Total frame length: 126 bytes
    Frame: Capture frame length: 126 bytes
    Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    ETHERNET: Destination address : 00C04F27CE94
    ETHERNET: .......0 = Individual address
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Source address : 00D0062C24A0
    ETHERNET: .......0 = No routing information present
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Frame Length : 126 (0x007E)
    ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
    ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0xFF7E; Proto = TCP; Len: 112
    IP: Version = 4 (0x4)
    IP: Header Length = 20 (0x14)
    IP: Precedence = Routine
    IP: Type of Service = Normal Service
    IP: Total Length = 112 (0x70)
    IP: Identification = 65406 (0xFF7E)
    IP: Flags Summary = 2 (0x2)
        IP: .......0 = Last fragment in datagram
        IP: ......1. = Cannot fragment datagram
    IP: Fragment Offset = 0 (0x0) bytes
    IP: Time to Live = 125 (0x7D)
    IP: Protocol = TCP - Transmission Control
    IP: Checksum = 0xB33E
    IP: Source Address = 10.57.133.198
    IP: Destination Address = 10.57.138.145
    IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len:   72, seq:1447167973-1447168045, ack:  48848871, win:17520, src: 1636  dst:   80 
    TCP: Source Port = 0x0664
    TCP: Destination Port = Hypertext Transfer Protocol
    TCP: Sequence Number = 1447167973 (0x564207E5)
    TCP: Acknowledgement Number = 48848871 (0x2E95FE7)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x18 : .AP...
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....1... = Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 17520 (0x4470)
    TCP: Checksum = 0x7BCA
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Data: Number of data bytes remaining = 72 (0x0048)
HTTP: GET Request (from client using port 1636)
    HTTP: Request Method = GET
    HTTP: Uniform Resource Identifier = /scripts/root.exe?/c+dir
    HTTP: Protocol Version = HTTP/1.0
    HTTP: Host = www
    HTTP: Undocumented Header = Connection: close
        HTTP: Undocumented Header Fieldname = Connection
        HTTP: Undocumented Header Value = close
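The following Python script is an added example, not part of the original article, that reproduces the arithmetic behind the filter and shows its main limitation. It treats the article's offset 43 as hexadecimal (0x43 = 67 decimal), which is the only reading consistent with the decoded frame above: 14 bytes of Ethernet header, a 20-byte IP header, a 20-byte TCP header, and the 13 bytes of "GET /scripts/" that precede root.exe. The MAC and IP addresses, ports and sequence numbers are copied from the decoded frame; the request payload is constructed from the decoded HTTP fields, and checksums are left as zero because nothing here validates them. A fixed-offset pattern match (what the Network Monitor filter does) is compared with a header-aware search that reads the IP header length and the TCP data offset, so a request carried in a segment with TCP options is still found.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II header, as in the decoded frame (no VLAN tag)

# Addresses and header values copied from the article's decoded frame
SRC_MAC = bytes.fromhex("00D0062C24A0")
DST_MAC = bytes.fromhex("00C04F27CE94")
SRC_IP = bytes([10, 57, 133, 198])
DST_IP = bytes([10, 57, 138, 145])

# Constructed request payload built from the decoded HTTP fields
NIMDA_REQUEST = (b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"
                 b"Host: www\r\nConnection: close\r\n\r\n")
PATTERN = b"root.exe"


def pattern_hex(pattern: bytes) -> str:
    """Hex form of an ASCII pattern, as Network Monitor displays it."""
    return pattern.hex().upper()


def fixed_offset(request: bytes, pattern: bytes,
                 ip_hdr_len: int = 20, tcp_hdr_len: int = 20) -> int:
    """Frame offset of `pattern` when the IP and TCP headers have the given lengths."""
    return ETH_HDR_LEN + ip_hdr_len + tcp_hdr_len + request.index(pattern)


def build_frame(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Construct an Ethernet/IPv4/TCP frame around `payload` (checksums left zero)."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ip_len = 20 + len(ip_options)
    tcp_len = 20 + len(tcp_options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x40 | (ip_len // 4), 0, ip_len + tcp_len + len(payload),
                         0xFF7E, 0x4000, 125, 6, 0, SRC_IP, DST_IP) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          1636, 80, 1447167973, 48848871,
                          (tcp_len // 4) << 4, 0x18, 17520, 0, 0) + tcp_options
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip_hdr + tcp_hdr + payload


def fixed_offset_match(frame: bytes, pattern: bytes, offset: int) -> bool:
    """What the Network Monitor pattern filter does: compare bytes at one fixed offset."""
    return frame[offset:offset + len(pattern)] == pattern


def header_aware_match(frame: bytes, pattern: bytes) -> bool:
    """Follow the real header lengths (IHL, TCP data offset) and search the TCP payload."""
    if len(frame) < ETH_HDR_LEN + 40 or frame[12:14] != b"\x08\x00":
        return False                      # too short, or not IPv4
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
    if ip[9] != 6:
        return False                      # not TCP
    tcp = ip[ihl:]
    data_offset = (tcp[12] >> 4) * 4      # TCP header length in bytes
    return pattern in tcp[data_offset:]


if __name__ == "__main__":
    print(pattern_hex(PATTERN), hex(fixed_offset(NIMDA_REQUEST, PATTERN)))
    plain = build_frame(NIMDA_REQUEST)
    # NOP, NOP, timestamp (12 bytes of TCP options): shifts the payload start by 12 bytes
    with_opts = build_frame(NIMDA_REQUEST,
                            tcp_options=bytes.fromhex("0101080a0000000100000000"))
    for name, frame in (("plain", plain), ("tcp-options", with_opts)):
        print(name, fixed_offset_match(frame, PATTERN, 0x43),
              header_aware_match(frame, PATTERN))
```

Because the Network Monitor filter compares bytes at a fixed offset, any IP or TCP options, a VLAN tag, or a request split across segments moves root.exe away from 0x43 and the frame is not captured; the header-aware function shows what a parser has to do to avoid that blind spot. Conversely, any request whose URI begins with /scripts/root.exe also matches, so captured frames should be inspected rather than treated as proof of an infected host.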
				

Properties

Article ID: 317605 - Last Review: October 24, 2013 - Revision: 3.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbnosurvey kbarchive kbenv kbhowto kbnetwork KB317605
