How to Set a Filter to Capture Only Nimda Frames in Network Monitor

This article was previously published under Q317605
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY
This article describes how to set a capture filter to capture only the first Nimda GET request frame in Network Monitor.
MORE INFORMATION
In some Microsoft-based networks, a remnant of Nimda-infected computers may still be operating. The CERT Advisory CA-2001-26 Nimda Worm document states that the Nimda worm sends the following 16 HTTP GET requests:
     GET /scripts/root.exe?/c+dir
     GET /MSADC/root.exe?/c+dir
     GET /c/winnt/system32/cmd.exe?/c+dir
     GET /d/winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
     GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
     GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
This article describes how to set up a capture filter with the criteria of the first GET request:
GET /scripts/root.exe?/c+dir
To set up a capture filter with the criteria of the first GET request:
  1. On the Capture menu, click Filter, and then double-click Pattern Matches.
  2. In the Pattern box, click the ASCII option, and then type root.exe. Note that the pattern match is case-sensitive; root.exe is 726F6F742E657865 after it is converted to hexadecimal.
  3. In the Offset box, type 43, and then click From Start of Frame.
  4. Click OK, and then click OK.
  5. Start the capture.
For more information about how to use Network Monitor, see the Network Monitor Help file in the "Systems Management Server Administrator's Guide."
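The following Python is an added illustration, not code from the article: it builds a constructed frame with the same layout as the example frame (14-byte Ethernet header, 20-byte IP header, 20-byte TCP header, then the first Nimda GET) and evaluates the Pattern Matches filter the way the steps above configure it. It assumes the Offset box takes a hexadecimal value, which is the reading under which 43 lands on root.exe (0x43 = 67 = 14 + 20 + 20 + the 13 bytes of "GET /scripts/"), and it also shows that a request carrying TCP options moves the pattern past the fixed offset, so such a frame would not be captured.

```python
import struct

# Constructed frame builder (added example, not the article's own code). Header
# sizes, ports, sequence numbers and addresses follow the article's example frame.
ETH_HDR = (bytes.fromhex("00C04F27CE94")        # destination MAC
           + bytes.fromhex("00D0062C24A0")      # source MAC
           + b"\x08\x00")                       # EtherType 0x0800 = IP

def build_frame(uri, tcp_options=b""):
    """Ethernet/IP/TCP frame carrying an HTTP/1.0 GET for `uri`."""
    payload = f"GET {uri} HTTP/1.0\r\nHost: www\r\nConnection: close\r\n\r\n".encode()
    tcp_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH", 1636, 80, 0x564207E5, 0x2E95FE7,
                      (tcp_len // 4) << 4, 0x18, 17520, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0xFF7E, 0x4000, 125, 6, 0,
                     bytes([10, 57, 133, 198]), bytes([10, 57, 138, 145]))
    return ETH_HDR + ip + tcp + payload

def netmon_pattern_match(frame, pattern_hex, offset_hex):
    """Evaluate a 'Pattern Matches' filter as the article configures it:
    pattern bytes at a fixed offset from the start of the frame. Both values
    are taken as hex strings (assumed to be how the dialog reads them)."""
    pattern = bytes.fromhex(pattern_hex)
    offset = int(offset_hex, 16)
    return frame[offset:offset + len(pattern)] == pattern

def pattern_offset(frame, pattern):
    """Locate `pattern` in the TCP payload by parsing the real header lengths
    (IP IHL nibble, TCP data-offset nibble); returns -1 if absent."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame.find(pattern, tcp_start + data_off)

if __name__ == "__main__":
    nimda = build_frame("/scripts/root.exe?/c+dir")
    print(hex(pattern_offset(nimda, b"root.exe")))                # 0x43
    print(netmon_pattern_match(nimda, "726F6F742E657865", "43"))  # True
    # Same request with a 12-byte TCP timestamp option (NOP, NOP, kind 8, len 10):
    # the pattern moves to 0x4f and the fixed-offset filter no longer fires.
    ts_opt = b"\x01\x01\x08\x0a" + bytes(8)
    shifted = build_frame("/scripts/root.exe?/c+dir", tcp_options=ts_opt)
    print(hex(pattern_offset(shifted, b"root.exe")))                # 0x4f
    print(netmon_pattern_match(shifted, "726F6F742E657865", "43"))  # False
```

A filter keyed on a fixed frame offset is therefore only as reliable as the header layout it was measured against; a capture that must also catch requests sent with IP or TCP options needs either additional pattern entries at the shifted offsets or a post-capture display filter on the HTTP URI.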

Example of the Complete Frame

1 1044.932539 00D0062C24A0 LOCAL HTTP GET Request (from client using port 1636) NimdaHost WebServer IP
Frame: Base frame properties
    Frame: Time of capture = 2/1/2002 13:8:0.266
    Frame: Time delta from previous physical frame: 0 microseconds
    Frame: Frame number: 1
    Frame: Total frame length: 126 bytes
    Frame: Capture frame length: 126 bytes
    Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    ETHERNET: Destination address : 00C04F27CE94
    ETHERNET: .......0 = Individual address
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Source address : 00D0062C24A0
    ETHERNET: .......0 = No routing information present
    ETHERNET: ......0. = Universally administered address
    ETHERNET: Frame Length : 126 (0x007E)
    ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
    ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0xFF7E; Proto = TCP; Len: 112
    IP: Version = 4 (0x4)
    IP: Header Length = 20 (0x14)
    IP: Precedence = Routine
    IP: Type of Service = Normal Service
    IP: Total Length = 112 (0x70)
    IP: Identification = 65406 (0xFF7E)
    IP: Flags Summary = 2 (0x2)
        IP: .......0 = Last fragment in datagram
        IP: ......1. = Cannot fragment datagram
    IP: Fragment Offset = 0 (0x0) bytes
    IP: Time to Live = 125 (0x7D)
    IP: Protocol = TCP - Transmission Control
    IP: Checksum = 0xB33E
    IP: Source Address = 10.57.133.198
    IP: Destination Address = 10.57.138.145
    IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len:   72, seq:1447167973-1447168045, ack:  48848871, win:17520, src: 1636  dst:   80
    TCP: Source Port = 0x0664
    TCP: Destination Port = Hypertext Transfer Protocol
    TCP: Sequence Number = 1447167973 (0x564207E5)
    TCP: Acknowledgement Number = 48848871 (0x2E95FE7)
    TCP: Data Offset = 20 (0x14)
    TCP: Reserved = 0 (0x0000)
    TCP: Flags = 0x18 : .AP...
        TCP: ..0..... = No urgent data
        TCP: ...1.... = Acknowledgement field significant
        TCP: ....1... = Push function
        TCP: .....0.. = No Reset
        TCP: ......0. = No Synchronize
        TCP: .......0 = No Fin
    TCP: Window = 17520 (0x4470)
    TCP: Checksum = 0x7BCA
    TCP: Urgent Pointer = 0 (0x0)
    TCP: Data: Number of data bytes remaining = 72 (0x0048)
HTTP: GET Request (from client using port 1636)
    HTTP: Request Method = GET
    HTTP: Uniform Resource Identifier = /scripts/root.exe?/c+dir
    HTTP: Protocol Version = HTTP/1.0
    HTTP: Host = www
    HTTP: Undocumented Header = Connection: close
        HTTP: Undocumented Header Fieldname = Connection
        HTTP: Undocumented Header Value = close
Properties

Article ID: 317605 - Last Review: 10/24/2013 09:45:33 - Revision: 3.2

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition