

Anthrax on the Internet


The anthrax mailings and the Nimda worm
were released on exactly the same two dates.

The Nimda Worm

Nimda combined many malicious code techniques into a devastating punch that infected 2.2 million systems in its first 24 hours in the wild.

Nimda, which is Admin spelled backwards, used four means of spreading (propagation vectors, in industry-speak):

Scanning: Nimda-infected systems scan a network looking for unpatched Microsoft Internet Information Server (IIS) systems. Nimda then uses a specific exploit, called the Unicode Web Traversal exploit, to gain control of the target server.

Email: Nimda gathers email addresses from the mailboxes of any MAPI-based email system. Nimda then formats messages to these addresses using both the To: and the From: fields so the From: address will not be from the infected user.

The worm also has its own SMTP server to send out the emails, thus avoiding Exchange or Notes servers.

When Nimda arrives in an email, it uses a MIME exploit that allows it to execute just by reading the infected message or opening the message in a preview pane.

Browsing: Visitors to a Nimda-infected Web server are asked to download an Outlook Express email file which contains the worm as a readme attachment. It then activates using the email technique described above.

Network Shares: Nimda creates open network shares on the target system (desktop or server), allowing complete access to that system at a later date.
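For the scanning vector above, a defender can canonicalise each logged request path and flag the ones that only resolve to a traversal after decoding. The following is an added example, not code from the original page; it assumes the widely documented form of this class of flaw, in which an overlong or doubly percent-encoded path separator slips past a server-side path check, and the log layout and sample requests are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines (client, method, raw URI); not taken from the page.
SAMPLE_LOG = """\
192.0.2.10 GET /index.html
192.0.2.10 GET /images/caf%C3%A9.png
192.0.2.77 GET /scripts/..%c0%af../private/file.txt
192.0.2.77 GET /scripts/..%255c../private/file.txt
192.0.2.77 GET /scripts/%2e%2e/private/file.txt
"""

def classify(raw_uri, max_rounds=3):
    """Return a verdict for one raw request URI."""
    data = raw_uri.split("?", 1)[0].encode("latin-1", "replace")
    rounds = 0
    while rounds < max_rounds:            # decode until stable, counting the layers
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    try:
        path = data.decode("utf-8")       # strict decoder rejects overlong forms (C0 AF)
    except UnicodeDecodeError:
        return "invalid-utf8"
    if ".." in re.split(r"[\\/]", path):  # treat both slash kinds as separators
        return "double-encoded-traversal" if rounds > 1 else "traversal"
    return "double-encoded" if rounds > 1 else "ok"

def scan(log_text):
    """Return (client, verdict, uri) for every request that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        client, _method, uri = line.split(" ", 2)
        verdict = classify(uri)
        if verdict != "ok":
            hits.append((client, verdict, uri))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Several non-ok verdicts from one client within a short window match the constant scanning for new targets that the page describes.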

After the Infection

In the past, viruses existed mainly to propagate themselves, although some were specifically crafted to perform damage via the delivery of their payload to the infected system.

Hybrid threats are much more dangerous. In fact, so many servers and desktops were infected with Nimda that the email traffic and constant scanning for new targets created a mini "denial of service" condition for those networks.

Typical post-infection actions include:

Increasing the remote access exposure of the infected machine;

Hiding evidence of infection and removing audit trails;

Placing backdoors for future unauthorized access;

Rolling back existing security measures;

Or hiding the presence of malicious code by moving the illicit program into stealth, or hibernation, mode until it is needed.

Other hybrid threat activities include clearing system logs of evidence of infection, changing file and registry settings, reformatting or altering drives, files and data, corrupting databases, denying access to critical system functions or applications, and enabling remote access and control of the infected host.

The hybrid, as demonstrated by Code Red, Nimda, BadTrans, and others, is a malicious program composed of a combination of formerly stand-alone information security threats.

Viruses, worms, trojans and hacker techniques have been merged into automated, multi-headed attack tools that rapidly propagate across the Internet to cause huge amounts of economic damage.

For example, Nimda infected over 2.2 million PCs and servers in 24 hours after its release to the wild in September 2001 (Computer Economics), incurring over $530M in damages via downtime and cleanup. Code Red clocked in at an even more staggering figure: an estimated $2.6 billion of damage.


In September 2001, Nimda raised new alarms by using five different ways to spread to 450,000 hosts within the first 12 hours.

Nimda seemed to signal a new level of worm sophistication.

It found e-mail addresses from the computer Web cache and default
Messaging Application Programming Interface (MAPI) mailbox.

It sent itself by e-mail with random subjects and an attachment named
readme.exe. If the target system supported the automatic execution
of embedded MIME types, the attached worm would be automatically
executed and infect the target.

It infected Microsoft IIS Web servers, selected at random, through a
buffer overflow attack called a Unicode Web traversal exploit.

It copied itself across open network shares. On an infected server, the
worm wrote Multipurpose Internet Mail Extensions (MIME)-encoded
copies of itself to every directory, including network shares.

It added JavaScript to Web pages to infect any Web browsers going
to that Website.

It looked for backdoors left by previous Code Red II and Sadmind worms.
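For the e-mail vector described above (an attachment named readme.exe that runs when the client auto-handles its declared MIME type), a mail gateway can compare what each part claims to be with what it actually carries. The following is an added example, not code from the original page; the extension list, the passive-type list and the sample message (including its audio/x-wav label) are constructed assumptions.

```python
import email
from email import policy

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".vbs")
PASSIVE_TYPES = ("audio", "image", "video", "text")

# Constructed sample message (not from the page); payloads are only file-magic stubs.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: image/png; name="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUND--
"""

def suspicious_parts(raw):
    """Return (filename, declared type, reasons) for each part that looks disguised."""
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        maintype = part.get_content_maintype()
        body = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(EXECUTABLE_EXT) and maintype in PASSIVE_TYPES:
            reasons.append("executable name under passive media type")
        if body[:2] == b"MZ" and maintype != "application":
            reasons.append("PE header under non-application type")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings
```

Checking the decoded payload as well as the filename catches a renamed attachment that keeps a harmless-looking media type.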


"The anthrax mailings and the Nimda worm were released on exactly the same two dates.

Moreover, they were distributed via essentially the same method, and they shared a common apparent purpose.....

Released on the Same Dates

The anthrax-laden letters were postmarked on Sept. 18 and Oct. 9, 2001.

These are precisely the same dates that the destructive Nimda worm and a new variant of this worm called Nimda.B were released on the Internet.

Sept. 18 was the date that the Nimda worm was released on the Internet, and Oct. 9 was the date that the Nimda.B variant was released.

Same Method
Both involve mailing (either by the Postal Service or by e-mail) a destructive payload to unsuspecting individuals. Although the two attacks (anthrax and Nimda) appear at first glance to be very different from one another, a similar mind-set seems to underlie both."


"To: Khan Noonian Singh; genefromjersey; John Faust; Battle Axe; Allan; Shermy; TrebleRebel
So what observations have *you* noticed that you have not posted or that may not be known widely?
Here's something I noticed.

Khan, in a posting of yours in July, 2004, you made the claim that there was an "ineffective anthrax attack at end of February of 2003." You then elaborated, as follows:

"Has been dubbed weaponised or semiweaponised.
Was thought to have encompassed both a letter campaign with threatening messages and an outdoor delivery trial.
Best estimate of date is 24 Feb 2003." [Boldface added.]
Links: and
What I noticed was that the same date (Feb. 24, 2003) had occurred in an earlier FR discussion about the possible connection between the anthrax mailings and Internet worms/viruses. [I have placed all the instances of the date Feb. 24, 2003, in this posting in boldface, to make it easy to spot them.]

Before proceeding, a bit on the Nimda worm: It is known that the destructive Nimda worm was released on Sept. 18, 2001, exactly one week after the 9/11 attack (one week to the minute, as closely as one can tell). The destructiveness of this worm on the heels of 9/11 was sufficient that John Ashcroft made a televised statement on Sept. 18 that the worm was not known to be terrorist-related. Something no one knew on that date was that Sept. 18, 2001, was also the postmark date of the anthrax mailings to NBC News and the NY Post. In addition, a variant called Nimda.B was released some time between Oct. 5 and 9, 2001, matching the mailing date of the second set of anthrax letters. (Neither Nimda.B nor the second set of anthrax letters can be dated precisely.) This was observed in early November, 2001, but to this date it is not known whether Nimda and the anthrax mailings were really connected or whether it was a coincidence. (It's perhaps worthy of comment that both the Nimda and anthrax attacks involved putting a destructive payload in mail, whether e-mail or postal mail.)

Fast-forward two years, to late Dec., 2003. Frequent FR reincarnatee Van der Waals, who had expressed interest in the Nimda theory, noted that the Swen computer worm had been released on Sept. 18, 2003, and that a variant of Swen had been released on Oct. 9, 2003. These are the anniversaries of the two known anthrax mailings. The HTML used by the worm makes use of the code word "bacillus". Here's the link to this posting of Van der Waals:

I replied to Van der Waals, in Here's part of what I wrote at the time (Dec. 20, 2003):

... note that the worm called Swen is apparently the latest incarnation of the earlier Gibe worm, so 9/18/2003 and 10/9/2003 are just the latest two dates in a longer series of release dates.
So, here are three possibilities regarding Swen:

Possibility 1. The dates are just a coincidence. If you look, you can find many things that happened on Sept. 18, and some that happened on both Sept. 18 and Oct. 9 in some year.
Possibility 2. Someone who had nothing to do with the anthrax mailings intentionally picked the anniversary dates, just because he thought it would be a cool thing to do.
Possibility 3. Someone who had something to do with the anthrax mailings picked those dates on purpose. But why would he do that? Two possible reasons:
Possibility 3(a). Disinformation. This presupposes that the Nimda theory is false; the purpose of Swen would then be to divert resources into investigation of a (false) Nimda connection to the anthrax mailings.
Possibility 3(b). To draw attention to the earlier release dates of Gibe/Swen:

Mar. 4, 2002
Feb. 24, 2003
(There were also minor follow-up variants released on Mar. 16, 2003, and Mar. 24, 2003.)
Why draw attention to these earlier dates? I don't know, but that attention to the earlier Gibe-worm release dates is a predictable consequence of the later Swen releases on the anthrax anniversary dates. In this theory 3(b), it's as if someone is saying: "Look at the release dates!"
My guess is that it's just a coincidence - Possibility 1.
As you can see, the Feb. 24, 2003, release date of Gibe coincides with Khan Noonian Singh's purported "ineffective anthrax attack." Possibility 3(b) specifically pointed out the date Feb. 24, 2003, as a date of interest.

44 posted on 11/26/2004 12:18:00 AM PST by Mitchell"



(C) 2004 2005 All Things Anthrax

FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of criminal justice, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.