
NIMDA WORM SPREADS RAPIDLY

Virus Name   : W32.Nimda.A@mm
Alias        : I-Worm.Nimda.A, W32.Nimda.Worm, W32/Nimda-A, PE_Nimda.A
Virus type   : Internet, IIS, e-mail worm
Threat level : Medium

Virus details :

Nimda is a mass-mailing worm that uses several techniques to spread. It infects network shares, local PE files and vulnerable Microsoft IIS web servers. Because of the IIS server infection it generates heavy network traffic. Nimda also uses the trojan dropped by CodeRed to find target servers.

The worm uses the Unicode Web Traversal exploit to infect IIS servers. Web administrators are requested to install the patch from the Microsoft link http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. The worm uses a MIME exploit to infect IE users: when the worm arrives by e-mail, this security hole allows the virus to be executed just by reading or previewing the message. Windows 95/98/ME users are requested to install the patch http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

Nimda scans random IP addresses to find servers to infect. When a host is found to be vulnerable, the worm instructs that machine to download the worm code Admin.dll from the host that performed the scan.

The worm also drops files such as readme.eml, desktop.eml, sample.eml and readme.nws in shared folders. It also modifies *.htm, *.html and *.asp files, adding JavaScript that opens the infected EML files automatically. So whenever a user visits the compromised server's site, the browser is forced to download readme.eml. If the user accidentally opens the attachment, it infects the local machine.

It collects e-mail addresses stored in *.htm and *.html files to distribute infected messages. It also spreads using e-mail addresses found in the MAPI message stores of Microsoft Outlook and Microsoft Outlook Express. The attachment name is "readme.exe" and the message body is empty.

If the infected e-mail attachment is executed, it copies itself to the file load.exe in the Windows folder. It modifies the SYSTEM.INI file by adding the string SHELL= explorer.exe load.exe -dontrunold in the [BOOT] section, so the worm is started automatically on the next startup. It also modifies the following registry entries when infecting the machine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

On Windows NT/2000 it also modifies the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security

It replaces the original Riched20.DLL file with a copy of the worm, so the worm is executed whenever Microsoft Word is started; the DLL should be replaced with a clean copy. On NT/2000 systems, this worm creates a "Guest" account with Admin rights, which should be fixed after removing the worm.
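Added example (not part of this advisory or of Solo's product): a small Python host check for the indicators described above. It assumes SYSTEM.INI contents and the share's files are readable from the scanning machine; the SYSTEM.INI text and web pages it is exercised with are constructed samples, not data from a real infected host.

```python
import re
import tempfile
from pathlib import Path
# Host-based indicators the advisory lists for W32.Nimda.A@mm
DROPPED_NAMES = {"readme.eml", "desktop.eml", "sample.eml", "readme.nws"}
WEB_EXTS = {".htm", ".html", ".asp"}
# Persistence entry the worm adds to the [boot] section of SYSTEM.INI
SHELL_RE = re.compile(r"^shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold$", re.I)
# Script the worm injects to auto-open a dropped .eml file (matched generically)
INJECT_RE = re.compile(r"<script\b[^>]*>[^<]*\.eml", re.I | re.S)

def system_ini_has_nimda_shell(text: str) -> bool:
    """True if the [boot] section carries the worm's load.exe shell entry."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and SHELL_RE.match(line):
            return True
    return False

def web_page_is_modified(html: str) -> bool:
    """True if the page carries a script block that opens an .eml file."""
    return INJECT_RE.search(html) is not None

def scan_share(root: Path) -> dict:
    """Walk a share: list dropped worm files and modified web pages."""
    found = {"dropped": [], "modified_pages": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() in DROPPED_NAMES:
            found["dropped"].append(p.name)
        elif p.suffix.lower() in WEB_EXTS and web_page_is_modified(
                p.read_text(errors="ignore")):
            found["modified_pages"].append(p.name)
    return found

def demo_scan() -> dict:
    """Scan a constructed share (temp dir with one dropped file, one
    modified page and one clean page); sample data, not a real host."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(
            '<html><script>window.open("readme.eml")</script></html>')
        (root / "about.htm").write_text("<html><body>clean</body></html>")
        (root / "readme.eml").write_text("constructed placeholder")
        return scan_share(root)
```

A hit from either check means the host should be taken off the network and cleaned with the steps below, not just have the single file removed.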

How can I protect my system?

Solo has incorporated W32.Nimda.A@mm in its signature file to protect users from this worm. Registered Solo Antivirus users are already protected. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

If you are infected with the W32.Nimda.A@mm worm, install the security patch first. Then run Solo Antivirus and choose the clean option to repair the infected files. Solo Antivirus can detect and remove W32.Nimda.A@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, trojans, backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link