
NIMDA WORM SPREADS RAPIDLY
Virus Name: W32.Nimda.A@mm
Alias: I-Worm.Nimda.A, W32.Nimda.Worm, W32/Nimda-A, PE_Nimda.A
Virus type: Internet, IIS, e-mail worm
Threat level: Medium
Virus details:
Nimda is a mass-mailing worm that uses several different techniques to spread. It infects network shares, local PE files and already vulnerable (unpatched) Microsoft IIS web servers. Because of the IIS server infection it generates heavy network traffic. Nimda also uses the trojan dropped by CodeRed to find target servers.
The worm uses the Unicode Web Traversal exploit to infect IIS servers. Web administrators are requested to install the patch from the Microsoft link http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. The worm uses a MIME exploit to infect Internet Explorer users: when the worm arrives by e-mail, this security hole allows the virus to be executed just by reading or previewing the message. Windows 95/98/ME users are requested to install the patch http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Nimda scans random IP addresses to find servers to infect. When a vulnerable host is found, the worm instructs that machine to download the worm code Admin.dll from the host that performed the scan.
The worm also drops files such as readme.eml, desktop.eml, sample.eml and readme.nws in shared folders. It also modifies *.htm, *.html and *.asp files, adding JavaScript that opens the infected EML file automatically. So whenever a user visits the compromised server's site, he is forced to download readme.eml. If the user accidentally opens the attachment, it infects the local machine.
It collects e-mail addresses stored in *.htm and *.html files to distribute infected messages. It also spreads using e-mail addresses found in MAPI messages of Microsoft Outlook and Microsoft Outlook Express. The attachment name is "readme.exe" and the message body is empty.
If the infected e-mail attachment is executed, it copies itself to the file load.exe in the Windows folder. It modifies the SYSTEM.INI file by adding the string SHELL= explorer.exe load.exe -dontrunold in the [BOOT] section, so the worm is started automatically at the next startup. It also modifies the following registry entries when infecting the machine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
On Windows NT/2000 it also modifies the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security
It replaces the original Riched20.DLL file with a copy of the worm, so the worm is executed whenever Microsoft Word is started. The DLL should be replaced with a fresh copy. On NT/2000 systems, this worm creates a "Guest" account with Admin rights, which should be fixed after the worm has been removed.
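The persistence and web-page changes described above are the artefacts an administrator can check for. The following script is an added example (not Solo's or Microsoft's code) that looks for those indicators in a SYSTEM.INI text, an HTML page and a file listing from a share; all sample inputs are constructed, not captured from a real infection.

```python
import re

# Indicators as stated in the advisory above; sample inputs further down are constructed.
NIMDA_SHELL_MARKER = "load.exe"   # advisory: SHELL= explorer.exe load.exe -dontrunold
DROPPED_NAMES = {"readme.eml", "desktop.eml", "sample.eml", "readme.nws"}

def boot_shell_value(ini_text):
    """Return the SHELL= value from the [boot] section of a SYSTEM.INI text, or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()      # section header, e.g. [boot]
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def shell_is_tampered(ini_text):
    """True when the boot shell line chains load.exe after explorer.exe."""
    value = boot_shell_value(ini_text)
    return value is not None and NIMDA_SHELL_MARKER in value.lower()

def html_opens_eml(html_text):
    """True when any <script> block in the page refers to a .eml file."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html_text, re.I | re.S)
    return any(re.search(r"\.eml\b", body, re.I) for body in scripts)

def suspicious_share_files(names):
    """From a share's file listing, return the names matching the worm's drop pattern."""
    return sorted(n for n in names
                  if n.lower() in DROPPED_NAMES or n.lower().endswith((".eml", ".nws")))

# Constructed samples (hypothetical, not taken from a real machine).
INFECTED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\nebios=*ebios\n"
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"
INFECTED_HTML = ('<html><body>Welcome</body>\n'
                 '<script language="JavaScript">window.open("readme.eml")</script></html>')
SHARE_LISTING = ["report.doc", "README.EML", "readme.nws", "notes.txt"]

if __name__ == "__main__":
    print("SYSTEM.INI tampered:", shell_is_tampered(INFECTED_INI))        # True
    print("HTML opens .eml:", html_opens_eml(INFECTED_HTML))              # True
    print("Suspicious share files:", suspicious_share_files(SHARE_LISTING))
```

A positive result from any of the three checks is a reason to follow the removal steps below; a clean result only covers the indicators named in this advisory.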
How can I protect my system?
Solo has incorporated W32.Nimda.A@mm in its signature file to protect users from this worm. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this worm?
If you are infected with the W32.Nimda.A@mm worm, install the security patch first. Then run Solo Antivirus and choose the clean option to repair the infected files. Solo Antivirus can detect and remove W32.Nimda.A@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo Antivirus using the link
