W32/Nimda-A

Category: Viruses and Spyware
Protection available since: 18 Sep 2001 00:00:00 (GMT)
Type: Win32 executable file virus
Last Updated: 02 Apr 2014 18:19:16 (GMT)
Prevalence: Several Reports



W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites.

The W32/Nimda-A virus can infect users of the Windows 95/98/Me operating systems as well as Windows NT and 2000.

Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME header vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer so that the executable runs automatically, without the user double-clicking the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above files on the web server the virus attempts to alter the contents of the file, appending a section of malicious JavaScript code to the end of the file.

If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer, which is then executed, forwarding the virus once more.

While spreading via shared network drives, the virus drops a number of randomly named files with the extensions .EML and .NWS. The content of those files is identical to the content of readme.eml.
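The indicators above (the altered System.ini shell line, appended script in the targeted web pages, and .EML/.NWS files on shares) can be triaged with a small script. This is an added example, not part of the Sophos analysis; the System.ini text, web page and share listing are constructed samples, and the page markers it looks for are an assumption based on the description above.

```python
import re
from configparser import ConfigParser

# Page names the worm looks for on a compromised IIS server (from the analysis).
TARGET_PAGES = {
    "index.html", "index.htm", "index.asp",
    "readme.html", "readme.htm", "readme.asp",
    "main.html", "main.htm", "main.asp",
    "default.html", "default.htm", "default.asp",
}
DROPPED_EXTENSIONS = (".eml", ".nws")


def system_ini_hijacked(ini_text: str) -> bool:
    """True if the [boot] shell= line carries the 'load.exe -dontrunold' hook."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    shell = parser.get("boot", "shell", fallback="")
    tokens = shell.lower().split()
    return "load.exe" in tokens and "-dontrunold" in tokens


def page_carries_eml_dropper(filename: str, html: str) -> bool:
    """True for a targeted page whose trailing <script> block references readme.eml."""
    if filename.lower() not in TARGET_PAGES:
        return False
    tail = html[-2048:].lower()  # the code is appended, so only the tail matters
    return bool(re.search(r"<script\b[^>]*>(?:(?!</script>).)*readme\.eml", tail, re.S))


def dropped_files_on_share(listing):
    """Names in a share listing with the extensions the worm drops (leads, not verdicts)."""
    return sorted(n for n in listing if n.lower().endswith(DROPPED_EXTENSIONS))


# Constructed samples (not captured Nimda artefacts) for a stand-alone run.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\ndevice=*vshare\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"
SAMPLE_PAGE = "<html><body>Welcome</body></html>\n<script>/* constructed */ var x = 'readme.eml';</script>"
SAMPLE_SHARE = ["report.doc", "x7q2k.eml", "a91ff.nws", "notes.txt"]

if __name__ == "__main__":
    print("system.ini hooked:", system_ini_hijacked(SAMPLE_SYSTEM_INI))
    print("default.htm altered:", page_carries_eml_dropper("default.htm", SAMPLE_PAGE))
    print("dropped files:", dropped_files_on_share(SAMPLE_SHARE))
```

Legitimate .eml files (saved Outlook Express messages) will also match the share check, so treat those hits as candidates to compare against a known readme.eml hash rather than as infections.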

The virus contains the following text: "Copyright 2001 R.P.China".

Users with web servers compromised by Nimda are advised to replace all modified files, and to carry out a full security audit. One of the exploits by which Nimda attacks servers relies on holes left behind by a previous Troj/CodeRed-II attack - and Nimda itself tries to open additional security holes, such as giving administrative powers to the "guest" user, which is supposed to be a highly restricted account.

Microsoft has issued a security patch which reportedly secures IIS against the web server folder traversal vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)

Microsoft has also issued a patch which secures against the incorrect MIME header vulnerability; it can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)

For more information on how to protect your systems against Nimda please follow this link: http://www.microsoft.com/technet/security/topics/Nimda.asp.

Microsoft makes available patches to secure against vulnerabilities in its products at: http://www.microsoft.com/technet/security/current.aspx.
