W32/Nimda-D

Category: Viruses and Spyware Protection available since:29 Oct 2001 00:00:00 (GMT)
Type: Win32 executable file virus Last Updated:21 Feb 2014 11:41:25 (GMT)
Prevalence: Several Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Nimda-D is a variant of W32/Nimda-A. The virus spreads via email, network shares and websites.

The W32/Nimda-D virus can infect users of the Windows 95/98/Me operating systems as well as Windows NT and 2000.

Affected emails have an attached file called SAMPLE.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from several vulnerabilities, including the Unicode Directory Traversal vulnerability.

The virus scans for vulnerable IIS HTTP servers by generating random IP addresses and sending malformed HTTP GET requests. When a vulnerable machine is found, the virus copies itself into file HTTPODBC.DLL and runs.

On some affected machines, the virus also copies itself into the Windows directory with the filename CSRSS.EXE.

The virus attempts to alter the contents of pages on such servers, hunting for files with the filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above files on the web server, the virus attempts to alter the contents of the file, adding a section of malicious JavaScript code to the end of the file.

If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer - which is then executed, forwarding the virus once more.

While spreading using shared network drives, the virus drops a number of randomly named files with the extension EML and NWS. The content of those files is identical to the content of readme.eml.

The virus body contains the text "Concept Virus (CV) V.6 Copyright(C) 2001, (This's CV No Nimda.)".

Sophos recommends that users add the extensions .EML and .NWS to the executables list of Sophos Anti-Virus in order to detect infections in files with those extensions.

Users with web servers compromised by Nimda are advised to replace all modified files, and to carry out a full security audit. One of the exploits by which Nimda attacks servers relies on holes left behind by a previous Troj/CodeRed-II attack - and Nimda itself tries to open additional security holes, such as giving administrative powers to the "guest" user, which is supposed to be a highly restricted account.

Microsoft has issued a security patch which reportedly secures IIS against the web server folder traversal vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

Microsoft has also issued a patch which secures against the incorrect MIME header vulnerability which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)

For more information on how to protect your systems against Nimda please read http://www.microsoft.com/technet/security/current.aspx..

Microsoft makes available patches to secure against vulnerabilities in its products at http://www.microsoft.com/technet/security/current.aspx..

download Try Sophos products for free
Download now