And also



Subject: And also
Name: LED
Date: 9/18/2001 3:09:22 PM (GMT-7)
IP Address: 63.71.127.157
In Reply to: Read me.exe ... posted by MS
Message:

W32/Nimda-A
Aliases
W32.Nimda.A@mm, Code Rainbow, Minda, Nimbda

Type
W32 executable file virus

Detection
A virus identity file (IDE) which provides protection is available now from the Latest virus identities section, and will be incorporated into the November 2001 (3.51) release of Sophos Anti-Virus.
Sophos has received many reports of this virus from the wild.

Please note: The IDE has been updated on 18 September at 19:45 BST to improve detection of this virus.


Description
W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites.

Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

    shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above files on the web server the virus attempts to alter the contents of the file, adding a section of malicious JavaScript code to the end of the file.

If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer - which is then executed, forwarding the virus once more.

The virus contains the following text: "Copyright 2001 R.P.China".
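The two indicators the description above gives a defender something concrete to look for are the System.ini startup hook and the JavaScript appended to the listed web pages. The following triage script is an added example, not part of the original post or of Sophos's tooling; it assumes the appended script references readme.eml (the post says the script causes that file to be downloaded) and that the worm's script is the last one in the page, and the sample inputs are constructed.

```python
"""Triage checks for the W32/Nimda-A indicators quoted in the post above.

Assumptions (not stated in the post): the appended JavaScript references
readme.eml, and it is the last <script> block in a tampered page.
"""
import re
from pathlib import Path

# Startup hook the worm writes into System.ini (quoted verbatim in the post).
SHELL_HOOK = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.I)

# Pages the worm hunts for on a vulnerable IIS server, as listed in the post.
TARGET_PAGES = {
    "index.html", "index.htm", "index.asp", "readme.html", "readme.htm", "readme.asp",
    "main.html", "main.htm", "main.asp", "default.html", "default.htm", "default.asp",
}

def system_ini_hooked(ini_text: str) -> bool:
    """True if any line of System.ini carries the load.exe -dontrunold shell hook."""
    return any(SHELL_HOOK.match(line) for line in ini_text.splitlines())

def page_tampered(page_text: str) -> bool:
    """True if the last <script> block in the page references readme.eml.

    The worm appends its script to the end of the file, so only the final
    script block is examined; a legitimate script earlier in the page is ignored.
    """
    start = page_text.lower().rfind("<script")
    return start != -1 and "readme.eml" in page_text[start:].lower()

def triage_pages(pages: dict) -> list:
    """Given filename -> content, return names of target pages carrying the appended script."""
    return sorted(name for name, text in pages.items()
                  if name.lower() in TARGET_PAGES and page_tampered(text))

def scan_web_root(root: Path) -> list:
    """Walk a web root on disk and return the tampered target pages found under it."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in TARGET_PAGES
                  and page_tampered(p.read_text(errors="ignore")))

# Constructed samples (not captured data) exercising both checks.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_PAGE = ('<html><body>Welcome</body></html>\n'
               '<html><script language="JavaScript">window.open("readme.eml", null, '
               '"resizable=no")</script></html>\n')
CLEAN_PAGE = "<html><body><script>var x = 1;</script>Welcome</body></html>\n"

if __name__ == "__main__":
    print("System.ini hooked:", system_ini_hooked(SAMPLE_SYSTEM_INI))
    print("Tampered pages:", triage_pages({"index.htm": SAMPLE_PAGE, "about.htm": SAMPLE_PAGE,
                                           "default.asp": CLEAN_PAGE}))
```

Note that about.htm is reported clean even though it carries the script, because the worm only rewrites the twelve filenames listed above; widen TARGET_PAGES if your server uses other default documents.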


