Symantec gives the following synopsis on what the virus does. There are
some more details on the site regarding detection and removal that I did not
copy over, so I have provided the link at the beginning.

Peter Dahl.

http:[EMAIL PROTECTED]

W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to
spread itself. The worm sends itself out by email, searches for open network
shares, attempts to copy itself to unpatched or already vulnerable Microsoft
IIS web servers, and is a virus infecting both local files and files on
remote network shares. 

The worm uses the Unicode Web Traversal exploit. A patch and information
regarding this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. 

When the worm arrives by email, the worm uses a MIME exploit allowing the
virus to be executed just by reading or previewing the file. Information and
a patch for this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Users visiting compromised Web servers will be prompted to download an .eml
(Outlook Express) email file, which contains the worm as an attachment. This
.eml file also uses the aforementioned MIME exploit. Users can disable 'File
Download' in their internet security zones to prevent compromise.

Also, the worm will create open network shares on the infected computer,
allowing access to the system. During this process the worm creates the
guest account with Administrator privileges.

-----Original Message-----
From: Stephen J. Norton [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 11:28 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert


If it's any consolation Lance, it's banging the hell out of me also. Seems
to replicate riched20.dll and *.eml files on servers. I'm talking hundreds
of thousands of the suckers. Worst is, CAI claims the virus pattern files I
updated this morning before the attack take care of it! Another load of
horse manure from an already suspect company. If anyone knows exactly how
this works, and I mean exactly, I'd sure like to know. Even with all
workstations shut down, it still replicates itself on my PDC as fast as I
can delete the dll and eml files. On infected workstations, repairing the
sys.ini file and deleting load.exe from the \\windows\system directory does
not help. On reboot, the sys.ini is modified again and the load.exe is back
in place. Making the system.ini file read only seems to help. Good luck.
Oh yeah, tried calling Computer Associates tech support for two hours today.
Was kept in a holding pattern for 30 minutes and then disconnected. Nice
people.
-----Original Message-----
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:07 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert


Thanks. It's killing us. NAI seems to have numerous updates, as well as MS.
Some get fixed, some don't. Half the network is down due to this bad boy. Be
careful with this one, especially software companies running IIS.


>From: "Zangara, Jim" [EMAIL PROTECTED]
>Reply-To: "MS-Exchange Admin Issues" 
>[EMAIL PROTECTED]
>To: "MS-Exchange Admin Issues" [EMAIL PROTECTED]
>Subject: RE: New Virus Alert
>Date: Tue, 18 Sep 2001 10:47:03 -0700
>
>W32/Nimda.A@mm - just came in from antigen.
>
>
>Virus Name:
>-------------------
>W32/Nimda.A@mm
>
>
>Alias:
>-------------------
>W32/Nimda-A
>W32/Nimda-mm
>
>
>
>E-mail Subject:
>-------------------
>None
>
>
>
>E-mail Body:
>-------------------
>None
>
>
>E-mail Attachments:
>-------------------
>README.EXE
>
>
>Description:
>-------------------
>This worm will enter a computer in one out of possibly two ways - it will
>either be received as an email with an attachment, and it seems that it will
>also attempt to break into machines running the web server software IIS
>(Internet Information Server), through a security hole known as a "directory
>traversal exploit".
>When the file is run, it will copy itself to the system directory as a
>hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
>that it is run from startup.
>
>
>At the present time a filter rule for Readme.exe (all types) will remove
>this from your email server.
>
>We will be releasing AV Engine Updates when they are made available.
>
>Thank You,
>
>Sybari Software, Inc.
>
>
>Jim Zangara, MCSE+I
>Special Projects Engineer
>Premiere Radio Networks
>A Division of Clear Channel Communications
>15260 Ventura Blvd Suite 500
>Sherman Oaks, CA 91403
>Direct: (818) 461-8620
>mailto:[EMAIL PROTECTED]
>
>
>
>
>-----Original Message-----
>From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 18, 2001 9:51 AM
>To: MS-Exchange Admin Issues
>Subject: Re: New Virus Alert
>
>
>Do you know the name of the virus?
>
>
> >From: "Zangara, Jim" [EMAIL PROTECTED]
> >Reply-To: "MS-Exchange Admin Issues"
> >[EMAIL PROTECTED]
> >To: "MS-Exchange Admin Issues" [EMAIL PROTECTED]
> >Subject: New Virus Alert
> >Date: Tue, 18 Sep 2001 09:32:37 -0700
> >
> >Hey folks we are getting nailed by this new virus - we had already
> >blocked the exe extension but there are two new extensions causing the
> >windows media player to start - and share your C drive and propagate
> >itself. We are now blocking the *.EML and *.NWS per Antigen.
> >
> >Just wanted to spread the word - not the virus :)
> >
> >Good luck.
> >
> >Jim Zangara, MCSE+I
> >Special Projects Engineer
> >Premiere Radio Networks
> >A Division of Clear Channel Communications
> >15260 Ventura Blvd Suite 500
> >Sherman Oaks, CA 91403
> >Direct: (818) 461-8620
> >mailto:[EMAIL PROTECTED]
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, September 18, 2001 9:21 AM
> >To: Zangara, Jim
> >Subject: Re: (ROB)RE: Antigen
> >
> >
> >
> >Jim,
> >
> >Here is a copy of what Sophos is saying in case you have not seen this
> >yet:
> >
> >Name: W32/Nimda-A
> >Type: W32 executable file virus
> >Date: 18 September 2001
> >
> >A virus identity file (IDE) which provides protection is available now
> >from our website and will be incorporated into the November 2001 (3.51)
> >release of Sophos Anti-Virus.
> >
> >Sophos has received many reports of this virus from the wild.
> >
> >Description:
> >
> >W32/Nimda-A is an email-aware virus that spreads using an attached
> >filename of README.EXE.
> >
> >Sophos researchers are continuing to examine the virus and will be
> >posting a more detailed description of the virus on the Sophos website
> >once the analysis is complete.
> >
> >
> >Use the file filter that I told you about earlier, README.EXE on all
> >file types.
> >
> >Robert McCarthy
> >Sybari Software, Inc.
> >E-mail: [EMAIL PROTECTED]
> >Phone: 631-630-8500 Option # 23
> >http://www.sybari.com
> >
> >Please respond to [EMAIL PROTECTED]
> >
> >
> >List Charter and FAQ at:
> >http://www.sunbelt-software.com/exchange_list_charter.htm
> >
>
>


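The attachment filter the thread describes (README.EXE on all file types, plus the *.EML and *.NWS attachments Antigen was set to block), written as a runnable mail-gateway check. This is an added example, not code from the original thread or from Antigen or Sophos; the message it scans is constructed here, and the filter names and thresholds are assumptions based only on the thread.

```python
import email
from email import policy
from email.message import EmailMessage

# Filter rule as described in the thread: README.EXE under every content
# type, plus the .EML/.NWS attachment extensions that were being blocked.
BLOCKED_NAMES = {"readme.exe"}
BLOCKED_EXTENSIONS = (".eml", ".nws")


def flagged_attachments(raw: bytes) -> list:
    """Return the attachment filenames in a raw RFC 822 message that the
    filter would block. walk() descends into message/rfc822 parts, so a
    README.EXE carried inside an attached .eml is reported as well."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lowered = name.lower()
        if lowered in BLOCKED_NAMES or lowered.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message (not a real worm sample): no subject,
    README.EXE attached directly, and an attached .eml that itself carries
    a lowercase readme.exe, to show the nested case is caught too."""
    inner = EmailMessage()
    inner["Subject"] = "fwd"
    inner.set_content("forwarded text")
    inner.add_attachment(b"stub", maintype="application",
                         subtype="octet-stream", filename="readme.exe")
    outer = EmailMessage()
    outer["From"] = "sender@example.invalid"
    outer["To"] = "admin@example.invalid"
    outer.set_content("(empty body)")
    outer.add_attachment(b"stub", maintype="application",
                         subtype="octet-stream", filename="README.EXE")
    outer.add_attachment(inner, filename="forwarded.eml")
    return outer.as_bytes()


if __name__ == "__main__":
    print(flagged_attachments(build_sample()))
```

Matching is on the declared filename only; a gateway that relies on the attachment's MIME type would miss the "all types" part of the rule, which is why the name is checked regardless of content type.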