Win32/Nimda.A


Win32/Nimda.A is a combination of a worm and a virus.  It spreads by email and by means of known vulnerabilities in Internet Information Server (IIS) and Internet Explorer.  Its spread began very intensively on September 18th 2001 between 3 and 4 o'clock pm CET.  In the initial stage the worm spread so fast that it caused considerable overload and thus a noticeable slowdown of the Internet.
The worm actively searches for computers running IIS with the above-mentioned vulnerabilities unpatched.  This scanning of IP addresses causes massive traffic on the Internet.  If the worm finds a server, it tries to attack it.  If the server had previously been attacked by the worm Code Red 2, it tries to download the file containing Win32/Nimda.A by means of the two backdoors (root.exe and cmd.exe) that Code Red 2 had installed on the computer.  For its spreading it also utilises the errors MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability (description at www.securityfocus.com/bid/2708, patch at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp) and Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability (description at www.securityfocus.com/bid/1806, patch at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp).  The result of a successful attack by the worm is the presence of the file admin.dll (the file containing the worm) in the root directory of the server's disk.  Moreover, visitors of sites hosted on such a server may be attacked by the worm upon viewing a page in their browser.
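As an added example (not code from the original description or from ESET), the following Python script shows how a defender could spot this IIS-side probing in web server logs. It takes both vulnerabilities named above into account by normalizing the requested path the way the vulnerable server decoded it (overlong two-byte UTF-8 sequences and double percent-decoding), then flags requests that climb out of the web root after decoding or that ask for the root.exe, cmd.exe or admin.dll files named in the description. The log lines, client addresses and the W3C-style field layout are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# File names the description above associates with the worm's IIS-side
# activity: the Code Red 2 backdoors it reuses and its own dropped file.
WATCHED_NAMES = ("root.exe", "cmd.exe", "admin.dll")

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem
# sc-status); the addresses and requests are made up for this example.
SAMPLE_LOG = """\
2001-09-18 14:05:11 192.0.2.10 GET /default.htm 200
2001-09-18 14:05:12 192.0.2.77 GET /scripts/root.exe 200
2001-09-18 14:05:13 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2001-09-18 14:05:14 192.0.2.77 GET /msadc/..%255c../winnt/system32/cmd.exe 404
2001-09-18 14:05:15 192.0.2.10 GET /images/logo.gif 200
"""


def lenient_decode(raw: bytes) -> str:
    """Decode bytes the way a lenient UTF-8 decoder would: two-byte
    sequences are accepted even when overlong (C0 AF becomes '/', C1 9C
    becomes a backslash), which is the MS00-078 behaviour the worm relied on."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII, or Latin-1 fallback for stray bytes
            i += 1
    return "".join(out)


def normalize_uri(uri: str) -> str:
    """Percent-decode twice (the MS01-026 double-decoding behaviour), accept
    overlong UTF-8, unify slashes and case, so the path is seen as the
    vulnerable server saw it rather than as the log recorded it."""
    decoded = lenient_decode(unquote_to_bytes(uri))
    decoded = lenient_decode(unquote_to_bytes(decoded))
    return decoded.replace("\\", "/").lower()


def suspicious_reasons(uri: str) -> list:
    """Reasons a request looks like Nimda/Code Red 2 style probing; empty if none."""
    path = normalize_uri(uri)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("directory traversal after decoding")
    name = path.rsplit("/", 1)[-1]
    if name in WATCHED_NAMES:
        reasons.append("request for " + name)
    return reasons


def scan_log(text: str) -> list:
    """Return (client_ip, raw_uri, reasons) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip headers, comments and malformed lines
        client_ip, uri = fields[2], fields[4]
        reasons = suspicious_reasons(uri)
        if reasons:
            hits.append((client_ip, uri, reasons))
    return hits


if __name__ == "__main__":
    for ip, uri, why in scan_log(SAMPLE_LOG):
        print(ip, uri, "; ".join(why))
```

The point of decoding twice and accepting overlong sequences is that a detector which only looks at the raw log string (or decodes it once, correctly) misses exactly the requests that the patched-late servers were failing on; normalizing first, then matching on the result, makes the check independent of which encoding trick a given probe used.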
In this method of attack the worm exploits a vulnerability existing in various versions of Internet Explorer.  This error, Microsoft IE MIME Header Attachment Execution Vulnerability, enables execution of a program on the target computer when a web page is displayed.  It is exactly by this means, i.e. by means of the file readme.eml, that infection by the worm Win32/Nimda.A takes place.  A description of the vulnerability can be found at www.securityfocus.com/bid/2524; the patch is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.
After the worm makes its way to the target computer and is run there, a copy of the worm is created in the temporary directory, and in some cases the file mcc.exe is replaced.
The worm attacks the files listed in the system registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths (this key contains paths to important system files) and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (this one contains paths to frequently used directories, e.g. Desktop, Documents or Templates).  In the SYSTEM subdirectory of the directory where Windows is installed it creates the file load.exe and at the same time adds a line with the text shell=explorer.exe load.exe -dontrunold to the file system.ini.  In this way it ensures that it will be activated repeatedly, at each start of Windows.
The worm also modifies the files it finds with the extensions HTM, HTML and ASP, as well as files whose names contain the words INDEX, MAIN, DEFAULT or README; it adds to them code which opens the file containing the virus when these files are displayed in a browser.  The worm infects executable files on shared disks on the local network.  It does not attack the file winzip32.exe.
The worm also spreads by email.  It collects email addresses from HTML documents (extensions HTM and HTML) saved on the disk and from email messages.  The worm sends out its copies by itself.  The sender address of the message is not the address of the current user of the infected computer.  The message carrying the worm has a random name (subject) and contains the file readme.exe as an attachment.
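The host-side artefacts described in the last four paragraphs (the copy under the Windows SYSTEM directory, the system.ini persistence line, admin.dll in the drive root and web files rewritten to load readme.eml) give an incident responder a concrete checklist. The script below is an added example, not ESET's code or a detection from the original page: it scans a directory tree standing in for a Windows system drive and reports which of those indicators are present. The directory layout (windows/, windows/system/, inetpub/wwwroot/) and the sample files it builds are constructed for the example; on a real machine the root would be the system drive and the web root whatever IIS serves.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above.  The relative paths are
# assumptions standing in for the real Windows and IIS locations.
SHELL_LINE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-\s*dontrunold\b", re.I | re.M)
EML_REF = re.compile(r"readme\.eml", re.I)
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
SYSTEM_INI = Path("windows") / "system.ini"
LOADER = Path("windows") / "system" / "load.exe"
ROOT_DROPPER = "admin.dll"


def check_system_ini(text: str) -> bool:
    """True if system.ini carries the persistence line the worm adds."""
    return SHELL_LINE.search(text) is not None


def web_files_referencing_eml(root: Path) -> list:
    """Web content files (HTM/HTML/ASP) that reference readme.eml."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
            if EML_REF.search(p.read_text(errors="ignore")):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def scan_host(root) -> dict:
    """Collect the Nimda indicators present under the given root directory."""
    root = Path(root)
    ini = root / SYSTEM_INI
    return {
        "system_ini_shell_line": ini.is_file() and check_system_ini(ini.read_text(errors="ignore")),
        "load_exe_present": (root / LOADER).is_file(),
        "admin_dll_in_root": (root / ROOT_DROPPER).is_file(),
        "web_files_with_eml_ref": web_files_referencing_eml(root),
    }


def build_sample_host() -> str:
    """Create a constructed directory tree that mimics an infected drive.

    The binaries are placeholder bytes and the injected HTML is a stand-in
    written for this example, not the worm's actual code."""
    root = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    (root / "windows" / "system").mkdir(parents=True)
    (root / "windows" / "system.ini").write_text("[boot]\nshell=explorer.exe load.exe -dontrunold\n")
    (root / "windows" / "system" / "load.exe").write_bytes(b"MZ placeholder")
    (root / ROOT_DROPPER).write_bytes(b"MZ placeholder")
    web = root / "inetpub" / "wwwroot"
    web.mkdir(parents=True)
    (web / "default.htm").write_text(
        "<html><body>welcome</body></html>\n"
        "<!-- constructed stand-in for the injected code -->\n"
        '<script>window.open("readme.eml")</script>\n'
    )
    (web / "about.htm").write_text("<html><body>nothing injected here</body></html>\n")
    return str(root)


if __name__ == "__main__":
    for key, value in scan_host(build_sample_host()).items():
        print(f"{key}: {value}")
```

Each indicator is reported separately rather than collapsed into a single verdict because a clean-up usually has to confirm all of them: removing load.exe without also taking the shell= line out of system.ini leaves a dangling reference, and rewritten web pages keep re-exposing visitors even after the server itself is disinfected.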