Virus Information - Nimda

Nimda

Also known as W32/Nimda@MM [McAfee], PE_NIMDA.A [Trend], I-Worm.Nimda [Kaspersky], W32/Nimda-A [Sophos], Win32.Nimda.A [CA]

Summary

W32.Nimda.A@mm is a mass-mailing worm that uses multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin."

Technical Details

This worm:

  • Sends itself by email
  • Searches for open network shares
  • Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers
  • Is a virus that infects both local files and files on remote network shares

The worm uses the Unicode Web Traversal exploit against IIS. Microsoft's site has information about this exploit and a patch for computers running Windows NT 4.0 Service Pack 5 or 6a and Windows 2000 Gold or Service Pack 1.
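The traversal exploit named above works because the server checked a request path for ".." before decoding it, and a permissive UTF-8 decoder then turned an overlong sequence such as %c0%af into "/". The following added example (not part of this page or any vendor's code) shows the defender's side: it decodes request paths from constructed IIS-style log lines the way a permissive decoder would, flags overlong UTF-8 and paths that climb above the web root, and goes slightly beyond the page by also flagging paths that change on a second percent-decode (the double-encoding variant IIS of that era also mishandled). The log format, the hostnames and the client addresses are all assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (date time client-ip method uri-stem status).
# The second line carries an overlong UTF-8 form of "/" (%c0%af); the fourth
# carries a double percent-encoded backslash (%255c). Neither host exists.
SAMPLE_LOG = """\
2001-09-18 13:01:02 192.0.2.10 GET /index.html 200
2001-09-18 13:01:03 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2001-09-18 13:01:04 192.0.2.12 GET /images/logo.gif 304
2001-09-18 13:01:05 192.0.2.13 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe 404
2001-09-18 13:01:06 192.0.2.14 GET /docs/../index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (?P<ip>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<status>\d+)$")

# A 2-byte sequence with lead byte 0xC0 or 0xC1 encodes a code point below 0x80,
# which UTF-8 requires to be a single byte: such a sequence is always overlong.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def lenient_utf8(raw: bytes) -> str:
    """Decode like a permissive decoder that accepts overlong 2-byte forms of ASCII.

    Strict decoders (including Python's) reject these sequences; emulating the
    permissive behaviour shows the path the vulnerable server would have acted on.
    """
    out, start, i = [], 0, 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(raw[start:i].decode("utf-8", errors="replace"))
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
            start = i
        else:
            i += 1
    out.append(raw[start:].decode("utf-8", errors="replace"))
    return "".join(out)


def escapes_webroot(path: str) -> bool:
    """True if '..' segments (with / or \\ separators) climb above the root."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_stem(stem: str) -> list[str]:
    """Return the reasons a request path looks like a traversal attempt (empty if clean)."""
    reasons = []
    raw = unquote_to_bytes(stem)                  # %c0%af -> b"\xc0\xaf"
    if OVERLONG_RE.search(raw):
        reasons.append("overlong-utf8")
    once = lenient_utf8(raw)
    twice = lenient_utf8(unquote_to_bytes(once))  # second decode catches %25xx forms
    if "%" in once and twice != once:
        reasons.append("double-decode")
    if escapes_webroot(twice):
        reasons.append("escapes-webroot")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse log lines and return the requests that trip one or more checks."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_stem(m["stem"])
        if reasons:
            hits.append({"ip": m["ip"], "stem": m["stem"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["stem"], ",".join(hit["reasons"]))
```

The "double-decode" reason is a heuristic: it fires whenever a path changes on a second decode, so a legitimate URL containing a literal percent sign will also be reported. The fix on the server side is the one the patch implemented: canonicalize (decode, reject overlong sequences, resolve "..") first, and only then apply the path check.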

When the worm arrives by email, it uses a MIME exploit that allows the attachment to execute as soon as the message is read or merely previewed. Information and a patch for this exploit can be found at Microsoft's site.

If you visit a compromised web server, you will be prompted to download a .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer security zones to prevent this compromise.
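The MIME weakness behind both of the preceding paragraphs is a mail client that trusts the declared Content-Type of a part when deciding how to handle it. As an added example (not code from this page or from any vendor), the following audits a .eml message and reports parts whose declared type, filename and decoded content disagree, such as a part labelled as audio that actually carries a Windows executable. The message below is constructed for the example: the sender and recipient addresses, the part layout and the stand-in "executable" (just the two-byte MZ header followed by filler) are all assumptions.

```python
import base64
from email import message_from_bytes

# Constructed stand-in for an executable: a real PE file starts with the bytes "MZ".
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a runnable program"

# Constructed .eml: one harmless HTML part and one part whose declared Content-Type
# (audio/x-wav) does not match the executable payload it actually carries.
SAMPLE_EML = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="bnd"\r\n'
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--bnd\r\n"
    b'Content-Type: audio/x-wav; name="sample.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: inline; filename="sample.exe"\r\n'
    b"\r\n"
    + base64.b64encode(FAKE_EXE)
    + b"\r\n--bnd--\r\n"
)

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")
# Declared types under which an MZ payload is at least honestly labelled.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msdos-program"}


def audit_eml(raw: bytes) -> list[dict]:
    """Flag MIME parts whose declared type, filename and real content disagree."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue                                   # containers carry no payload of their own
        declared = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        disposition = (part.get("Content-Disposition") or "").split(";")[0].strip().lower()
        is_pe = payload.startswith(b"MZ")
        reasons = []
        if is_pe and declared not in EXECUTABLE_TYPES:
            reasons.append(f"payload has an MZ header but is declared {declared}")
        if filename.lower().endswith(EXECUTABLE_EXTENSIONS) and not declared.startswith("application/"):
            reasons.append(f"executable filename {filename!r} under non-application type {declared}")
        if is_pe and disposition == "inline":
            reasons.append("executable content marked inline rather than attachment")
        if reasons:
            findings.append({"filename": filename, "declared": declared, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_eml(SAMPLE_EML):
        print(finding["filename"], finding["declared"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The three checks are independent on purpose: a gateway that only compares the filename extension with the declared type misses a part with no filename at all, and one that only looks for the MZ header misses script attachments, so the combination is what gives useful coverage.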

Also, the worm creates open network shares on the infected computer, allowing access to the system. During this process, the worm creates the Guest account with Administrator privileges.
