W32/Nimda@MM
W32/Nimda@MM is a HIGH RISK virus that can infect all unprotected home users and business users of Win9x/NT/2000/ME. W32/Nimda@MM spreads via email, via shared drives, folders or files, and via infected HTM/HTML (Web) pages. In addition, it will look for IIS servers to infect via the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue).
It is possible to activate the virus by viewing an infected email message within the Microsoft Outlook preview pane.
The email attachment varies and may use the icon for an Internet Explorer HTML document.
Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable. It may also take up a large amount of space on your hard drive.
Once infected, your system is used to seek out other machines to infect over the Web. The resulting port scanning generates heavy traffic and can bring a network to a standstill.
It will attempt to spread itself as follows:
- The email messages created by the worm contain an attachment that can be executed even if the user does not open it and without the user's knowledge.
- It infects HTML documents. When the infected documents are accessed (locally or remotely), the machine viewing the page is infected.
- When the virus finds an open share, it copies itself to each folder on the drive in .EML format. This can include the Startup folder.
- The worm scans IP addresses looking for IIS servers to infect via the Web Folder Traversal vulnerability.
- It tries to use the backdoor created by W32/CodeRed.c to infect.
- It adds worm code to .EXE files.
- Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents.
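The IIS scanning described above leaves a trail in the web server's own logs: requests that try to walk out of a script directory with encoded ".." sequences, and requests for the command-shell copy that the W32/CodeRed.c backdoor left behind. The following detector is an added example written for this page, not a McAfee or AVERT tool. It reads W3C-format IIS log lines (the sample lines are constructed, not real captures), decodes the URI twice so double-encoded and overlong-UTF-8 traversals are normalised, and flags traversal attempts and probes for a root.exe backdoor copy. The root.exe and /scripts, /MSADC path names are this example's assumptions about the CodeRed backdoor, not details given on this page.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log excerpt for a dry run; not a real capture.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 13:02:11 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 200
2001-09-18 13:02:12 192.0.2.10 GET /scripts/root.exe 404
2001-09-18 13:02:13 192.0.2.10 GET /MSADC/root.exe 404
2001-09-18 13:02:14 192.0.2.10 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe 200
2001-09-18 13:05:00 198.51.100.7 GET /index.htm 200
2001-09-18 13:05:01 198.51.100.7 GET /images/logo.gif 200
"""

# A ".." followed by either path separator, after decoding.
TRAVERSAL_RE = re.compile(rb"\.\.[\\/]")
# Overlong two-byte UTF-8 lead bytes (0xC0/0xC1) plus one continuation byte:
# IIS decoded these to a separator, so we normalise them to "/" as a heuristic.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x00-\xff]")
# Assumed backdoor filename left by the CodeRed variant (example assumption).
BACKDOOR_RE = re.compile(rb"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)


def decode_uri(uri: str) -> bytes:
    """Percent-decode twice (handles %255c -> %5c -> '\\') and fold overlong bytes."""
    raw = unquote_to_bytes(unquote_to_bytes(uri))
    return OVERLONG_RE.sub(b"/", raw)


def classify_request(uri: str):
    """Return a reason string for a suspicious URI, or None for a benign one."""
    decoded = decode_uri(uri)
    if TRAVERSAL_RE.search(decoded):
        return "traversal"
    if BACKDOOR_RE.search(decoded):
        return "backdoor-probe"
    return None


def scan_log(text: str):
    """Parse W3C log text and return one dict per suspicious request, in file order."""
    fields = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names after the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # malformed line, skip rather than guess
        rec = dict(zip(fields, parts))
        reason = classify_request(rec["cs-uri-stem"])
        if reason:
            hits.append({"ip": rec["c-ip"], "uri": rec["cs-uri-stem"], "reason": reason})
    return hits


def noisy_sources(hits, min_hits=2):
    """Client IPs with at least min_hits flagged requests (the scanning hosts)."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:15} {h["reason"]:15} {h["uri"]}')
    print("scanning hosts:", noisy_sources(found))
```

Run it against a real IIS log by replacing SAMPLE_LOG with the file contents; the parser keys on the `#Fields:` directive, so any column order works as long as `c-ip` and `cs-uri-stem` are logged. A single traversal hit from one address is already worth a look, but the `noisy_sources` count is what separates an infected scanner from a one-off probe.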
Detection and Removal
--- How can I detect and remove this Virus? ---
In order to successfully detect and remove this virus, infected systems must:
- Apply the patches below
- Close any network shares prior to cleaning
- Exit any running applications
- Stop a running IIS server
- Scan and clean each drive
- Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.
All machines on the network must have virus protection that will detect and clean this virus in order to prevent infection via open shares.
All home users and administrators running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this Microsoft patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.
All IIS administrators (and Win2K users who may not know they are running IIS), who haven't already done so, should also install this Microsoft patch (August 15, 2001 Cumulative Patch for IIS).
McAfee.com VirusScan and Clinic users, click here to update ActiveShield.
Retail McAfee VirusScan users, click here to get the latest DAT file to detect and clean this virus.
Scan Your System for Infected Files
- 1. McAfee.com VirusScan Online and Clinic users, click here to perform a Scan.
- 2. If W32/Nimda@MM is found, use the delete option to remove it.
As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list should be used.
Detection and removal is in the 4162 DAT files. This includes detection and removal for infected .ASP, .DLL, .EML, .EXE, .HTM, .HTML, and .NWS files (with ALL files being scanned).
To remove any network shares or guest accounts created by the virus, please use the AVERT NimdaScan (current version 1.0f) program located on the AVERT Tools Page.
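Before the "scan and clean each drive" step, an administrator often wants a quick inventory of what the worm dropped over open shares: .EML (and .NWS) copies repeated across many folders, anything of that kind sitting in a Startup folder, and whether RICHED20.DLL or MMC.EXE are missing from the system directory after cleaning. The script below is an added example written for this page, not AVERT's NimdaScan or any McAfee tool. It walks a directory tree, groups .eml/.nws files by name, reports names that recur in several folders, lists drops in folders named "Startup", and checks for the two system files named in the removal steps. The `demo()` function builds a constructed share layout in a temporary directory so the whole thing runs offline; the folder and file names in it are made up for the example.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the page lists for the worm's mail-format copies.
WORM_EXTS = {".eml", ".nws"}
# Files the page says the worm overwrites and the scanner may then delete.
SYSTEM_FILES = ("RICHED20.DLL", "MMC.EXE")


def find_drops(root):
    """Map lower-cased .eml/.nws filename -> list of folders containing it."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in WORM_EXTS:
                hits[name.lower()].append(dirpath)
    return hits


def replicated_names(hits, min_folders=3):
    """Names that recur in at least min_folders folders: the share-copy pattern."""
    return sorted(name for name, folders in hits.items() if len(folders) >= min_folders)


def startup_folder_drops(hits):
    """Full paths of .eml/.nws files whose parent folder is named like 'Startup'."""
    out = []
    for name, folders in hits.items():
        for folder in folders:
            if "startup" in Path(folder).name.lower():
                out.append(os.path.join(folder, name))
    return sorted(out)


def missing_system_files(system_dir):
    """Which of RICHED20.DLL / MMC.EXE are absent from system_dir (case-insensitive)."""
    present = {p.name.upper() for p in Path(system_dir).iterdir() if p.is_file()}
    return [f for f in SYSTEM_FILES if f not in present]


def build_sample_tree(base):
    """Constructed share layout for a dry run; not taken from a real infection."""
    base = Path(base)
    # The same .eml name dropped into four folders, one of them a Startup folder.
    for folder in ("share/docs", "share/docs/2001", "share/finance", "share/Startup"):
        (base / folder).mkdir(parents=True, exist_ok=True)
        (base / folder / "sample_drop.eml").write_text("constructed sample\n")
    # One legitimate saved message in a single folder: should not be flagged.
    (base / "share/mail").mkdir(parents=True, exist_ok=True)
    (base / "share/mail/newsletter.eml").write_text("legit mail\n")
    # System directory where only RICHED20.DLL survived cleaning.
    (base / "system32").mkdir(parents=True, exist_ok=True)
    (base / "system32/RICHED20.DLL").write_bytes(b"placeholder")
    return base


def demo():
    """Build the sample tree and return the three findings as a dict."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="nimda-example-"))
    hits = find_drops(base / "share")
    return {
        "replicated": replicated_names(hits),
        "startup": startup_folder_drops(hits),
        "missing": missing_system_files(base / "system32"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real share, point `find_drops` at the share root and `missing_system_files` at the Windows system directory. The repetition threshold matters: a mail archive folder legitimately holds many distinct .eml files, but the same filename appearing in folder after folder is the signature the page describes, so the script keys on recurrence rather than on the extension alone.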