Win32:Nimda
Win32:Nimda is a very complex Internet virus. It arrives in an e-mail message as an attachment called README.EXE. Such a message has an empty body and an empty or random subject. It uses a security hole in older MS-Outlook and Outlook Express clients: the attachment can be executed simply by viewing the mail in the preview pane. This virus is able to run under all Windows operating systems. When executed, the virus copies itself into the Windows system directory under the names LOAD.EXE, RICHED20.DLL and sometimes MMC.EXE (it overwrites the original files if they exist). These files have the system and hidden attributes set. It modifies the SYSTEM.INI file in order to activate itself on every startup:
Other copies of the virus are stored in the temporary directory under the names MEP*.TMP.EXE and sometimes in the root directory of the local disks under the name ADMIN.DLL. The virus then searches for further victim e-mail addresses. Besides the standard sources (Outlook, Exchange) it also searches .HTM and .HTML files.

The virus is also able to spread over shared disks on local networks. It creates .EML or .NWS files anywhere it can reach on an accessible machine. These files contain the MIME form of the virus, ready to be opened by Outlook. It also searches the shared computer for HTML and ASP pages and, if it finds any, creates a README.EML file and appends a short JavaScript code to the end of the web pages which opens the README.EML file when the page is viewed. Under certain circumstances Win32:Nimda is also able to infect other files on the remote computer; it prepends itself to the original file. The virus also opens all local disks for sharing.

The virus scans random IP addresses and checks IIS web servers for the security hole known as the Unicode vulnerability (which was also used by the CodeBlue worm) and for the backdoor opened by the Win32:CodeRed.C worm, in an attempt to spread further. Compromised servers are searched for HTML/ASP files and can thus display a web page prompting the user to download an MS-Outlook EML file which contains the worm as an attachment. The virus is able to penetrate firewalls via e-mail and then infect complete intranets. The virus also adds the user GUEST to the Administrators group, so this user has full control of the machine. It also sets registry keys to hide file extensions. The virus contains the following text:
All users running Microsoft Internet Explorer (ver 5.01 - 5.5 without SP2) should install the Microsoft patch for the Incorrect MIME Header vulnerability. All users running the IIS web server should also install the Microsoft IIS cumulative patch dated 15th August, 2001. Removal:
Win32:Nimda-E is very similar to the original virus. The attachment is called SAMPLE.EXE; it saves itself to disk under the name HTTPODBC.DLL and as CSRSS.EXE instead of MMC.EXE in the system directory. This variant is also able to select a random sender name, so tracing the source is a little more complicated. Any avast! with a VPS file dated on or after 18th September 2001 is able to detect this virus. Refer: Avast
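As an added defensive example (not part of the original write-up), the following Python scan walks a directory tree such as a mounted share and flags the file-system indicators listed above for Nimda and Nimda-E: ADMIN.DLL, MEP*.TMP.EXE, dropped .EML/.NWS MIME files naming README.EXE or SAMPLE.EXE, and web pages with an appended script referencing README.EML. The exact appended JavaScript is not reproduced on this page, so the HTML and MIME patterns are assumed heuristics, and the sample files are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# File names come from the description above; the content patterns are
# assumed heuristics, not the worm's actual bytes.
HTML_EXT = {".htm", ".html", ".asp"}
MAIL_EXT = {".eml", ".nws"}
# Appended script block that references README.EML (assumed pattern).
HTML_RE = re.compile(rb"<script[^>]*>[^<]*readme\.eml", re.I)
# Dropped MIME file carrying README.EXE (Nimda) or SAMPLE.EXE (Nimda-E).
MIME_RE = re.compile(rb'name\s*=\s*"?(readme|sample)\.exe', re.I)
# Temporary-directory copies named MEP*.TMP.EXE.
TEMP_RE = re.compile(r"^mep.*\.tmp\.exe$", re.I)


def scan_tree(root):
    """Walk `root` and return a sorted list of (indicator, path) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            ext = path.suffix.lower()
            if name.lower() == "admin.dll":
                hits.append(("dropper_copy", str(path)))
            elif TEMP_RE.match(name):
                hits.append(("temp_copy", str(path)))
            elif ext in MAIL_EXT and MIME_RE.search(path.read_bytes()):
                hits.append(("mime_dropper", str(path)))
            elif ext in HTML_EXT and HTML_RE.search(path.read_bytes()):
                hits.append(("infected_page", str(path)))
    return sorted(hits)


def demo():
    """Build a constructed sample share, scan it, return indicator names."""
    base = Path(tempfile.mkdtemp())
    (base / "ADMIN.DLL").write_bytes(b"MZ constructed sample")
    (base / "MEP12.TMP.EXE").write_bytes(b"MZ constructed sample")
    (base / "README.EML").write_bytes(
        b'Content-Type: application/octet-stream; name="readme.exe"\r\n\r\n')
    (base / "index.html").write_bytes(
        b"<html><body>hello</body></html>\n"
        b'<script>open("readme.eml")</script>')  # constructed, not worm code
    (base / "clean.html").write_bytes(b"<html><body>ok</body></html>")
    return [kind for kind, _ in scan_tree(base)]


if __name__ == "__main__":
    print(demo())
```

The scan is a triage aid only; confirm any hit with an up-to-date scanner and check the SYSTEM.INI, Administrators-group and hidden-extension changes described above on the affected host.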