Information on the Nimda Virus

September 18, 2001

The w32.nimda.a virus spread rapidly around the world and was sighted at Virginia Tech. The code can infect all flavors of Windows including Windows 95, 98, ME, NT and 2000.

A new Nimda variant (W32.Nimda.E) has been slowly making its rounds. It is most easily identified by its 'sample.exe' attachment. More information is available at:

http://www.sarc.com/avcenter/venc/data/w32.nimda.e@mm.html

A new removal tool for the variant can be found here: http://www.symantec.com/avcenter/venc/data/w32.nimda.e@mm.removal.tool.html.

Infection Methods

The virus propagates through several methods:

  • An e-mail message with an attachment named readme.exe. On machines where Internet Explorer has not been patched against the MIME-header attachment bug (MS01-020), merely previewing the message, for example in the Outlook preview pane, executes the attachment. On patched machines the attachment still infects the computer if it is opened.
  • HTTP attacks from infected machines on the network against unpatched IIS servers. The exploits are not new: they are directory-traversal and backdoor requests for cmd.exe and root.exe through /scripts and similar directories, and all of them were patched before this outbreak. Several of the vulnerabilities are fixed by this Microsoft patch: http://microsoft.com/technet/security/bulletin/MS01-044.php
  • Attempts to copy the virus onto open Microsoft Windows file shares on the network.
  • Infected web servers serve modified pages that prompt visitors to download and/or run wbk8A.tmp or readme.eml.

Symptoms and Effects

The code can infect all flavors of Windows including Windows 95, 98, ME, NT and 2000. On all systems, W32.Nimda.A shares the local hard drives of the infected machine over the network with no access restrictions. It also attempts to mass-mail itself. On Windows NT and Windows 2000 machines, the built-in Guest account is enabled and added to the Administrators group, so anyone who can reach the machine over the network has administrative access. Server administrators are seeing repeated HTTP probes against their systems (requests for cmd.exe and root.exe); a probe that the server answers with HTTP 200 rather than 404 means the request succeeded and that server should be treated as compromised, not merely probed. Internet traffic worldwide is significantly higher because of this outbreak.

Removal

W32.Nimda.A leaves an infected computer open to third-party manipulation of code and installation of other malicious programs: the open drive shares and the administrator-level Guest account remain usable by anyone who can reach the machine. Owners of infected computers should consider reformatting and reinstalling their systems, since that is the only way to be fully sure that every hole has been closed. Apply the IIS and Internet Explorer patches before putting the rebuilt machine back on the network, or it will simply be reinfected by the probes still circulating.

The latest virus definitions from Symantec detect this code. For a more detailed description and removal instructions, see:

http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html