http://vil.nai.com/vil/content/v_99209.htm
Have you installed the Microsoft patch yet? Read through the text below again, at least the solution part; it names a patch that you have to install.
Virus Name: W32/Nimda.gen@MM
Risk Assessment
Corporate User: Medium
Home User: Medium
Virus Information
Discovery Date: 09/18/2001
Origin: Unknown
Length: 57344
Type: Virus
SubType: Internet Worm
Minimum DAT: 4159
DAT Release Date: 09/18/2001
Minimum Engine: 4.1.60
Description Added: 09/18/2001
Description Modified: 05/02/2003 12:15 PM
Virus Characteristics
--- Update November 09, 2001 ---
A new variant was recently discovered (some call it Nimda.G) which functions the same as the .D and .E variant. The 4163-4169 DATs detect this as a variant of W32/Nimda@MM.
--- Update October 29, 2001 ---
A new variant was discovered today (some call it Nimda.D while others refer to it as Nimda.E) which functions much the same as the original version. The 4162 DATs (or greater) detect this variant as W32/Nimda.a@MM.
--- Update October 26, 2001 ---
The risk assessment was lowered to Medium due to a reduction in prevalence.
--- Update October 12, 2001 ---
A new variant was discovered today which functions much the same as the original version. Detection is included in the current DAT release. This variant is considered to be a LOW risk.
--- Update October 5, 2001 ---
A new variant was discovered today which functions much the same as the original version. However, this variant is packed with a PE packer and the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively. Detection for this new variant is included in the 4165 DAT release. This variant is considered to be a LOW risk.
This threat can infect all unprotected users of Win9x/NT/2000/ME.
Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable.
All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.
All IIS administrators (and Win2K users who may not know they are running IIS), who have not already done so, should also install this patch (August 15, 2001 Cumulative Patch for IIS).
This worm virus infects using several methods including: mass-mailing, network share propagation, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft incorrect MIME Header vulnerability. It also attempts to create network shares, and to utilize the backdoor created by the W32/CodeRed.c worm.
The email subject line varies, message body is blank, and attachment name varies (most often README.EXE) and may use the icon for an Internet Explorer HTML document.
The most significant methods of propagation are as follows:
The email messages created by the worm specify a content-type of audio/x-wav and contain an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge. Simply viewing the message in Microsoft Outlook or Microsoft Outlook Express using the preview pane can infect you. Other mail clients can still receive these email messages, but double-clicking the attachment would be required to execute the virus.
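The header mismatch described above (an executable attachment declared as audio/x-wav) is something a mail gateway can check for. The following detector is an added example, not code from AVERT or the original page; it parses a constructed message with Python's standard email module and flags any part whose declared type does not match an executable payload or filename.

```python
import email
from email import policy

# Constructed sample message in the shape the description gives: the part is
# declared audio/x-wav but carries an .exe attachment. Not a real worm sample;
# the payload is just a PE header stub ("MZ" magic) in base64.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body></body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# A harmless message used to show the check does not fire on ordinary mail.
CLEAN_MESSAGE = b"From: a@example.invalid\nTo: b@example.invalid\n\nhello\n"

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".dll")


def find_mismatched_parts(raw: bytes):
    """Return (declared_type, filename) for every leaf MIME part that looks like an
    executable (by filename or by the MZ magic) but is not declared as one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_executable = fname.endswith(EXECUTABLE_EXTENSIONS) or payload.startswith(b"MZ")
        # A genuine executable attachment would be declared application/*; any
        # other declared type (audio/x-wav here) is the mismatch the worm relies on.
        if looks_executable and not ctype.startswith("application/"):
            hits.append((ctype, fname))
    return hits
```

The check keys on the payload magic as well as the filename, so renaming the attachment (as the PUTA!!.SCR variant does) does not evade it.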
When infecting, it appends .ASP, .HTM, and .HTML documents, and files named INDEX, MAIN, and DEFAULT, with javascript code which contains instructions to open a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected web page is accessed (locally or remotely) the machine viewing the page is infected. In other words, simply visiting a web site that is compromised can infect your computer.
When infecting, it creates network shares for each local drive as %$ (where % = the drive letter that is being shared). On Win9x/ME systems this is configured as a full share with no password. On WinNT/2K systems the user GUEST is given permission to the share and added to the group ADMINISTRATORS as well as GUESTS. A reboot is required in order for these shares to get created. When the virus finds an open share, it copies itself to each folder on the drive in .EML format as described later on in this description. This can include the START UP folder.
The worm scans IP addresses looking for IIS servers to infect via the Web Folder Traversal vulnerability by sending a malformed GET request. This causes vulnerable machines to initiate a TFTP session to download ADMIN.DLL from the machine which sent the request. Once downloaded, the remote system is instructed to execute the DLL, which infects that machine. In the event that the TFTP session fails to connect, multiple files (TFTP*) are created in the WINDOWS TEMP directory. These files are simply copies of the worm. It also tries to use the backdoor created by W32/CodeRed.c to infect.
.EXE files are prepended with the worm code.
Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.
It may copy itself to the WINDOWS SYSTEM directory as LOAD.EXE and create a SYSTEM.INI entry to load itself at startup:
Shell=explorer.exe load.exe -dontrunold
Additional information:
- A MIME encoded version of the worm is created in each folder on the system (often as README.EML or DESKTOP.EML, can also be .NWS files). This can create a lot of files and in some cases even fill up a hard disk.
- The WININIT.INI file may be used to delete specific worm files upon reboot:
NUL=C:\WINDOWS\TEMP\MEP52b0.TMP.exe
- Registry key values are created/changed to hide files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- A registry key branch is deleted to remove share security under WinNT/2K:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
- The worm saves a copy of itself to C:\, D:\, and E:\ as ADMIN.DLL
Note: a valid ADMIN.DLL does exist and is part of the Microsoft FrontPage Server Extensions functionality
- Filenames for the worm include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL, MEP*.TMP.EXE
Note: applications which utilize the rich text format, such as Microsoft Word and Wordpad, call this RICHED20.DLL file. As such, the worm is executed when a dependent program is run. There is typically a valid RICHED20.DLL file in the WINDOWS SYSTEM directory, but this is overwritten by the virus. Additionally, the virus may also save itself as RICHED20.DLL in directories which contain .DOC files when infecting via network shares. This will result in that infected .DLL being called when a machine accesses that .DOC file.
Note: MMC.EXE is the name for the Microsoft Management Console application. It has been reported that the worm can in fact overwrite this file.
The virus contains the string: Concept Virus(CV) V.5, Copyright (C) 2001 R.P.China
Symptoms
Presence of the files C:\ADMIN.DLL, D:\ADMIN.DLL, and E:\ADMIN.DLL
Presence of many .EML files with the same name (typically README.EML or DESKTOP.EML)
Surprisingly open network shares
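The symptoms listed here, together with the SYSTEM.INI entry and the script injected into web pages described earlier, can be turned into a host check. This is an added example, not a tool from the page or from AVERT: it runs the checks over constructed inputs (an ini fragment, a path listing, an HTML body). The exact form of the injected script is an assumption; the page only says it opens a new window containing README.EML.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples, not data taken from a real infection.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
SAMPLE_LISTING = [
    r"C:\ADMIN.DLL", r"D:\ADMIN.DLL",
    r"C:\Inetpub\wwwroot\README.EML", r"C:\Docs\DESKTOP.EML",
    r"C:\Docs\RICHED20.DLL", r"C:\WINDOWS\SYSTEM\RICHED20.DLL",
    r"C:\Inetpub\wwwroot\default.htm",
]
# Assumed shape of the injected script: a window.open() call pointing at readme.eml.
SAMPLE_HTML = ('<html><body>site</body></html>'
               '<script>window.open("readme.eml", null, "resizable=no")</script>')

EML_NAMES = {"readme.eml", "desktop.eml"}
SYSTEM_DIRS = {"system", "system32"}


def system_ini_has_load_exe(text):
    """True if a Shell= line runs load.exe -dontrunold, the persistence entry quoted above."""
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith("shell=") and "load.exe" in low and "-dontrunold" in low:
            return True
    return False


def suspicious_paths(paths):
    """Return (path, reason) for entries matching the file-system symptoms on the page."""
    hits = []
    for p in paths:
        path = PureWindowsPath(p)
        name = path.name.lower()
        if name == "admin.dll" and len(path.parts) == 2:      # directly under the drive root
            hits.append((p, "ADMIN.DLL at drive root"))
        elif name in EML_NAMES or name.endswith(".nws"):      # dropped MIME copies of the worm
            hits.append((p, "dropped .EML/.NWS copy"))
        elif name == "riched20.dll" and path.parent.name.lower() not in SYSTEM_DIRS:
            hits.append((p, "RICHED20.DLL outside the Windows system directory"))
    return hits


INJECT_RE = re.compile(r"""window\.open\s*\(\s*["']readme\.eml["']""", re.IGNORECASE)


def html_opens_readme_eml(html):
    """True if the page body carries a script that opens readme.eml in a new window."""
    return INJECT_RE.search(html) is not None
```

The RICHED20.DLL rule deliberately ignores the copy in the Windows system directory, since a legitimate one normally lives there; that copy has to be verified by the scanner rather than by path.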
Method Of Infection
This threat exploits various Microsoft vulnerabilities. It is contractible via web browsing, reading an email message, or simply running the IIS web server.
W32/Nimda@MM has been reported to sleep for 10 days between calling its mass-mailing routine.
Removal Instructions
Removing this threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.
Infected systems must:
- Apply the patches below
- Close any network shares prior to cleaning
- Exit any running applications
- Stop a running IIS server
- Scan and clean each drive
- Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner
Failure to take these actions may result in reinfection.
Applying patches
All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this Microsoft patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.
All IIS administrators (and Win2K users who may not know they are running IIS), who haven't already done so, should also install this Microsoft patch (August 15, 2001 Cumulative Patch for IIS).
Scanning/Removal
In cases where users with VirusScan and Netshield 4.5, or 4.51 have altered the "default extension list/program files extension list" the following package is required to scan files with extensions greater than 3 characters, and is required for complete detection of this threat where the extension list has been customized.
EXTFIX1.EXE patch. Please review the README.TXT file first.
As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list ("Program files" or "Default files") should be used.
Additionally Win9x users should remove the text: load.exe -dontrunold from the SYSTEM.INI file.
Stand Alone Removal Tool
Please note that the VirusScan and NetShield products will detect and remove the virus and the associated files the virus affects. They will NOT remove the network shares or the guest account created by W32/Nimda@MM.
Users that would like to have these changes removed automatically can use the AVERT NimdaScan (current version 2.0) program located on the AVERT Tools Page. Please follow the instructions in the README.TXT when using the program.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore".
Variants
Name | Type | Sub Type | Differences
W32/Nimda.b@MM | Virus | Internet Worm | This variant is packed with a PE packer and the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively.
W32/Nimda.d@MM | Virus | Internet Worm | This variant uses different filenames: README.EXE is now SAMPLE.EXE, MMC.EXE is now CSRSS.EXE, ADMIN.DLL is now HTTPODBC.DLL.
W32/Nimda.e@MM | Virus | Internet Worm | Functionally the same as the D variant; minor differences only.
W32/Nimda.f@MM | Virus | Internet Worm | Functionally the same as the D variant; minor differences only.
W32/Nimda.g@MM | Virus | Internet Worm | Functionally the same as the D variant; minor differences only.
Aliases
Name
I-Worm.Nimda (AVP)
I-Worm.Nimda.E (AVP)
Nimda (F-Secure)
Nimda.c (F-Secure)
Nimda.d (F-Secure)
Nimda.e (F-Secure)
W32.Nimda.A@mm (NAV)
W32.Nimda.C@mm (NAV)
W32.Nimda.D@mm (NAV)
W32.Nimda.E@mm (NAV)
W32/Minda@MM
W32/Nimda-C (Sophos)
W32/Nimda.a@MM
W32/Nimda.eml
W32/Nimda.htm
W32/Nimda@MM
Win32.Nimda.A@mm (AVX)
Win32.Nimda.E