
W32/Nimda-D (Sophos)

Overview

Date: 29 October 2001
Updated: 31 October 2001

Name: W32/Nimda-D

Type: W32 executable file virus

W32/Nimda-D is a variant of W32/Nimda-A. The virus spreads via email, network shares and websites.

The W32/Nimda-D virus can infect users of the Windows 95/98/Me operating systems as well as Windows NT and 2000.

Affected emails have an attached file called SAMPLE.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

    shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.
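The two persistence artefacts just described (the altered shell= line in System.ini and the hidden load.exe / riched20.dll copies in the Windows directory) can be checked for with a small script. The following is an added example and not Sophos code; the indicator names are the ones stated above, and the directory path passed to check_windows_dir is assumed to be the machine's Windows directory.

```python
"""Defensive check for the W32/Nimda-D persistence artefacts described above.

Added example, not Sophos code. It assumes only the indicators stated in the
write-up: a [boot] shell= line in System.ini that launches load.exe with
-dontrunold, and hidden files named load.exe / riched20.dll in the Windows
directory.
"""
from pathlib import Path

DROPPED_FILES = ("load.exe", "riched20.dll")   # names from the description above
EXPECTED_SHELL = "explorer.exe"                 # the only token a clean shell= line carries
HIDDEN_ATTR = 0x2                               # FILE_ATTRIBUTE_HIDDEN (Windows only)

# Constructed sample System.ini contents, clean and altered.
CLEAN_INI = "[boot]\nshell=explorer.exe\n[386Enh]\nebios=*ebios\n"
INFECTED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\nebios=*ebios\n"


def parse_system_ini(text: str) -> dict:
    """Minimal parser for the System.ini layout: {section: {key: value}}.
    configparser is not used because System.ini lines may contain characters
    it rejects (duplicate keys, values without spaces around '=')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_shell_line(ini_text: str) -> list:
    """Return a list of findings about the [boot] shell= line (empty if clean)."""
    boot = parse_system_ini(ini_text).get("boot", {})
    shell = boot.get("shell")
    findings = []
    if shell is None:
        return findings
    tokens = shell.lower().split()
    if tokens != [EXPECTED_SHELL]:
        findings.append(f"shell= line altered: {shell!r}")
    if "load.exe" in tokens and "-dontrunold" in tokens:
        findings.append("shell= matches the W32/Nimda-D persistence line")
    return findings


def check_windows_dir(windir: str) -> list:
    """Report dropped files present in the given directory; on Windows also
    report whether the file carries the hidden attribute."""
    findings = []
    for name in DROPPED_FILES:
        path = Path(windir) / name
        if not path.exists():
            continue
        attrs = getattr(path.stat(), "st_file_attributes", None)  # None off Windows
        hidden = None if attrs is None else bool(attrs & HIDDEN_ATTR)
        findings.append(f"{path}: present, hidden={hidden}")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(label, check_shell_line(text))
    # Assumed path; on a real host pass the actual Windows directory.
    print(check_windows_dir(r"C:\Windows"))
```

A legitimate riched20.dll lives in the system directory, not the Windows directory itself, so a copy at the Windows-directory level is worth a look even when the hidden attribute cannot be read.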

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from several vulnerabilities, including the Unicode Directory Traversal vulnerability.

The virus scans for vulnerable IIS HTTP servers by generating random IP addresses and sending malformed HTTP GET requests. When a vulnerable machine is found, the virus copies itself to the file HTTPODBC.DLL on that server and runs.
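The Unicode Directory Traversal vulnerability named above was a request-decoding flaw: the server percent-decoded a path, then accepted overlong UTF-8 forms (for example %c0%af as '/'), so a path that looked harmless encoded climbed above the web root once decoded. A defender can replay the same lenient decoding over web-server logs to find such requests. The following is an added example and not Sophos code; the log lines are constructed in a simplified four-column layout (client IP, method, URI, status), and the check generalises to double percent-encoding as well as the overlong forms.

```python
"""Added example (not Sophos code): flag GET requests whose path climbs above
the web root after percent-decoding and lenient UTF-8 decoding, the request
class associated with the Unicode Directory Traversal vulnerability above."""
from urllib.parse import unquote_to_bytes

# Constructed sample log lines: client-ip method uri status (simplified layout).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /images/..%c0%af..%c0%afprivate/notes.txt 200
10.0.0.9 GET /scripts/..%255c../private/notes.txt 404
10.0.0.7 GET /docs/readme.htm 200
"""


def lenient_decode(data: bytes) -> str:
    """Decode bytes as UTF-8 but accept overlong two- and three-byte forms
    (e.g. b'\\xc0\\xaf' -> '/'), which a strict decoder rejects and the
    vulnerable server accepted. Other bytes pass through one-to-one."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and (data[i + 1] & 0xC0) == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and (data[i + 1] & 0xC0) == 0x80 and (data[i + 2] & 0xC0) == 0x80):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalise_uri(uri: str) -> str:
    """Percent-decode until stable (bounded, so %2525... cannot loop forever),
    then apply the lenient decoder."""
    raw = uri.encode("utf-8")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return lenient_decode(raw)


def escapes_root(uri: str) -> bool:
    """True if the decoded path steps above the web root at any point."""
    path = normalise_uri(uri).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal_attempts(log_text: str) -> list:
    """Return (client_ip, uri) pairs for GET requests that escape the root."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "GET":
            continue
        if escapes_root(parts[2]):
            hits.append((parts[0], parts[2]))
    return hits


if __name__ == "__main__":
    for ip, uri in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {uri}")
```

Decoding repeatedly is deliberately more permissive than a correct server should be: the goal here is to see the path the way a flawed decoder would, so a request that only a vulnerable server would have honoured still shows up in the log review.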

On some affected machines, the virus also copies itself into the Windows directory with the filename CSRSS.EXE.

The virus attempts to alter the contents of pages on such servers, hunting for files with the filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above

Publisher: Sophos
File format: HTML
Date published: October 2001