NIMDA WORM VIRUS INFORMATION
W32.Nimda.A@mm is a mass-mailing worm that uses multiple methods to spread itself. The name of the virus comes from the reversed spelling of "admin". The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and also acts as a file-infecting virus, infecting both local files and files on remote network shares.
The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Pack 5 or 6a, or Windows 2000 Gold or Service Pack 1, and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
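As an added illustration (not part of the original advisory) of the canonicalization mistake behind this class of traversal flaw, the Python below compares a check that looks for `..` before overlong UTF-8 is decoded with one that decodes fully first, running both over constructed IIS-style log lines; the log layout, the sample paths and the function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 but also accept overlong 2-byte forms (e.g. 0xC0 0xAF
    for '/'), as a permissive decoder would; bad bytes become U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def naive_flags(raw_path: str) -> bool:
    """Weak check: look for '../' or '..\\' after percent-decoding but before
    UTF-8 decoding, so an overlong-encoded separator is not seen."""
    b = unquote_to_bytes(raw_path)
    return b"../" in b or b"..\\" in b

def escapes_root(raw_path: str) -> bool:
    """Hardened check: decode completely, then flag paths that climb above root."""
    decoded = lenient_utf8(unquote_to_bytes(raw_path)).replace("\\", "/")
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

SAMPLE_LOG = [  # constructed W3C-style lines: date time method uri-stem status
    "2001-09-18 10:01:02 GET /default.htm 200",
    "2001-09-18 10:01:03 GET /scripts/..%c0%af..%c0%afexample 404",  # overlong '/'
    "2001-09-18 10:01:04 GET /images/../index.html 200",  # '..' but stays in root
    "2001-09-18 10:01:05 GET /scripts/../../example 404",  # plain traversal
]
LOG_RE = re.compile(r"^\S+ \S+ [A-Z]+ (?P<path>\S+) \d+$")

def flag_traversal(lines, check=escapes_root):
    """Return the request paths that `check` flags."""
    return [m.group("path") for m in map(LOG_RE.match, lines)
            if m and check(m.group("path"))]

if __name__ == "__main__":
    print("naive   :", flag_traversal(SAMPLE_LOG, naive_flags))
    print("hardened:", flag_traversal(SAMPLE_LOG))
```

The naive check both misses the overlong-encoded request and raises a false positive on the harmless `/images/../index.html`, which is why canonicalizing before checking is the correct order.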
When the worm arrives by email, it uses a MIME exploit that allows the attachment to be executed just by reading or previewing the message. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer internet security zones to prevent this compromise.
Also, the worm creates open network shares on the infected computer, allowing access to the system. During this process the worm creates the Guest account with Administrator privileges.
NOTE: Microsoft has released a cumulative roll-up for IIS 4.0 on NT 4.0 SP5 and later, as well as all security patches released to date for IIS 5.0. This can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.