VARIANT SPREADS RAPIDLY
Virus Name : W32.Nimda.E@mm
Alias : I-Worm.Nimda.E, W32.Nimda.Worm, W32/Nimda-E, PE_Nimda.E
Virus type : Internet, IIS, e-mail worm
level : Medium
a modified variant of the Nimda worm and uses different techniques
to spread. It will infect network shares, local PE files and already
vulnerable Microsoft IIS web servers. Because of the IIS server
infection it generates heavy network traffic. Nimda also uses the
trojan dropped by CodeRed to find the target
The worm uses the Unicode Web Traversal exploit to infect IIS servers.
Web administrators are requested to install the patch from the
Microsoft link http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
The worm uses a MIME exploit to infect IE users. When the worm arrives
by email, this security hole allows the virus to be executed just by
reading or previewing the file. Windows 95/98/ME users are requested
to install the patch http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Nimda scans random IP addresses to find a server to infect. When a
host is found to have one, the worm instructs the machine to download
the worm code HTTPODBC.DLL from the host used for scanning.
The worm also drops random files like readme.eml, desktop.eml,
sample.eml and readme.nws in the shared folders. It also modifies
*.htm, *.html and *.asp files and adds JavaScript to open the infected
EML files automatically. So whenever a user visits the compromised
server site, he will be forced to download readme.eml. If the user
accidentally opens the attachment, it will infect the local machine.
e-mail addresses stored in *.htm, *.html files to distribute infected
messages. It also spreads using email addresses under MAPI messages of
Microsoft Outlook and Microsoft Outlook Express. The attachment name
will be "sample.exe" and the message body will be empty.
If the infected e-mail attachment is executed, it copies itself to the
file load.exe in the Windows folder. It modifies the SYSTEM.INI file by
adding the following string SHELL= explorer.exe load.exe -dontrunold
in the [BOOT] section, so the worm will be started automatically on
next startup. It also modifies the following registry entries when
infecting the machine.
case of Windows NT/2000 modifies the following
affected machines, the virus also copies itself
into the Windows directory with the filename
worm gets executed whenever the Microsoft Word application is
activated. It should be replaced with a fresh copy. In case of NT/2000
systems, this worm creates a "Guest" account with Admin rights. It
should be fixed after removing the worm.
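
An added example, not part of the original advisory or of Solo's product: a Python check for the indicators described above (load.exe on the shell= line of the [boot] section of SYSTEM.INI, the dropped .eml/.nws files, and web pages that reference readme.eml). The function names and the sample SYSTEM.INI content are constructed for illustration, and flagging every page that mentions readme.eml is an assumed heuristic.

```python
import os
import re
import sys

# Indicators named in the advisory text.
DROPPED_NAMES = {"readme.eml", "desktop.eml", "sample.eml", "readme.nws"}
WEB_EXTS = (".htm", ".html", ".asp")
# Assumed heuristic: any reference to readme.eml inside a web page is suspect.
EML_REF = re.compile(rb"readme\.eml", re.IGNORECASE)

# Constructed sample of an infected SYSTEM.INI, built from the string in the advisory.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"


def check_system_ini(text):
    """Return the [boot] shell= value if it launches load.exe, else None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell" and "load.exe" in value.lower():
                return value.strip()
    return None


def scan_tree(root):
    """Report dropped .eml/.nws files and web pages that reference readme.eml."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                findings.append(("dropped-file", path))
            elif name.lower().endswith(WEB_EXTS):
                try:
                    with open(path, "rb") as fh:
                        if EML_REF.search(fh.read()):
                            findings.append(("page-references-eml", path))
                except OSError:
                    continue  # unreadable file: skip it and keep scanning
    return findings


if __name__ == "__main__":
    print("SYSTEM.INI sample:", check_system_ini(SAMPLE_SYSTEM_INI))
    for kind, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path)
```

Run it against a web root or a shared folder; a hit on a web page only means the page mentions readme.eml and still needs manual review.
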
How can I protect my
Solo has incorporated W32.Nimda.E@mm in its signature file to protect
users from this worm attack. Solo antivirus registered users are
already protected from this worm. Make sure that you have installed
the registered version of Solo Antivirus to protect your system from
all virus threats.
to remove this worm?
If you are infected with the W32.Nimda.E@mm worm, install the
security patch first. Then run Solo antivirus and choose the clean
option to repair the worm infected
antivirus can detect and remove W32.Nimda.E@mm
safely. Use the following link to Download
30 day trial version of Solo antivirus
remove viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
purchase Solo antivirus using the link