Discovered on: September 18, 2001

According to SARC, W32.Nimda.A@mm is a new mass-mailing worm that uses multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, and attempts to copy itself to unpatched Microsoft IIS web servers. The worm does this using the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at:
Users visiting compromised Web servers will be prompted to download a "readme.exe" file, which contains the worm as an attachment. (See
If sent via e-mail, the attachment name varies and may use the icon for an Internet Explorer HTML document. The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus, when a message is accessed, the attachment can be executed without the user's knowledge.
The worm will also create an open network share on the infected computer, allowing access to the system via the Internet, which can thoroughly
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network
It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and creates a SYSTEM.INI entry to load itself at startup:

Shell=explorer.exe load.exe -dontrunold
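As an added example (not code from this advisory, SARC or McAfee), the following Python check looks for the two host-side indicators described above: a MIME part whose declared content-type (such as audio/x-wav) disagrees with an executable payload, and a SYSTEM.INI Shell= line that loads anything besides explorer.exe. The sample message and INI text are constructed for the example.

```python
import email
from email import policy

# Constructed sample modelled on the advisory: the attachment is declared as
# audio/x-wav but carries an executable (the payload starts with an MZ header).
SAMPLE_EML = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1--
"""

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".pif", ".com")

def suspicious_parts(raw):
    """Return (content-type, filename) for parts whose declared media type
    is not application/* yet carry an executable (MZ header or .exe-style name)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_exe = payload[:2] == b"MZ" or name.endswith(EXECUTABLE_EXTS)
        if looks_exe and not ctype.startswith("application/"):
            findings.append((ctype, name))
    return findings

def shell_line_tampered(system_ini_text):
    """True if the Shell= entry loads anything other than a bare explorer.exe."""
    for line in system_ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "shell":
            return value.strip().lower().split() != ["explorer.exe"]
    return False
```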
McAfee Anti-virus has posted the following removal instructions for their customers. THIS WILL ONLY WORK IF YOU ARE RUNNING A CURRENT VERSION OF THE MCAFEE ANTI-VIRUS PROGRAM!
Detection and removal is in the 4159 DAT files posted today. This includes detection and removal for infected .ASP, .DLL, .EML, .EXE, .HTM, .HTML, and .NWS files (with ALL files being scanned).
Note that when repairing infected .ASP, .HTM, and .HTML files, they are properly
dropped copies of the worm
Additionally, customers may use the provided Extra DATs for detection and removal:

Extra.Dat (Ver 2)
Nimda2.Exe (Ver 2)