Note: To protect the privacy of our members, e-mail addresses have been removed from the archived messages. As a result, some links may be broken.


New virus alert


From: Maggie White (mwhiteaz_at_TeacherArtExchange)
Date: Tue Sep 18 2001 - 17:27:25 PDT

Hi, all,

The following came via a reputable online newsletter I subscribe to. As
usual, don't open attachments from anyone, but beware of the warning
about possible infected Web sites.


This is a free service of - We share
your PAIN!

If you find this information helpful, pass it on to others...

If you would like to be added or removed from this list, go to:

Discovered on: September 18, 2001

According to SARC, the W32.Nimda.A@mm is a new mass-mailing worm that
utilizes multiple methods to spread itself. The worm sends itself out
by email, searches for open network shares, and attempts to copy itself
to un-patched Microsoft IIS web servers. The worm does this using the
Unicode Web Traversal exploit. A patch and information regarding this
exploit can be found at:
Microsoft has also released a tool to assist in patching systems at:

Users visiting compromised Web servers will be prompted to download a
"readme.exe" file, which contains the worm as an attachment. (See

If sent via e-mail, the attachment name varies and may use the icon for
an Internet Explorer HTML document. The email messages created by the
worm specify a content-type of audio/x-wav with an executable
attachment type. Thus when a message is accessed, the attachment can be
executed without the user's knowledge.

The worm will also create an open network share on the infected
computer, allowing access to the system via the Internet, which can
thoroughly compromise corporate

Once infected, your system is used to seek out others to infect over
the web. As this creates a lot of port scanning, this can cause a
network traffic jam.

It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and
creates a SYSTEM.INI entry to load itself at startup:

    Shell=explorer.exe load.exe -dontrunold

McAfee Anti-virus has posted the following removal instructions for
their

Removal Instructions:

Detection and removal is in the 4159 DAT files posted today. This
includes detection and removal for infected .ASP, .DLL, .EML, .EXE,
.HTM, .HTML, and .NWS files (with ALL files being scanned).

Note that when repairing infected .ASP, .HTM, and .HTML files, they are
properly truncated to remove the infectious javascript call. The
dropped copies of the worm are deleted.

Additionally, customers may use this provided Extra Dats for detection
and removal.
Extra.Dat (Ver 2)
Nimda2.Exe (Ver 2)
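
The two indicators the alert describes (a mail part declared as audio/x-wav that carries an executable file name, and extra programs on the SYSTEM.INI Shell= line) can be checked as below. This is an added example, not part of the original message or the forwarded newsletter; the extension list, the function names and both sample inputs are constructed assumptions.

```python
import email
from email import policy

# Assumption: illustrative extension list, not taken from the alert.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")
HARMLESS_MAJOR_TYPES = ("audio", "image", "video", "text")

# Constructed sample message; the body is the base64 of "placeholder".
SAMPLE_EML = (
    "From: a@example.invalid\r\nTo: b@example.invalid\r\n"
    "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    '--b1\r\nContent-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
    "cGxhY2Vob2xkZXI=\r\n--b1--\r\n"
)
# Constructed from the startup line quoted in the alert.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"


def mismatched_attachments(raw_message):
    """Return (declared type, filename) for parts that claim a media type
    but carry an executable file name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ctype = part.get_content_type()
        if (name.lower().endswith(EXECUTABLE_EXTS)
                and ctype.split("/")[0] in HARMLESS_MAJOR_TYPES):
            hits.append((ctype, name))
    return hits


def extra_shell_programs(ini_text):
    """Return whatever follows the first program on each shell= line."""
    extras = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            tokens = value.split()
            if tokens[1:]:
                extras.append(" ".join(tokens[1:]))
    return extras
```

Both functions take text, so they can be run over exported .EML files or a copy of SYSTEM.INI taken from a suspect machine.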