Virus to look out for SEPTEMBER 18, 2001Description:
W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites.
Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.
The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.
The virus alters the System.ini file to include the line shell=explorer.exe load.exe -dontrunold so that it executes on Windows startup.
The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:
index.html, index.htm, index.asp
readme.html, readme.htm, readme.asp
main.html, main.htm, main.asp
default.html, default.htm, default.aspIf it finds one of the above files on the web server the virus attempts to alter the contents of the file, adding a section of malicious Javascript code to the end of the file.
If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer - which is then executed, forwarding the virus once more.
The virus contains the following text: "Copyright 2001 R.P.China".