Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
W32/Nimda.A@mm, W32/Nimda@mm, I-Worm.Nimda, Readme, Readme.exe
Sent by email, Backdoor component.
The worm serches all '.htm' and '.html' files in existing Internet directory for email addresses. It scans the user's Inbox and collects senders' addresses. After finishing the address list, it uses its own SMTP engine to send the infected messages.
The worm uses the backdoor component for IIS server. It uses random IP addresses for these backdoors. When a host computer is found, the worm instructs it to download the worm code (Admin.dll) from the computer used for scanning. Then the worm is activated on that system and infects it.
W32/Nimda.eml is the first worm that can modify existing websites and uses them to download infected files. So, it is the first worm using normal end-user computers, for testing weak websites. This technique allows Nimda to access Intranet websites under firewall. The life cycle can be described in four parts:
1. Infecting files. 2. Mass mailer. 3. Web worm. 4. LAN spreading.
1. Infecting Files
W32/Nimda.eml detects EXE files on local computers and infects them, using their content as resource. These files spread the infection over program exchange (ex: Games).
2. Mass Mailer
W32/Nimda.eml detects email addresses over MAPI of the email Client and searches for local HTML files on existing addresses. Then, it sends an email to every address.
3. Web Worm
W32/Nimda.eml begins to search the Internet and to reach www.servers. When it finds a web server, the worm tries to infect it, using some known security holes. If this succeeds, the worm modifies arbitrary websites, thus automatically infecting the web surfer.
4. LAN Spreading
The worm searches for files that can be accessed on lokal networks either by file servers or by end-user computers. When a file is found, a hidden file named RICHED20.DLL is inserted in DOC or EML directory. The worm has a different behavior, when activated by files with different name and type.
Start on a Server:
If the worm file is named ADMIN.DLL, the worm creates a Mutex named 'fsdhqherwqi2001', copies itself as MMC.EXE in \Windows\ directory and starts this file using the command '-qusery9bnow'. Usually, the worm starts as ADMIN.DLL on the infected webserver. From this point the worm searches for files on accessible drives, including distant drives or networks, in order to infect them. The worm infects exe files (WINZIP32.EXE excluded) on these drives. The infection technique used is new. The worm places an infected file as resource in its body. When the infected file is opened, the worm downloads the original EXE file, launches it and, aftewards it tries to delete it. If this action is not immediately possible, the worm creates WININIT.INI file, which deletes the virus file when Windows is restarted.
The worm accesses:
There it reads subkeys and infects all files listed in those subkeys.
The worm does not infect WinZip32.exe.
It also accesses the user's personal folder:
and infects all files in that folder.
The worm also creates *.EML and *.NWS files in all directories it can reach. The hidden system file RICHED02.DLL is created in all directories, where DOC or EML files were found. The worm also tries to replace the original RICHED02.DLL file with its copy.
Start on a Workstation:
If the worm is activated by opening README.EXE, it copies itself under a random name ('MEP*.TMP') in the temporary directory and runs using '-dontrunold'.
First, the worm is loaded as DLL library, looks for a special resource and checks its size. If the resource is smaller than 100, the worm is not loaded. Else, the worm is loaded in a file. The resource size indicates when the worm is activated from an EXE infected file. Then the worm gets the actual time and generates a random number. After doing some calculations with this number, it checks the result. If the result is bigger than the worm's counter, the worm starts to search and deletes README*.EXE file in the existing directory. Then, the worm prepares its MIME encoded copy, placing in it a MIME multipartite from its body and attaches it. The file is saved with a random name in the existing directory. The worm then looks for the Explorer process, opens it and integrates its own process as part of the Explorer. The worm has access over API, uses a Mutex named 'fsdhqherwqi2001', starts Winsock services, gets information on the host computer and then stops for some time.
If the worm runs on NT system, it concentrates on using a smaller memory space and copies itself as LOAD:EXE in Windows system directory. Then it modifies the file SYSTEM.INI, with the following string:
explorer.exe load.exe -dontrunold
which activates the worm copy every time Windows starts.
The worm also copies itself as RICHED20.DLL in system directory, which is a hidden system file, just like LOAD.EXE.
Then the worm counts the shared network resources and starts searching for repeated files on other systems.
While doing this, the worm also looks for .DOC and .EML files and copies its double image named RICHED20.DLL (a hidden system file)in their directory.
While scanning computer's directories, the worm creates .EML and .NWS files, using the names of documents or websites found on the system. These .EML and .NWS files are multipartite worm components, containing a worm MIME encoding.
When scanning for the worm, .EML and .NWS files can be deleted.
The worm does not try to infect local or remote EXE files, when started from a Workstation.
The worm adapts to Windows Explorer settings:
[Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] and activates 'Hidden', 'ShowSuperHidden' 'HideFileExt' options.
The worm deletes the subkey: [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
Description inserted by Crony Walker on Tuesday, June 15, 2004