W32/Nimda is an Internet worm that spreads as a mass mailer, sending itself as an email attachment.
Subject: random text.
Body: usually empty.
Attachments: the attachment is named README.EXE, but the .EXE extension is usually hidden. Sometimes the attachment's extension is .COM or .WAV. If Outlook or Outlook Express is used, the attachment is not previewed.
If README.EXE is opened automatically or by double-clicking, the worm copies itself into the Windows temp directory. It creates a file with a variable name of the form MEvariable.TMP.EXE. This file is opened and then deleted at system start under Windows 9x/ME. Then the worm copies itself into the Windows and System directories as:
It overwrites existing files with the same names. A reference to the LOAD.EXE file is inserted into SYSTEM.INI, so the worm is automatically activated at the next system start:
SHELL=explorer.exe load.exe -dontrunold
A few minutes later, the worm creates a number of .EML (email) or .NWS (newsgroup posting) files in all Windows subdirectories. These files contain the worm itself. If the worm has access to network drives, it copies itself onto those too, as .EML or .NWS files in subdirectories.
Then the worm resets the Windows Explorer settings to their default values. After this change, "hidden" and "system" files are no longer shown, and the extensions of known file types are also hidden.
If there is an Internet connection, Nimda tries to download a file named ADMIN.DLL using FTP. Under NT, the worm tries to log on as Guest and to give that account administrative rights. This way, the C:\ drive is no longer restricted for reading and writing.
The worm deletes all registry keys in:
If the worm is activated on an IIS web server, it creates a file named README.EML. When this file is opened automatically (by opening a website), JavaScript is added to the following files: Index.html, Index.htm, Index.asp, Readme.html, Readme.htm, Readme.asp, Main.html, Main.htm, Main.asp, Default.html, Default.htm, Default.asp.
If one of the modified pages above is opened, the JavaScript is launched. The browser loads the README.EML file from the local computer. Depending on security settings, some browsers automatically open the README.EXE attachment.
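The artefacts described above (the extended Shell= line in SYSTEM.INI, the dropped .EML/.NWS files carrying a README.EXE attachment, and the web pages that reference README.EML from a script block) can be checked for with a short host-side triage script. The following Python is an added example written for this description; it is not code from the original page or from any vendor tool. It builds a constructed directory tree with sample contents so it runs offline; on a real host you would point the functions at the Windows directory and the IIS web root instead.

```python
"""Added example (not from the original description): host-side triage for the
W32/Nimda indicators named in the text. All file contents below are constructed
sample data, not real worm files."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicator 1: the worm extends the [boot] Shell= line in SYSTEM.INI with
# "load.exe -dontrunold" so that it is started at the next boot.
SHELL_INDICATOR = re.compile(
    r"^\s*shell\s*=.*\bload\.exe\b.*-dontrunold", re.IGNORECASE | re.MULTILINE
)

# Indicator 2: the dropped .EML/.NWS copies carry a MIME attachment named README.EXE.
ATTACHMENT_INDICATOR = re.compile(r'name\s*=\s*"?readme\.exe"?', re.IGNORECASE)

# Indicator 3: altered IIS pages reference README.EML from a script block.
WEB_INDICATOR = re.compile(r"<script[^>]*>[^<]*readme\.eml", re.IGNORECASE | re.DOTALL)
WEB_PAGES = {"index", "readme", "main", "default"}   # base names listed in the text
WEB_EXTS = {".html", ".htm", ".asp"}


def system_ini_hijacked(text: str) -> bool:
    """True if the Shell= entry has been extended with the worm loader."""
    return SHELL_INDICATOR.search(text) is not None


def worm_mail_files(root: Path) -> list[Path]:
    """Return .eml/.nws files under root whose MIME headers name a README.EXE attachment."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".eml", ".nws"}:
            if ATTACHMENT_INDICATOR.search(p.read_text(errors="ignore")):
                hits.append(p)
    return hits


def altered_web_pages(webroot: Path) -> list[Path]:
    """Return the index/readme/main/default pages that carry a README.EML script reference."""
    hits = []
    for p in webroot.rglob("*"):
        if p.is_file() and p.stem.lower() in WEB_PAGES and p.suffix.lower() in WEB_EXTS:
            if WEB_INDICATOR.search(p.read_text(errors="ignore")):
                hits.append(p)
    return hits


def build_sample_tree() -> Path:
    """Create a constructed tree that mimics the artefacts (sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    win = base / "Windows"
    (win / "Temp").mkdir(parents=True)
    (win / "system.ini").write_text("[boot]\nShell=explorer.exe load.exe -dontrunold\n")
    (win / "Temp" / "readme.eml").write_text(
        "MIME-Version: 1.0\nContent-Type: multipart/mixed\n\n"
        'Content-Type: application/octet-stream; name="README.EXE"\n'
        "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n"   # constructed, not a real binary
    )
    (win / "Temp" / "notes.eml").write_text("Subject: hi\n\nplain mail, no attachment\n")
    web = base / "inetpub" / "wwwroot"
    web.mkdir(parents=True)
    (web / "default.htm").write_text(
        "<html><body>site</body></html>\n"
        "<script>/* constructed sample */ location = 'readme.eml';</script>\n"
    )
    (web / "about.htm").write_text("<html><body>clean page</body></html>\n")
    return base


def triage(base: Path) -> dict:
    """Run all three checks against a tree laid out like a Windows/IIS host."""
    return {
        "system_ini": system_ini_hijacked((base / "Windows" / "system.ini").read_text()),
        "mail_files": sorted(p.name for p in worm_mail_files(base / "Windows")),
        "web_pages": sorted(p.name for p in altered_web_pages(base / "inetpub" / "wwwroot")),
    }


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

The checks are deliberately string-based: the loader line and the attachment name are the fixed strings the description gives, and the web check only flags the twelve page names the text lists, so a clean page in the same directory (about.htm in the sample) is not reported. Because the worm hides file extensions after it runs, the scan matches on suffixes as stored on disk rather than relying on what Explorer shows.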
Description added by Crony Walker on Tuesday, June 15, 2004