Alias: W32/Nimda.gen@MM
Type: Worm
Size: 57,344 bytes
Origin: 
Date: 09-18-2001
Damage: W32/Nimda is an Internet worm that mass-mails itself as an email attachment.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: Medium

Distribution
Subject: random text.
Body: usually empty.
Attachments: the attachment is named README.EXE, but the .EXE extension is usually hidden. Sometimes the attachment carries a .COM or .WAV extension instead. If Outlook or Outlook Express is used, the attachment is not shown in the preview.

Technical Details
If README.EXE is opened automatically or by double-click, the worm copies itself into the Windows temp directory as a file with a variable name of the form ME*.TMP.EXE. This file is run and is then deleted at the next system start under Windows 9x/ME. The worm then copies itself into the Windows and System directories as:

WINDOWS\LOAD.EXE
WINDOWS\RICHED20.DLL
WINDOWS\SYSTEM\RICHED20.DLL
WINDOWS\SHELLNEW\RICHED20.DLL
It overwrites any existing files of the same names. LOAD.EXE is then registered in SYSTEM.INI, so the worm is started automatically at the next system start:

SHELL=explorer.exe load.exe -dontrunold

Some minutes later the worm creates a number of .EML (email message) or .NWS (newsgroup posting) files in all Windows subdirectories; each of these contains a copy of the worm. If the worm has access to network drives, it also copies itself onto them as .EML or .NWS files in their subdirectories.

The worm then resets the Windows Explorer folder settings to their defaults: "hidden" and "system" files are no longer shown, and the extensions of known file types are hidden, which makes the dropped files and the real .EXE extension of README.EXE harder to notice.

If there is an Internet connection, Nimda tries to download a file named ADMIN.DLL using TFTP. Under Windows NT the worm activates the Guest account and gives it administrative rights. As a result the drive C:\ is no longer restricted for reading and writing over the network.

The worm deletes all registry keys under the following path, which holds the share-level security descriptors, so existing share permissions are removed:

\System\CurrentControlSet\Services\lanmanserver\Shares\Security

If the worm is activated on an IIS web server, it creates a file named README.EML in the web directories and appends a JavaScript snippet to the following files: Index.html, Index.htm, Index.asp, Readme.html, Readme.htm, Readme.asp, Main.html, Main.htm, Main.asp, Default.html, Default.htm, Default.asp.
When one of these modified pages is opened, the script runs and the browser loads the README.EML file from the web server. Depending on its security settings, some browsers then open the attachment README.EXE automatically.
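As an added example, not part of the original advisory, the following Python script sweeps a host for the indicators this description gives: the SYSTEM.INI shell= line, the dropped LOAD.EXE and the replaced RICHED20.DLL (told apart from the legitimate DLL of the same name by the 57,344-byte worm size), .EML/.NWS copies that carry a README.EXE/.COM/.WAV attachment, and the listed web page names carrying a script that opens README.EML. The exact shape of the injected script and of the attachment header are assumptions made for the example, and the sample tree is constructed data.

```python
import os
import re

# Persistence line the worm writes into SYSTEM.INI (matched case-insensitively).
SYSTEM_INI_SHELL_RE = re.compile(
    r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.I | re.M
)

# Worm size from the advisory; separates a worm copy of RICHED20.DLL from the real DLL.
WORM_SIZE = 57344

# Copies of the worm written as mail / news messages into subdirectories.
DROPPED_EXTS = {".eml", ".nws"}

# Assumption: a dropped message names its attachment README with one of the
# extensions the advisory lists (.EXE, sometimes .COM or .WAV).
ATTACHMENT_RE = re.compile(r'name="?readme\.(exe|com|wav)"?', re.I)

# Web pages the advisory lists as targets for the injected script.
WEB_TARGET_NAMES = {
    stem + ext
    for stem in ("index", "readme", "main", "default")
    for ext in (".html", ".htm", ".asp")
}

# Assumption about the injected script: a <script> block that references readme.eml.
INJECTED_SCRIPT_RE = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)


def system_ini_is_hijacked(text):
    """True if SYSTEM.INI carries the worm's shell= line."""
    return SYSTEM_INI_SHELL_RE.search(text) is not None


def web_page_is_injected(filename, content):
    """True if a targeted page name contains a script that opens readme.eml."""
    if os.path.basename(filename).lower() not in WEB_TARGET_NAMES:
        return False
    return INJECTED_SCRIPT_RE.search(content) is not None


def message_is_worm_copy(content):
    """True if an .EML/.NWS body declares a README.EXE/.COM/.WAV attachment."""
    return ATTACHMENT_RE.search(content) is not None


def sweep_tree(files):
    """Check a {path: bytes} mapping and return a list of (path, reason) findings.

    The mapping stands in for the file system so the sweep can run on the
    constructed SAMPLE_TREE below; sweep_directory() builds it from disk.
    """
    findings = []
    for path, data in files.items():
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        text = data.decode("latin-1")  # lossless byte-to-str for pattern checks
        if name == "system.ini" and system_ini_is_hijacked(text):
            findings.append((path, "SYSTEM.INI shell= line starts load.exe -dontrunold"))
        elif name == "load.exe":
            findings.append((path, "LOAD.EXE dropped by the worm"))
        elif name == "riched20.dll" and len(data) == WORM_SIZE:
            findings.append((path, "RICHED20.DLL replaced by a 57,344-byte worm body"))
        elif ext in DROPPED_EXTS and message_is_worm_copy(text):
            findings.append((path, "dropped .EML/.NWS copy of the worm"))
        elif web_page_is_injected(name, text):
            findings.append((path, "web page injected with script opening README.EML"))
    return findings


def sweep_directory(root):
    """Walk a real directory tree and run sweep_tree() over its files."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for fname in names:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    files[full] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sweep_tree(files)


# Constructed sample tree (not captured data) exercising every check once.
SAMPLE_TREE = {
    "C:/WINDOWS/SYSTEM.INI": b"[boot]\r\nshell=explorer.exe load.exe -dontrunold\r\n",
    "C:/WINDOWS/LOAD.EXE": b"MZ" + b"\x00" * (WORM_SIZE - 2),
    "C:/WINDOWS/SYSTEM/RICHED20.DLL": b"MZ" + b"\x00" * (WORM_SIZE - 2),
    "C:/BACKUP/RICHED20.DLL": b"MZ" + b"\x00" * 1022,  # clean: size differs
    "C:/DOCS/README.EML": (
        b"Content-Type: multipart/mixed\r\n\r\n"
        b'Content-Disposition: attachment; filename="README.EXE"\r\n'
    ),
    "C:/DOCS/NOTES.EML": b"Subject: minutes\r\n\r\nno attachment here\r\n",  # clean
    "C:/INETPUB/WWWROOT/DEFAULT.ASP": (
        b"<html><body>site</body></html>"
        b'<script language="JavaScript">window.open("readme.eml", null, '
        b'"resizable=no,top=6000,left=6000")</script>'
    ),
    "C:/INETPUB/WWWROOT/ABOUT.HTM": b'<script>window.open("readme.eml")</script>',  # not a target name
}

if __name__ == "__main__":
    for path, reason in sweep_tree(SAMPLE_TREE):
        print(path, "-", reason)
```

Run it against a real tree with sweep_directory(r"C:\") from a clean boot environment; the name-only checks for RICHED20.DLL and .EML files are deliberately narrowed by size and attachment header so the sweep does not flag the legitimate DLL or ordinary saved mail.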
Description by Crony Walker, Tuesday, June 15, 2004