Name: Win32.Nimda.A@mm
Aliases: W32/Nimda.A
Type: File Infector & Internet Worm, written in Visual C language
Size: 57344 bytes
Risk: High
ITW: Yes
Description:
This virus comes through e-mail as an attached file, with the body of the mail apparently empty but which actually contains the code to use an exploit which will execute the virus when the user just view the message (if he is using Outlook or Outlook Express without latest Service Packs or patches from Microsoft). Once installed it copies itself in the system directory with the nameriched20.dll modifying itself to be loaded as a DLL
(Dinamically Link Library). This DLL is used by applications that work with Richedit Text Format such as Wordpad.
To be activated at every reboot, the virus modifies system.ini in the boot section, writing the following line:
shell=explorer.exe load.exe -dontrunold
The virus attaches a thread to explorer.exe to run its viral code.
To spread it uses MAPI (Mailing API) functions to read user\\\'s e-mails from where it extracts SMTP (Simple Mail Transfer Protocol) addresses and e-mail addresses.
Another method to spread is by using the Unicode Web Traversal exploit similar to CodeBlue. Information and a patch for this exploit are located at
http://www.microsoft.com/technet/sec...n/ms00-078.asp
Using this exploit the virus gets control of the execution flow on that server and download itself under the name admin.dll, then puts a HTML code in the web page hosted by the IIS server to download the virus. To do this it tries to modify the files with the name:
index, main, default
and with the extension one of:
.html
.htm
.asp
Also the virus enumerates the network resources visible to the infected computer and tries to copy in shared files or folders.
The virus is able to infect files by attaching the executable as a resource with raw data named f in the virus program. When the infected file is executed the virus takes over the control and executes the original file so the user doesn\\\'t notice anything. This is accomplished by dropping that f resource in a file with the same name as the original but with a space appended, followed by .exe.
The virus activates the user guest with no password and add it to the Administrator group. Also it creates a share for every root directory (from C to Z) with all access rights, and disables the proxy by modifying the keys:
HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Wind ows\\\\
CurrentVersion\\\\Internet Settings\\\\MigrateProxy 1
HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Wind ows\\\\
CurrentVersion\\\\Internet Settings\\\\ProxyEnable 0
HKEY_CURRENT_CONFIG\\\\Software\\\\Microsoft\\\\Wi ndows\\\\
CurrentVersion\\\\Internet Settings\\\\ProxyEnable 0
Leaving the library riched20.dll not deleted will reactivate the virus when a program using this library is executed.
As a signature the following text can be found in the file:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Virus analysed by Costin Ionescu, Data Security Expert of SOFTWIN Antivirus Laboratory.
, ma nel log dice tipo così:
sul vostro computer questo significa che qualcuno accede al vostro server(win2000) remotamente, e quindi il computer potrebbe infettarsi nuovamente. Consigliamo di FORMATTARE TUTTO
e reinstallare le vostre applicazioni!
!!! quindi ce l'ho proprio dentro oramai da una decina di giorni!!!
Rispondi quotando
), non ho lo spazio per la paginazione ecc. NAV mi da errore nello scipt della pagina! io avevo settato c come sola lettura, ma forse ho sbagliato qualcosa e ora credo che sia irreversibile!!!! cmq non avevo ben capito come si eliminava, lì diceva di scaricare il tool e a me è il tool che non mi trova il virus! ad un c erto punto però mentre è in esecuzione e sitrova nella cartella winNt si blocca per 30/40 sec, non è che i bastardi possono disattivare anche il tool di rimozione???
