Description: This is a fast-spreading Internet worm and file infector in its pure and original form.
This file-infecting worm arrives as an embedded attachment, README.EXE file, in an email that has an empty message body and, usually, an empty subject field. It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.
The infected email carries the executable attachment declared with a content-type of audio/x-wav, so that when recipients view the infected email, the default application associated with audio files (usually Windows Media Player) is opened and the attachment is run. The embedded EXE file cannot be viewed in Microsoft Outlook.
More information about this vulnerability is available in the Microsoft article Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
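The mismatch described above (an attachment declared as audio/x-wav whose bytes are actually a Windows executable) is something a mail gateway can check for directly. The following added detection example is not part of the original description; the list of auto-opened content types beyond audio/x-wav and the sample message are constructed assumptions for illustration.

```python
import base64
from email import message_from_bytes

# Content types that a vulnerable IE-based mail client hands to a helper
# application without prompting. audio/x-wav is the one the description
# names; the other entries are assumptions added for illustration.
AUTO_OPENED_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")

def suspicious_parts(raw_message: bytes) -> list:
    """Return attachments whose declared MIME type disagrees with their content:
    the content-type is one the client auto-opens, and either the filename has an
    executable extension or the decoded bytes begin with the 'MZ' PE signature."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in AUTO_OPENED_TYPES:
            continue
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if filename.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable filename")
        if payload[:2] == b"MZ":
            reasons.append("PE signature in body")
        if reasons:
            findings.append({"content_type": ctype, "filename": filename, "reasons": reasons})
    return findings

# Constructed sample: an empty-subject, empty-body message carrying an attachment
# declared as audio/x-wav whose bytes are a harmless stub that merely starts with "MZ".
STUB = base64.b64encode(b"MZ" + b"\x00" * 62).decode()
SAMPLE_EMAIL = (
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: \r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
    '--b1\r\nContent-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
    f"{STUB}\r\n--b1--\r\n"
).encode()

if __name__ == "__main__":
    for finding in suspicious_parts(SAMPLE_EMAIL):
        print(finding)
```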
This worm has four modes of spreading: via email, via network shared drives, via unpatched IIS servers and via file infection.
Email Exploit
This worm executes its mailing routine perpetually in 10-day cycles. In rare instances, it may reactivate the cycle after 11 days. To do this, this worm stores a value computed from the current system time in a counter saved in the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
Cache
When this worm is run, it checks this value to find out whether 10 (or occasionally 11) days have passed. If so, it executes its email propagation routine and resets the counter to begin the cycle again. To send copies of itself to others, this worm retrieves email addresses through the Messaging Application Programming Interface (MAPI). It also gathers email addresses from .HTML and .HTM documents found in the folder referred to by the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder
Cache
This worm stores email addresses in a linked list that it passes to its SMTP engine.
Description created: Oct. 10, 2001 2:49:00 AM GMT -0800
Description updated: Oct. 10, 2001 9:20:17 PM GMT -0800