Description:
This is Trend Micro's detection for files infected with the original viral code of PE_NIMDA.A-O, a fast-spreading Internet worm and PE file infector.
The virus arrives as an embedded attachment, README.EXE, in an email with an empty message body and, usually, an empty subject line. The recipient does not have to open the attachment for it to run: simply viewing or previewing the message in an Internet Explorer-based email client (such as Outlook or Outlook Express) on an unpatched system is enough. The worm exploits a known Internet Explorer vulnerability, Automatic Execution of Embedded MIME Types, to launch the attachment automatically.
The executable is carried in a MIME part whose Content-Type is declared as audio/x-wav. When an affected client renders the message, Internet Explorer trusts the declared type and opens the part with the application associated with audio files, usually Windows Media Player, instead of treating it as an untrusted executable; because the data is really an EXE, it executes. Since the part is embedded inline rather than listed as a normal attachment, the EXE is not shown as an attachment in Microsoft Outlook.
More information about this vulnerability is available in Microsoft's Security Bulletin MS01-020.
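The message layout described above (a multipart/alternative mail whose second part is an executable declared as audio/x-wav) is something a mail gateway can flag by comparing the declared MIME type, the attachment name and the first bytes of the decoded payload. The following is an added example written for this page, not Trend Micro's or the worm's code. The two mail bodies are constructed stand-ins: the "worm-shaped" one carries a harmless filler payload that merely starts with the PE "MZ" magic, and the boundary, header values and addresses are assumptions.

```python
"""Flag mail shaped like the README.EXE carrier: an executable MIME part whose
declared Content-Type is a media type (audio/x-wav) so an unpatched IE-based
client opens it automatically.  Added example; mail bodies are constructed."""
import base64
import email
import os
from email import policy
from email.message import Message

# Stand-in payload: starts with the PE/DOS "MZ" magic, otherwise zero filler,
# so it is not a runnable program (constructed for this example).
FAKE_PE = b"MZ" + b"\x00" * 62

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs"}


def build_message(attachment_name: str, content_type: str, payload: bytes,
                  multipart_subtype: str = "alternative") -> bytes:
    """Build a message in the worm's layout: an empty HTML part followed by a
    base64 part that carries the attachment under the declared content type."""
    body = base64.b64encode(payload).decode("ascii")
    raw = (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: \r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/{multipart_subtype}; boundary="====_part_boundary"\r\n'
        "\r\n"
        "--====_part_boundary\r\n"
        'Content-Type: text/html; charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "<html><body></body></html>\r\n"
        "--====_part_boundary\r\n"
        f'Content-Type: {content_type}; name="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "Content-ID: <part1>\r\n"
        "\r\n"
        f"{body}\r\n"
        "--====_part_boundary--\r\n"
    )
    return raw.encode("ascii")


def check_part(part: Message) -> list:
    """Return a list of findings for one leaf MIME part."""
    findings = []
    ctype = part.get_content_type()          # lower-cased declared type
    name = part.get_filename() or ""         # filename= or name= parameter
    ext = os.path.splitext(name)[1].lower()
    payload = part.get_payload(decode=True) or b""   # base64/QP decoded bytes
    # Declared as audio/image/text but the decoded bytes are a PE image.
    if payload.startswith(b"MZ") and not ctype.startswith("application/"):
        findings.append(f"declared {ctype} but payload starts with PE magic 'MZ'")
    # Executable name hidden under a non-application media type.
    if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
        findings.append(f"executable name {name!r} under non-application type {ctype}")
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and collect findings over all leaf parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    findings = []
    for part in leaves:
        findings.extend(check_part(part))
    # The worm used multipart/alternative so the client renders the second
    # part inline instead of listing it as an attachment; a non-text part in
    # an alternative container is itself suspicious.
    if msg.get_content_type() == "multipart/alternative" and any(
            not p.get_content_type().startswith("text/") for p in leaves):
        findings.append("non-text part inside multipart/alternative")
    return findings


# Constructed samples: worm-shaped carrier versus a genuine WAV in multipart/mixed.
WORM_SHAPED = build_message("readme.exe", "audio/x-wav", FAKE_PE)
BENIGN = build_message("clip.wav", "audio/x-wav", b"RIFF$\x00\x00\x00WAVEfmt ", "mixed")

if __name__ == "__main__":
    for label, raw in (("worm-shaped", WORM_SHAPED), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The check deliberately keys on the decoded payload rather than on the Content-Type alone: the whole point of the exploit is that the declared type lies, so a gateway rule that trusts it would wave the message through.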
It has four modes of spreading: via email, via network shared drives, via unpatched IIS servers and via file infection.
For additional information on the NIMDA worm, and suggestions for preventing future infections, you may also visit Microsoft's NIMDA Information page.
Email Exploit
The email routine runs on a repeating 10-day cycle; in rare instances it is re-triggered only after 11 days. To track this, the worm stores a value derived from the current system time in the Cache value under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
Each time the worm runs, it compares the current time against this stored value to determine whether 10 (or occasionally 11) days have passed. If so, it executes its email propagation routine and rewrites the value to restart the 10-day countdown. To find recipients, the worm harvests email addresses through the Messaging API (MAPI) and also from .HTML and .HTM documents in the Temporary Internet Files cache, the folder named by the Cache value under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
The harvested addresses are kept in a linked list that is handed to an SMTP engine built into the virus code, which sends the unsolicited email itself rather than through the user's mail client.
More information about this worm may be found at the Technical Details section.
Description created: Sep. 18, 2001 10:56:00 AM GMT -0800
Description updated: Oct. 2, 2001 10:35:46 AM GMT -0800