W32.Nimda.A@mm

Thread: W32.Nimda.A@mm

  1. #1
    Registered User
    Join Date
    Jun 1999
    Location
    Florida, USA
    Posts
    436

    Post W32.Nimda.A@mm

    Also known as: W32/Minda@MM

    W32.Nimda.A@mm is a new mass-mailing worm that utilizes email to
    propagate itself. The threat arrives as a file named readme.exe in an
    email.

    In addition, the worm sends out probes to Microsoft IIS servers
    attempting to spread itself by using the Unicode Web Traversal
    exploit similar to W32.BlueCode.Worm. Compromised servers may display
    a webpage prompting a visitor to download an Outlook file which
    contains the worm as an attachment.

    Also, the worm will create an open network share allowing access to
    the system. The worm will also attempt to spread via open network
    shares.


    For information:
    http://www.symantec.com/avcenter/[email protected]
    http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
    Tech Handbook Filling your computer needs.

  2. #2
    Registered User
    Join Date
    May 2000
    Location
    Lebanon, KY
    Posts
    295

    Post

    This thing took out our web server and a couple workstations.

    I was able to remove a lot of infected/replaced files based on the info at SARC.com on one workstation, which seemed to halt the virus. I did this on the boss' computer. Then she logged onto the network and she's infected again. $#!T

    McAfee has a fix, but I had to refresh for a few minutes to even view the page. Unfortunately we use Norton Antivirus, which does not have a fix yet.

    Anybody stumble upon directions for removing the virus? I tinkered on the boss' computer for an hour and had to reinstall Windows once. I don't want to do that again.
    --------------------------
    Laugh at your problems... Everybody else does!

  3. #3
    Registered User
    Join Date
    Jun 1999
    Location
    Florida, USA
    Posts
    436

    Post

    My work's webservers got infected. They gave up and just formatted and reloaded I think. Not much help, but there doesn't seem to be much of a fix. I think they are going back to NT 4 though. Luckily I use an outside hosting company (using Linux) for my sites.

    I was very shocked though that no one has mentioned it here before I did. It seems to be spreading extremely quick.

    [This message has been edited by Danrak (edited September 18, 2001).]
    Tech Handbook Filling your computer needs.

  4. #4
    Registered User
    Join Date
    May 2000
    Location
    Lebanon, KY
    Posts
    295

    Post

    Here's what I did to (supposedly) stop the virus on the workstations. I make no guarantees. Our computers are still f'd up, but they don't seem to be reproducing the virus anymore.

    Disclaimer: This might damage your DATA or PC so follow these steps at your own risk.

    First physically unplug from the network. I kept getting infected from other computers. You'll have to do a lot of this from Safe Mode too now that I think about it.

    #1 The virus is "load.exe". Its default location is c:\windows\system but that can change. Find it and delete it.

    #2 Load.exe is run in the system.ini. Remove the "shell =explore.exe load.exe -dontrunold" line from the system.ini.

    #3 I think the Norton's site said that the virus replaces your riched.dll. Delete it if it's been modified recently, and replace it with a clean one.

    #4 The virus makes a bajillion copies of itself as *.eml and *.nws files. Delete all *.eml and *.nws files created since your infection.

    #5 The virus makes a lot of fake TMP files in your windows temp folder. So search your temp folder for *.exe files and delete all the ones that start with MEP. Heck, delete everything that has been created since your infection date.

    #6 Search your computer for all EXE files. Some will have been modified since the infection. I had some, and hadn't installed anything recently, so I deleted the mo-fo's.

    #7 Look for shortcuts to *.eml and *.nws files on your desktop, start bar, and start menu. Delete 'em.

    #8 Pray pray pray.

    If you reboot, do a search on *.eml files, and find a thousand new ones, you're still infected and I forgot to tell you something.

    I'm afraid that we might have to format and reinstall from backup. Argh!

    Again, I make no promises. It *seems* to have stopped the computers producing the *eml files, so I assume the virus has been stopped.
    --------------------------
    Laugh at your problems... Everybody else does!

  5. #5
    RIOT
    Guest

    Post

    Norton's "fix" is running anti-virus repairing or deleting all found virus/infected files, and then rebooting. Repeat until nothing shows up. Then change "shell = explorer.exe load.exe -dontrunold" to "shell = explorer" in the system.ini file. Then make sure you can see all hidden files. Edit the wininit.ini file so that there is nothing left in it (delete every line). Reboot.

    Only thing is that the computers get infected again after you do all that!!!

    ------------------
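    The system.ini hook that posts #4 and #5 describe (the shell= line in [boot] being extended to launch load.exe) is easy to check and reset programmatically, and the wininit.ini [rename] section they say to empty can be listed first so you know what would have been copied over on reboot. The following is an added example, not code from the thread; it works on text in memory and the sample file contents are constructed.

```python
"""Check and repair the system.ini shell= hook described in posts #4 and #5.

Added example, not from the thread. It works on text in memory, so try it on
a copy of the file first; the sample contents below are constructed.
"""
import re

# Constructed: [boot] section as post #5 describes it after infection.
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll

[386Enh]
device=*vpowerd
"""

# Constructed: a wininit.ini [rename] section, the Win9x format for replacing
# or deleting files on the next boot (a destination of NUL deletes the source).
SAMPLE_WININIT_INI = r"""[rename]
NUL=C:\WINDOWS\TEMP\mep12ab.tmp.exe
C:\WINDOWS\SYSTEM\riched20.dll=C:\WINDOWS\TEMP\mep12ab.tmp.exe
"""

SHELL_LINE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)


def _sections(text):
    """Yield (section_name, raw_line) for every line; section names lowercased."""
    section = None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        yield section, line


def shell_value(ini_text):
    """Return the shell= value from [boot], or None if there is none."""
    for section, line in _sections(ini_text):
        if section == "boot":
            m = SHELL_LINE.match(line)
            if m:
                return m.group(1)
    return None


def is_tampered(ini_text):
    """True when shell= launches anything beyond Explorer itself."""
    value = shell_value(ini_text)
    return value is not None and value.lower() not in ("explorer.exe", "explorer")


def clean_system_ini(ini_text):
    """Reset shell= in [boot] to explorer.exe; every other line is kept verbatim."""
    out = []
    for section, line in _sections(ini_text):
        if section == "boot" and SHELL_LINE.match(line):
            line = "shell=explorer.exe" + ("\n" if line.endswith("\n") else "")
        out.append(line)
    return "".join(out)


def pending_renames(wininit_text):
    """List (destination, source) pairs queued in wininit.ini's [rename] section,
    so the operator sees what would overwrite a DLL before wiping the file."""
    pairs = []
    for section, line in _sections(wininit_text):
        if section != "rename" or "=" not in line or line.strip().startswith("["):
            continue
        dest, src = line.strip().split("=", 1)
        pairs.append((dest.strip(), src.strip()))
    return pairs


if __name__ == "__main__":
    print("shell= is tampered:", is_tampered(INFECTED_SYSTEM_INI))
    print(clean_system_ini(INFECTED_SYSTEM_INI))
    for dest, src in pending_renames(SAMPLE_WININIT_INI):
        print("pending on reboot:", src, "->", dest)
```

    The check accepts only a bare explorer.exe as the shell value, so any extra argument or second executable is reported, not just the exact string quoted in the thread; the repair touches nothing outside the [boot] section.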

  6. #6
    Darren Wilson
    Guest

    Post

    What I am surprised that nobody has mentioned yet is that if you have IE5.5 SP2 or IE6 installed, the Worm cannot infect.

    ------------------
    FINALLY, Rocco HAS COME BACK to Win-Driverssssss......
    Let the Boobies hit the floor

  7. #7
    mpeton
    Guest

    Post

    BTW, I've noticed that the computers that get infected with this virus, sometimes have problems with Microsoft Word. When the level of infection reaches the point of the system.ini being edited ("Shell = explorer.exe load.exe -dontload")(You have to delete the "load.exe -dontload" part) Then Word becomes corrupted, and won't do simple things such as opening a file from inside Word. A simple repair will fix this problem. Note, this is with Office 2000

    ------------------
    "I only know that I can change. Everything else just stays the same." -Staind, Fade
    "So now the waves they have subsided. And my soul is bleeding. I can't take away all the shame I feel, forgive me." -Staind, Change
    "I am nothing more than a little boy inside. That cries out for attention, though I always try to hide." "I'll do the right thing if the right thing is revealed. But it's always raining in my head" -Staind, Epiphany

  8. #8
    MacGyver
    Guest

    Post

    Our Seattle office was getting hammered by this one this morning. Couldn't figure out what the heck it was. Thanks for mentioning the EML files or we'd be reinstalling Windows on a lot of workstations right now.

    ------------------
    I help others in the name of my Lord, Jesus Christ.

  9. #9
    rdbatch
    Guest

    Post

    Network Associates has changed their website around, cause of this nimda virus. On the main page there is a link to information about the virus. There is a stand-alone removal tool that is available for download on their site. I have downloaded the file, just haven't had a chance to try it on any of the infected machines yet, I know there has to be several of them in the office. I just scanned my supervisor's computer and it had well over 100 files infected.

  10. #10
    Deity
    Guest

    Post

    I've been having a fun few days trying to deal with this. Two of our web servers dropped, as well as our email server. About 25% of our workstations were infected throughout the WAN. Our ISP was hammered to the point that four of our offices could not connect through our VPN setup. We are just now getting control over the situation.

    Maybe now the boss will pull his head out of his a$$ and invest in some virus software. Until now, he had no desire to put money into preventative measures.

    Yeah, it's been a fun few days.

    ------------------
    And for days we survived on nothing but food and water...

  11. #11
    Deity
    Guest

    Post

    McAfee's website has some good information on the virus. SavagePenguin also has some good details in the description. Using their suggestions I am able to clean out all the systems.


    Step 1: Find and delete all .eml and .nws files. On a fully infected system they will actually appear in every folder on the HDD.

    Step 2: Disconnect all network shares. The virus is able to spread through any network share. If it gets into the system through email or web pages it actually creates administrative shares on all drives allowing the virus to spread this way. I've seen several of our systems with all the drives shared.

    Step 3: Download and install the patches for IE. As Darren said, IE 5.5 SP2, IE 6 are no longer vulnerable to the auto-execute problem that Outlook and Outlook Express presented. For the NT and 2000 systems, download the latest patch for IIS if you use it. All the links to patches are on McAfee's site under the Nimda description.

    Step 4: Run the latest version of your virus scanning software (we are currently using Norton 2001 as it was the only thing we had available at the moment. I've tested Norton and InoculateIT PE and both work fine). I assume McAfee works as well. This method has fixed the systems 100% of the time in our office.

    Hope this helps some of you out there.

    ------------------
    And for days we survived on nothing but food and water...

    [This message has been edited by Deity (edited September 20, 2001).]

  12. #12
    Deity
    Guest

    Post

    The virus also attaches itself to any .asp .htm and .html files. Be sure to check your sites. Our ISP that hosts our company website insisted that they cleaned the server thoroughly, yet when we visit the site we get a warning about the virus. After isolating and examining the html, we found a small javascript entry appended to the html code that basically opened the virus through the web browser in a new document window. So even though the ISP claimed the server was clean, it obviously was NOT.

    ------------------
    And for days we survived on nothing but food and water...

  13. #13
    SOBER
    Guest

    Post

    Hey Mpeton, you said there is a simple fix for the WORD problems. What is it?

    All the users on my network that are infected are getting out of memory errors with just about anything they try to do in word (save or print, etc..)

    Please tell me this simple fix so that I don't have to uninstall and reinstall 5-10 Office 2k's.

  14. #14
    SOBER
    Guest

    Post

    Hey guys I found a solution that solves MANY problems.

    I just asked about WORD2k problems and the same user had a problem with outlook crashing every time I opened it. Even after the virus was cleared.

    Anyways I took a clean copy of riched20.dll and put it in the windows/system folder on the users machine and now OUTLOOK, WORD and several other things that weren't working, ARE!


    The riched.dll I used from my computer is 416k and I replaced the infected one on the users machine which was only 78k.


    More info as I get it....

  15. #15
    Deity
    Guest

    Post

    The riched20.dll file controls the rich text boxes that are commonly used in Microsoft Word and WordPad. One of the key features of the virus is to replace this file and put several copies of the new riched20.dll throughout the HDD. The other files it will modify include load.exe, and .asp, .htm, and .html files, as well as any file named index, main, or default.

    Files to watch for include: admin.dll, load.exe, mmc.exe(Win2K), readme.exe, riched20.dll, and mep*.tmp.exe

    ------------------
    And for days we survived on nothing but food and water...
