LOS ANGELES, CA — (INTERNET WIRE) — 19-09-2001 — Faithful to its policy of providing users with a complete service, and in view of the increasing propagation speed of the worm W32/Nimda.A@mm (alias Nimda), Panda Software has just released the antidote that will enable users to update their antivirus programs. Once the antivirus software is updated, users will be safe from this new threat.
W32/Nimda.A@mm (alias Nimda) is a dangerous mass-mailing worm that runs automatically when the message that contains it is viewed through the preview pane. It spreads by e-mail by means of a vulnerability in Internet Explorer 5 and the e-mail clients Outlook and Outlook Express. This vulnerability was discovered by Juan Carlos García Cuartango.
The vulnerability has two main characteristics: on the one hand, it uses HTML code that generates a frame; on the other, it uses an attachment encoded in Base64 and marked as audio/x-wav. Together, these two actions trick the Internet Explorer component that provides browser services to Microsoft’s e-mail clients. In effect, the worm passes itself off as an audio file that is to be run automatically when the message is opened.
Means of infection
Infection will occur once the user opens the message or views it through the preview pane. The reason for this lies in the fact that the e-mail client takes for granted that the attachment is an audio file, which should be played automatically. In addition, it sends itself out by e-mail by establishing connections to the Internet through SMTP commands. To obtain the victim’s e-mail addresses, it logs into the e-mail system through SimpleMAPI and then goes through the messages in search of e-mail addresses.
In addition, it is interesting to mention that the message body contains the following text string, which refers to its alleged origin: “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China”
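As an added example (not part of Panda’s release), the following Python script parses a constructed message showing the two traits described above, an HTML frame plus a Base64 part declared as audio/x-wav, and reports where the declared type contradicts the actual bytes; the message, addresses and file names are assumptions.

```python
import base64, email, re
from email import policy

# Constructed sample (not a captured Nimda message): an HTML body with a hidden
# iframe and a Base64 part declared audio/x-wav whose decoded bytes start with
# the "MZ" header of a Windows executable.
SAMPLE_EML = b"""\
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="readme.exe" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--b1--
"""

# Same envelope with a genuine RIFF/WAVE payload and no frame, for contrast.
BENIGN_EML = SAMPLE_EML.replace(
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA",
    base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt ")).replace(b"<iframe", b"<p")

def analyze_message(raw):
    """Parse a raw message and report the two traits described in the text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"html_frame": False, "findings": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Trait 1: an HTML body that embeds a frame to auto-load the attachment.
        if ctype == "text/html" and re.search(rb"<i?frame\b", payload, re.I):
            result["html_frame"] = True
        # Trait 2: declared audio/x-wav, but the bytes are not a RIFF/WAVE file.
        if ctype == "audio/x-wav" and payload[:4] != b"RIFF":
            reason = "MZ executable header" if payload[:2] == b"MZ" else "not a RIFF/WAVE file"
            result["findings"].append((ctype, part.get_filename(), reason))
    return result
```

A mail gateway rule built on the same idea would quarantine any message whose attachment type and content disagree, rather than matching this one worm.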
Once the user receives the message and gets infected, if the system installed is Windows 9x, the virus copies itself to the Windows\System folder under the name LOAD.EXE with hidden attributes. Additionally, the worm modifies the file SYSTEM.INI by adding the line shown below. This way, the worm ensures its execution every time the system is started: Shell=explorer.exe load.exe -dontrunold
Next, it copies a file with hidden attributes called riched20.dll to the Windows\System folder. This way, it manages to launch the virus every time an application using that DLL (Wordpad, for instance) is run.
On the other hand, if the system installed is Windows NT or Windows 2000, the worm creates the file LOAD.EXE in the Winnt\System32 folder. Then, it creates a user called guest and adds it to the local administrators group. Next, it logs in as that user and shares drive C: as C$.
Additionally, this worm uses another IIS vulnerability to alter the contents of the pages listed below in such a way that, if any user attempts to view them, the code altered by the virus opens a file called readme.eml (the format used by Outlook Express’s e-mail messages). This file contains the virus code. The pages are the following:
index.html, index.htm, index.asp, readme.html, readme.htm, readme.asp, main.html, main.htm, main.asp, default.html, default.htm, default.asp
In this case, if the Internet Explorer browser has any of the vulnerabilities mentioned above, it will immediately open the file readme.exe, which is attached to the message readme.eml.
It is important to note that a system with the Internet Explorer vulnerability mentioned above will run infected .eml files automatically whenever the option “Enable all web-related content on my desktop” is checked. This is without doubt the most notable effect of this vulnerability.
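An added example, not from the original release: a Python check over constructed host artifacts for the indicators described above (the SYSTEM.INI Shell line, hidden LOAD.EXE and riched20.dll copies in the system folder, and the listed web pages referencing readme.eml). The sample SYSTEM.INI, directory listing and page contents are constructed, not collected from an infected host.

```python
import configparser
import re

# The twelve page names the text lists as targets for the readme.eml injection.
NIMDA_PAGES = {"index.html", "index.htm", "index.asp", "readme.html", "readme.htm",
               "readme.asp", "main.html", "main.htm", "main.asp",
               "default.html", "default.htm", "default.asp"}

def shell_line_hijacked(system_ini_text):
    """True if [boot] Shell= in SYSTEM.INI launches load.exe with -dontrunold."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(system_ini_text)
    tokens = cp.get("boot", "shell", fallback="").lower().split()
    return "load.exe" in tokens and "-dontrunold" in tokens

def hidden_dropper_files(listing):
    """Given (name, is_hidden) pairs for the Windows\\System folder, return the
    dropper names present with the hidden attribute. The text describes the
    worm's copies as hidden, so the attribute, not the name alone, is the
    indicator: riched20.dll is also a legitimate file name."""
    droppers = {"load.exe", "riched20.dll"}
    return sorted(n.lower() for n, hidden in listing if hidden and n.lower() in droppers)

def pages_opening_readme_eml(pages):
    """Return names of targeted web pages whose markup references readme.eml."""
    return sorted(n for n, html in pages.items()
                  if n.lower() in NIMDA_PAGES and re.search(r"readme\.eml", html, re.I))

# Constructed samples (assumed values, not taken from a real system).
SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
[386Enh]
device=*vshare
"""
LISTING = [("LOAD.EXE", True), ("RICHED20.DLL", True), ("user32.dll", False)]
PAGES = {"default.htm": '<html><body>Welcome</body></html>'
                        '<script>window.open("readme.eml")</script>',
         "about.htm": '<html><body><a href="readme.eml">x</a></body></html>',
         "index.htm": "<html><body>Unchanged</body></html>"}

def host_indicators(system_ini=SYSTEM_INI, listing=LISTING, pages=PAGES):
    """Combine the three checks into one report for a host."""
    return {"shell_hijacked": shell_line_hijacked(system_ini),
            "hidden_droppers": hidden_dropper_files(listing),
            "injected_pages": pages_opening_readme_eml(pages)}
```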
Detection and disinfection
Panda Software advises users to take all necessary precautions to protect their computers from this new and dangerous virus:
– Update your antivirus before opening the e-mail client. At present, Panda Software offers the corresponding vaccine for this virus in all the security solutions provided by the company. Once the antivirus has been updated, all e-mail messages and file systems must be scanned.
– Set Internet Explorer’s security to its maximum level.
– Update the IIS server. www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp for Microsoft IIS 4.0 and www.microsoft.com/windows2000/downloads/critical/q269862/default.asp for Microsoft IIS 5.0.
– Make sure to check the option “Use Windows classic desktop” rather than “Enable all web-related content on my desktop” in Windows Explorer (Folder options). This will prevent infected .eml files from running automatically just by clicking on them.
– Additionally, you can check if your computer has been infected by this worm and even neutralize this worm with our free of charge on-line antivirus: Panda ActiveScan.
About Panda Software’s virus laboratory
On receiving a possibly infected file, Panda Software’s technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and distributed to users within the next 24 hours.