Sybari Reports Nimda as High Risk Worm


E. Northport, NY (September 18, 2001) — Sybari Software, Inc., the premier developer of Antigen, a comprehensive antivirus, content-management, and e-mail security solution for Microsoft Exchange and Lotus Domino/Notes environments, today reports that the e-mail virus known as either “W32/Nimda-A” or “W32/Nimda-mm” has been raised to a high risk virus. Antigen’s Worm Purge and File Filtering features will continue to score high marks with IT administrators and their organizations.

“Our users stand protected against this virus with Antigen Worm Purge™,” said Tom Buoniello, vice president of product management for Sybari Software, Inc. “By enabling Worm Purge and updating to the latest antivirus signature files, administrators can depend on Antigen to automatically purge all e-mail messages carrying this high-risk worm,” continued Buoniello.

As with Antigen File Filtering (AFF) technology, which enables administrators to filter e-mail attachments by filename, wildcards, and by file type, Antigen Worm Purge™ is designed to be a proactive tool to prevent new worm threats from spreading before scan engines are updated. Attachment names for worm-generated messages can also be placed in the File Filter list under the File Filtering panel for purging as they enter or exit the message stream.



E-mail Characteristics:


E-mail Subject:


E-mail Body:


Attachment Names:


Description:

W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites. Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to “hidden”), and attempts to spread itself to other users via network shares. The virus alters the System.ini file to include the line: “shell=explorer.exe load.exe -dontrunold” so that it executes on Windows startup, and also includes the text “Copyright 2001 R.P.China”.
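The host indicators named above (the two dropped filenames and the altered shell= line) can be checked with a short script. This is an added example, not Sybari's code; the function names and the sample System.ini text are constructed for illustration.

```python
import os
import tempfile

DROPPED_NAMES = ("load.exe", "riched20.dll")   # names from the description
SHELL_MARKER = "load.exe -dontrunold"          # from the quoted shell= line


def shell_values(ini_text):
    """Return every shell= value in System.ini text, skipping comments."""
    values = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            values.append(value.strip())
    return values


def check_windows_dir(windows_dir):
    """Return (kind, detail) findings for the indicators under windows_dir."""
    findings = []
    for name in sorted(os.listdir(windows_dir)):
        path = os.path.join(windows_dir, name)
        if name.lower() in DROPPED_NAMES:
            findings.append(("file", name.lower()))
        elif name.lower() == "system.ini":
            with open(path, encoding="latin-1") as fh:
                for value in shell_values(fh.read()):
                    if SHELL_MARKER in value.lower():
                        findings.append(("shell", value))
    return findings


def demo(ini_text, file_names):
    """Build a constructed Windows directory in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "SYSTEM.INI"), "w") as fh:
            fh.write(ini_text)
        for name in file_names:
            open(os.path.join(d, name), "w").close()
        return check_windows_dir(d)


# Constructed sample inputs, not taken from a real host.
INFECTED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
CLEAN_INI = "[boot]\n; shell=explorer.exe load.exe -dontrunold\nshell=Explorer.exe\n"

if __name__ == "__main__":
    print(demo(INFECTED_INI, ["load.exe", "notepad.exe"]))
    print(demo(CLEAN_INI, ["notepad.exe"]))
```

A name match on riched20.dll is only a lead, because Windows ships a legitimate library with that name; confirm any hit with an up-to-date antivirus scan.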


As mentioned, the virus spreads via email, network shares and websites. It forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames: index.html, index.htm, index.asp, readme.html, readme.htm, readme.asp, main.html, main.htm, main.asp, default.html, default.htm, default.asp.

If it finds one of the above files on the web server, the virus attempts to alter the contents of the file, adding a section of malicious JavaScript code to the end of the file. If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user’s computer, which is then executed, forwarding the virus once more.
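A web administrator can look for this tampering by scanning the twelve listed page names for a script that references readme.eml after the closing </html> tag. This is an added example, not Sybari's code; the verdict labels, the 2048-character fallback window and the sample pages are assumptions made for illustration.

```python
import os
import tempfile

# The twelve page names listed above.
TARGET_NAMES = {stem + ext for stem in ("index", "readme", "main", "default")
                for ext in (".html", ".htm", ".asp")}
MARKER = "readme.eml"   # file the appended script downloads, per the text
TAIL = 2048             # assumed window when a page has no </html> tag


def inspect_page(data):
    """Return 'clean', 'reference' or 'appended' for raw page bytes."""
    text = data.decode("latin-1").lower()
    if MARKER not in text:
        return "clean"
    end = text.rfind("</html>")
    trailer = text[end + 7:] if end != -1 else text[-TAIL:]
    if "<script" in trailer and MARKER in trailer:
        return "appended"      # script referencing the marker at end of file
    return "reference"         # marker mentioned elsewhere; review by hand


def scan_webroot(root):
    """Walk root and return sorted (relative path, verdict) for flagged pages."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                verdict = inspect_page(fh.read())
            if verdict != "clean":
                hits.append((os.path.relpath(path, root), verdict))
    return sorted(hits)


def demo():
    """Scan a constructed web root (sample content, not a real payload)."""
    pages = {
        "index.html": "<html><body>home</body></html>",
        "readme.htm": "<html><body>Delete any readme.eml file.</body></html>",
        os.path.join("sub", "Default.asp"):
            "<html></html>\n<script>/* placeholder: readme.eml */</script>",
        "notes.html": "<script>readme.eml</script>",   # name not on the list
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_webroot(root)
```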

Tom Buoniello, Vice President of Product Management for Sybari Software, Inc. is available today to discuss this latest worm virus, providing insight on:

· What could have been done to prevent the spread of this virus.
· How companies can protect themselves from viruses prior to virus definitions being available.
· What companies should do if their networks are or become infected.
· What other kinds of intrusions are likely to strike corporations.

If transferring these types of files is not part of your day-to-day business, Sybari recommends that you create a file filter rule for all files that end with the extension .exe. Currently, Sybari has not reported any outbreaks. To protect your environment from this new variant, and for information on other variants, please add the Sybari website: to your browser Favorites.


Since 1995, Sybari has led the market in providing innovative solutions to groupware-based virus and security threats. Today, over 5 million Microsoft Exchange/Outlook and Lotus Domino/Notes seats are virus-free as a direct result of Sybari’s Antigen technology. Sybari’s Antigen is unsurpassed in providing protection of corporate messaging environments. Antigen’s unique architecture institutes a preemptive line of defense from viruses and malicious code. Antigen for Microsoft Exchange and Antigen for Lotus Domino are distributed in more than 50 countries through Sybari’s worldwide locations and distribution network. Sybari is headquartered in East Northport, New York with an EMEA headquarters in Madrid, Spain and an Asia Pacific Headquarters in Singapore. Sybari’s clients include IBM, Cable & Wireless, Compaq, Con Edison, Dell, Deloitte & Touche, Eastman Chemical, Getronics, JD Power, Lufthansa, Mayo Foundation, Merrill Lynch, Nortel, Pirelli, Reckitt Benckiser, Sony, Target, Texaco, Tosco, Union Pacific, US Federal Government, and Visa. Sybari’s many strategic partners include Lotus Development (NYSE:IBM), Microsoft (NASDAQ:MSFT), Computer Associates (NYSE:CA), Compaq (NYSE:CPQ), and Sun Microsystems (NASDAQ:SUNW).
