Virus alert from SecureData: High-risk virus assessment on PE.NIMDA.A

Johannesburg, 18 Sep 2001

SecureData, an ERP.com company and the exclusive sub-Saharan distributor of Trend Micro, is warning computer users of a fast-spreading worm known as PE_NIMDA.A (aliases: NIMDA.A, W32/Nimda.A@mm).

This Trojan worm uses three modes of propagation. It spreads via e-mail, via network shares, or through servers with IIS installed, using the IIS Web Directory Traversal exploit. When spreading through mail, it typically arrives with the attachment readme.exe. It drops the file meXXXX.tmp.exe, which is an EML-format mail message, in the C:\Windows\Temp directory. This temp file contains the file attachment sent by the worm.

Solution

1. This worm compromises the security of your file system by sharing your local drives to the network. Please check and remove these shares. You may opt to disable all your shared drives or limit the shares to give only READ access to all users since this worm may perpetually infiltrate your system through the shared drives.

2. In SYSTEM.INI, change the line:

   Shell = explorer.exe load.exe -dontrunold

   to:

   Shell = explorer.exe

3. Show all files in the View menu of explorer inside Windows. Delete load.exe and riched20.dll in the SYSTEM directory of Windows.

4. Delete the contents of Wininit.ini.

5. Scan your system with Trend Micro anti-virus and delete all files detected as PE_NIMDA.A. To do this, Trend Micro customers must download the latest pattern file at www.sd.co.za and scan their system. Other e-mail users may use HouseCall, Trend Micro's free online virus scanner. Some infected files may be corrupted or contain only a pure strain of the worm. Delete these files.

6. The worm is using the Microsoft IE MIME Header Attachment Execution Vulnerability to drop e-mails. For an explanation and to download the patch, please visit Microsoft's Web site.

7. For IIS users, the worm also uses the Microsoft Web Server Folder Traversal vulnerability. An explanation and patch are also available at Microsoft's Web site.

8. Trend Micro recommends that customers also use Microsoft's Cumulative IIS patch.
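
The file-system checks in steps 2 to 4, plus a look for the dropped meXXXX.tmp.exe files, can be scripted for triage of a host or a mounted disk image. The Python below is an added example, not SecureData or Trend Micro code; the function names, the sample tree and the reading of XXXX as any run of characters are assumptions.

```python
import re
import sys
import tempfile
from pathlib import Path

def find_ci(parent, name):
    """Case-insensitive child lookup, for images mounted on case-sensitive systems."""
    if parent is None or not parent.is_dir():
        return None
    return next((c for c in parent.iterdir() if c.name.lower() == name.lower()), None)

def read(path):
    return path.read_text(errors="replace") if path and path.is_file() else ""

def check_nimda_traces(windows_dir):
    """Return findings for the file-system artifacts the advisory names."""
    win, findings = Path(windows_dir), []
    # Step 2: a Shell= line in SYSTEM.INI that also launches load.exe.
    for line in read(find_ci(win, "system.ini")).splitlines():
        m = re.match(r"\s*shell\s*=\s*(.*)", line, re.IGNORECASE)
        if m and "load.exe" in m.group(1).lower():
            findings.append("SYSTEM.INI shell line: " + line.strip())
    # Step 3: load.exe in the SYSTEM directory. riched20.dll is not flagged by
    # name, because a legitimate file of that name also ships with Windows.
    if find_ci(find_ci(win, "system"), "load.exe"):
        findings.append("load.exe present in SYSTEM directory")
    # Step 4: Wininit.ini should have no contents after cleanup.
    if read(find_ci(win, "wininit.ini")).strip():
        findings.append("WININIT.INI is not empty")
    # Dropped mail copies; XXXX is treated as any run of characters (assumption).
    temp = find_ci(win, "temp")
    for f in (sorted(temp.iterdir()) if temp and temp.is_dir() else []):
        if re.fullmatch(r"me.+\.tmp\.exe", f.name, re.IGNORECASE):
            findings.append("dropped file in Temp: " + f.name)
    return findings

def build_sample(root):
    """Constructed sample tree (placeholder files only, no real malware)."""
    win = Path(root) / "WINDOWS"
    (win / "SYSTEM").mkdir(parents=True)
    (win / "TEMP").mkdir()
    (win / "SYSTEM.INI").write_text("[boot]\nShell = explorer.exe load.exe -dontrunold\n")
    (win / "SYSTEM" / "LOAD.EXE").write_text("placeholder")
    (win / "WININIT.INI").write_text("[rename]\nplaceholder=placeholder\n")
    (win / "TEMP" / "meA1B2.tmp.exe").write_text("placeholder")
    return win

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for finding in check_nimda_traces(target):
        print("[!]", finding)
```

Pass the path of the Windows directory as the first argument; with no argument the script runs against the constructed sample tree.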

For 24x7 assistance, please contact SecureData's toll-free Computer Virus Helpline on 080 802 8800.

SecureData

 

SecureData, an ERP.com company, is a Managed Security Service Provider. SecureData is the exclusive sub-Saharan distributor of Trend Micro, providing enterprise-wide, centrally managed, server-based, virus protection, e-mail filtering and Internet filtering products and services.

Concern about Internet safety has created a vigorous and growing market for content security products and services. Today, e-mail attachments account for over 50% of virus infections, and Web-based malicious mobile code (vandals) is widely thought to be the predominant content threat of the near future.

SecureData brings sub-Saharan Africa the tools that build anti-virus and content security protection into the Internet and Mail/Groupware infrastructure.

Editorial contacts

Wayne Biehn
SecureData
083 377 5318
Cherilyn Lang
SecureData
+27 11 257 8612
cherilynll@sd.co.za