SecureData, an ERP.com company and the exclusive sub-Saharan distributor of Trend Micro, is warning computer users of a fast-spreading worm known as PE_NIMDA.A (aliases: NIMDA.A, W32/Nimda.A@mm).
This Trojan worm uses three modes for propagation. It spreads via e-mail, via network shares, or through servers with IIS installed, using the IIS Web Directory Traversal exploit. When spreading through mail, it typically arrives with the attachment readme.exe. It drops the file meXXXX.tmp.exe, which is an EML-format mail message, in the C:\Windows\Temp directory. This temp file contains the file attachment sent by the worm.
Solution
1. This worm compromises the security of your file system by sharing your local drives to the network. Please check and remove these shares. You may opt to disable all your shared drives or limit the shares to give only READ access to all users since this worm may perpetually infiltrate your system through the shared drives.
2. In SYSTEM.INI, change the line "Shell = explorer.exe load.exe -dontrunold" to "Shell = explorer.exe".
3. In Windows Explorer, use the View menu to show all files. Delete load.exe and riched20.dll in the SYSTEM directory of Windows.
4. Delete the contents of Wininit.ini.
5. Scan your system with Trend Micro anti-virus and delete all files detected as PE_NIMDA.A. To do this, Trend Micro customers must download the latest pattern file at www.sd.co.za and scan their system. Other e-mail users may use HouseCall, Trend Micro's free online virus scanner. Some infected files may be corrupted or contain only a pure strain of the worm. Delete these files.
6. The worm is using the Microsoft IE MIME Header Attachment Execution Vulnerability to drop e-mails. For an explanation and to download the patch, please visit Microsoft's Web site.
7. For IIS users, the worm also uses the Microsoft Web Server Folder Traversal vulnerability. An explanation and patch are also available at Microsoft's Web site.
8. Trend Micro recommends that customers also use Microsoft's Cumulative IIS patch.
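The checks in steps 2 to 4, plus the dropped meXXXX.tmp.exe file, can be scripted against a copy or mounted image of the Windows directory. The following is an added example, not code from SecureData or Trend Micro; the function names are hypothetical, the sample tree is constructed, and XXXX is assumed to stand for any four characters.

```python
import os
import re
import tempfile

def find_ci(directory, name):
    """Case-insensitive lookup, so a mounted image works on a case-sensitive host."""
    if os.path.isdir(directory):
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None

def audit_windows_dir(windir):
    """Return (location, detail) findings for the artifacts the advisory names."""
    findings = []
    ini = find_ci(windir, "system.ini")  # step 2: Shell= line that also runs load.exe
    if ini:
        with open(ini, errors="replace") as fh:
            for line in fh:
                key, _, value = line.partition("=")
                if key.strip().lower() == "shell" and "load.exe" in value.lower():
                    findings.append(("system.ini", line.strip()))
    sysdir = find_ci(windir, "system")  # step 3: files in the SYSTEM directory
    for name in ("load.exe", "riched20.dll"):
        path = find_ci(sysdir, name) if sysdir else None
        if path:
            findings.append(("system", os.path.basename(path)))
    wininit = find_ci(windir, "wininit.ini")  # step 4: Wininit.ini still has contents
    if wininit and os.path.getsize(wininit) > 0:
        findings.append(("wininit.ini", "not empty"))
    temp = find_ci(windir, "temp")  # dropped meXXXX.tmp.exe; XXXX assumed = any 4 chars
    for entry in (os.listdir(temp) if temp and os.path.isdir(temp) else []):
        if re.fullmatch(r"me.{4}\.tmp\.exe", entry, re.IGNORECASE):
            findings.append(("temp", entry))
    return findings

def make_sample(root):
    """Build a constructed sample tree (not data from a real host)."""
    os.makedirs(os.path.join(root, "SYSTEM"))
    os.makedirs(os.path.join(root, "Temp"))
    files = {"SYSTEM.INI": "[boot]\nShell = explorer.exe load.exe -dontrunold\n",
             "Wininit.ini": "[rename]\n", "SYSTEM/load.exe": "", "Temp/meAB12.tmp.exe": ""}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for where, what in audit_windows_dir(make_sample(tempfile.mkdtemp())):
        print(where, what)
```

An empty result only means these file-system artifacts are absent; the scan in step 5 and the patches in steps 6 to 8 still apply.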
For 24x7 assistance, please contact SecureData's toll-free Computer Virus Helpline on 080 802 8800.