Magistr

The Nimda virus

BadTrans
Il virus Nimda O vírus Nimda Der virus Nimda Le virus Nimda El virus Nimda

Introduction to the Nimda virus

Le Nimda virus (code name W32/Nimda) is a worm which spreads by email. It also has four other ways to spread:

  • The web
  • Shared folders
  • Microsoft IIS security holes
  • File transfer

At particular risk are users of Microsoft Outlook in Windows 95, 98, Millenium, NT4, and 2000.

What the virus does

The Nimda worm retrieves the list of addresses found in the address books of Microsoft Outlook and Eudora, as well as email addresses contained in HTML files found on the infected machine's hard drive.

Next, the Nimda virus sends all of these recipients an email with an empty body and a subject chosen at random (and often very long). It adds to the message an attachment named Readme.exe or Readme.eml (file containing an executable). The viruses use an .eml extension to exploit a security flaw in Microsoft Internet Explorer 5.

What's more, in Microsoft Windows the Nimda virus can spread over shared network folders, infecting executable files found there.

Viewing Web pages on servers infected by the Nimda virus may lead to infection when a user views pages with the vulnerable Microsoft Internet Explorer 5 browser.

The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information Server) Web server, by exploiting certain security holes.

Finally, the virus infects executable files found on the contaminated machine, meaning that it can also spread by file transfers.

Symptoms of infection

Workstations infected by the BadTrans worm will have the following file on their hard drive:

  • README.EXE
  • README.EML
  • files with the extension .NWS
  • files with a name like mep*.tmp, mep*.tmp.exe (for example mepE002.tmp.exe)

To check if you are infected, do a search for the files named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

To eradicate the Nimda virus, the best method involves first disconnecting the infected machine from the network, then using up-to-date antivirus software or the Symantec virus removal tool (preferrably restarting the computer in safe mode):
Download the virus removal tool

What's more, the virus can spread using a security hole in Microsoft Internet Explorer, which means that you may catch the virus by visiting an infected site. To fix it, you must download the patch for Microsoft Internet Explorer 5.01 and 5.5. Please check the version of your browser, and download the patch if need be:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

More information about the virus



Last update on Thursday October 16, 2008 02:43:16 PM.This document entitled « The Nimda virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.
Best answers for « The Nimda virus » in :
The LovSan/Blaster virus Show Introduction to the LovSan virus Appearing in the summer of 2003, LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) is the first...
Viruses - Introduction to viruses Show Virus A virus is a small computer program found within the body of another program which, when run, loads itself into the memory and carries out the instructions programmed by its author. The definition of a virus may be: « Any computer...
Utilities for Removing Common Viruses and Worms Show What is a virus removal tool? A virus removal tool is a small executable file for cleaning a machine which has been infected by a particular virus. Each removal tool is therefore uniquely capable of eradicating a particular kind of virus, or a...
[Virus] System Volume Information Show[Virus] System Volume Information The System Volume Information folder is used by Windows XP for storing data on system configuration and is also used by the System Restore tool to store information and restore points. Restore points...
How to remove the virus CONFICKER / DOWNADUP / KIDO? ShowHow to remove the virus CONFICKER / DOWNADUP / KIDO What is the Conficker? How to avoid being infected by Conficker? Disinfect a computer affected by Conficker Preliminary Remove infection What is the Conficker? Conficker (also...
The First Steps to Virus/Spyware/Adware Removal ShowThe First Steps to Virus/Spyware/Adware Removal Step 1: Delete Temporary Files How to delete Temporary Files? How to delete Temporary Internet Files? Step 2: Get a good all in one Antivirus/Anti Spyware/ Anti Adware...
Download Clean Virus MSN ShowViruses meet hereafter a bit on the net by all thinkable means everywhere. After mails , supporting they attack instantaneous freight forwarding. Clean Virus MSN is a tool which discerns automatically the viruses which circulate on MSN Messenger....
Download Kaspersky Anti-Virus for Mac Show
Download McAfee Virusscan ShowWould you like to have a robust protect against viruses? McAfee Virusscan can protect your computer from virus. McAfee Virusscan is a powerful antivirus allowing to protect your PC from malware and viruses. Since it scans your downloads from...
The Bad Trans virus ShowIntroduction to the BadTrans virus The BadTrans virus (code name W32.BadTrans.B or W32/Badtrans-B) is a worm which spreads by e-mail. It also uses another method to spread: Microsoft Internet Explorer security flaws The BadTrans.B virus...
They need your help