
Introduction to the Nimda virus

The Nimda virus (code name W32/Nimda) is a worm which spreads by email. It also has four other ways to spread:

  • The web
  • Shared folders
  • Microsoft IIS security holes
  • File transfer

At particular risk are users of Microsoft Outlook in Windows 95, 98, Millennium, NT4, and 2000.

What the virus does

The Nimda worm retrieves the list of addresses found in the address books of Microsoft Outlook and Eudora, as well as email addresses contained in HTML files found on the infected machine's hard drive.

Next, the Nimda virus sends all of these recipients an email with an empty body and a subject chosen at random (and often very long). It attaches a file named Readme.exe or Readme.eml (a file containing an executable). The virus uses the .eml extension to exploit a security flaw in Microsoft Internet Explorer 5.

What's more, in Microsoft Windows the Nimda virus can spread over shared network folders, infecting executable files found there.

Viewing Web pages hosted on servers infected by the Nimda virus may lead to infection when the user's browser is the vulnerable Microsoft Internet Explorer 5.

The Nimda virus is also capable of taking control of a Microsoft IIS (Internet Information Server) Web server, by exploiting certain security holes.

Finally, the virus infects executable files found on the contaminated machine, meaning that it can also spread by file transfers.

Symptoms of infection

Workstations infected by the Nimda worm will have the following files on their hard drive:

  • README.EXE
  • README.EML
  • files with the extension .NWS
  • files with a name like mep*.tmp, mep*.tmp.exe (for example mepE002.tmp.exe)

To check if you are infected, do a search for the files named above on all of your hard drives (Start / Search / For Files or Folders...).
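The same search can be scripted. The following is an added example, not part of the original article: it sweeps a directory tree (a drive root or a mounted disk image) for the file names listed above and records size and SHA-256 for each hit, since a name match is only a lead to confirm with antivirus software. The function names and the sample tree are assumptions made for the example.

```python
import fnmatch
import hashlib
import os
import tempfile

# Filename indicators exactly as listed in "Symptoms of infection".
PATTERNS = ["readme.exe", "readme.eml", "*.nws", "mep*.tmp", "mep*.tmp.exe"]


def matching_pattern(filename):
    """Return the indicator pattern a file name matches, or None."""
    name = filename.lower()  # Windows file names are case-insensitive
    for pattern in PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Walk root and return (path, pattern, size, sha256) for each hit."""
    hits = []
    # os.walk skips directories it cannot read, so the sweep keeps going.
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            pattern = matching_pattern(filename)
            if pattern is None:
                continue
            path = os.path.join(folder, filename)
            try:
                hits.append((path, pattern, os.path.getsize(path), sha256_of(path)))
            except OSError:
                hits.append((path, pattern, None, None))  # locked or vanished
    return sorted(hits)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name in ["Readme.EXE", "notes.txt", "mepE002.tmp.exe", "a.NWS"]:  # constructed sample tree
            open(os.path.join(root, name), "wb").close()
        for path, pattern, size, digest in scan(root):
            print(pattern, size, (digest or "unreadable")[:16], path)
```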

Eradicating the virus

To eradicate the Nimda virus, the best method involves first disconnecting the infected machine from the network, then using up-to-date antivirus software or the Symantec virus removal tool (preferably restarting the computer in safe mode):
Download the virus removal tool

What's more, the virus can spread using a security hole in Microsoft Internet Explorer, which means that you may catch the virus by visiting an infected site. To fix it, you must download the patch for Microsoft Internet Explorer 5.01 and 5.5. Please check the version of your browser, and download the patch if need be:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Last update on Thursday October 16, 2008 02:43:16 PM. This document entitled « The Nimda virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.