Symantec Security Response - W32.Nimda.D@mm
http://securityresponse.symantec.com
W32.Nimda.D@mm
Discovered on: October 29, 2001
Last Updated on: October 29, 2001 at 07:00:35 AM PST
W32.Nimda.D@mm is a new version of W32.Nimda.A@mm that contains bug fixes
and modifications to avoid previous anti-virus detection.
This worm is similar in functionality to W32.Nimda.A@mm. Differences include
the modification of filenames used by the worm.
The attachment received has been changed to sample.exe
The dropped DLL file is now httpodbc.dll
The worm now copies itself to the Windows System directory as csrss.exe instead of mmc.exe
Infected HTML files are already detected as W32.Nimda.A@mm (html)
Type: Virus, Worm
Virus Definitions: October 29, 2001
Threat Assessment:
Wild: Low
Damage: Medium
Distribution: High
Wild:
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
Damage:
Payload:
Large scale e-mailing: Emails itself out as sample.exe
Degrades performance: May cause system slowdown
Compromises security settings: Creates open network shares
Distribution:
Name of attachment: sample.exe (this file may not be visible)
Shared drives: Infects open network shares
Target of infection: Specifically attempts to infect unpatched IIS servers
Write-up by: Eric Chien