NIMDA-ZILLA! This One is a Monster - PE_NIMDA.A (High Risk)
This worm uses three modes of propagation: email, network shares, and servers running IIS, which it attacks using the IIS Web Directory Traversal exploit. It propagates via email using its own SMTP engine and also through Messaging APIs. It may execute when the recipient of its carrier email opens the email using Microsoft Outlook or Outlook Express.
This PE worm arrives as an embedded README.EXE file or as an attachment in an email that has an empty message body and, typically, an empty subject field. It does not require the target user to double-click the attachment for it to execute. The worm also propagates through shared drives by searching the network that the infected machine belongs to for shared folders with write access. If it finds one, it drops a randomly named .NWS (newsgroup posting) or .EML file; these dropped files also contain the worm as an attachment.
Similar to TROJ_BLUECODE.A, this worm spreads to machines with IIS installed. It sends a request to a machine with IIS installed, forcing it to download a copy of ADMIN.DLL from the infected machine. The worm then forces the remote computer to copy the recently downloaded .DLL file into its root directory.
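The two on-disk traces the advisory describes, randomly named .NWS/.EML carrier files on writable shares that carry README.EXE as an attachment, and an ADMIN.DLL dropped into an IIS root directory, can both be hunted for with a simple file walk. The script below is an added example written for this page, not a Trend Micro tool: it parses every .eml/.nws file under a mounted share or web root with Python's standard email parser, flags messages whose attachment is named README.EXE, and separately flags any file named ADMIN.DLL. The sample tree it builds is constructed test data with inert placeholder bytes; a hit is a lead for an analyst to confirm, since the names alone are not proof of infection.

```python
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# File names the advisory ties to this worm. A match is a lead for an analyst,
# not proof of infection: neither name is unique to the worm.
SUSPECT_ATTACHMENT_NAMES = {"readme.exe"}
SUSPECT_DROPPED_NAMES = {"admin.dll"}
CARRIER_EXTENSIONS = {".eml", ".nws"}


def carrier_attachments(path):
    """Parse one .eml/.nws file and return attachment names that match the advisory."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in SUSPECT_ATTACHMENT_NAMES:
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk a mounted share or web root; return {path: [reasons]} for files worth a look."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            base = fname.lower()
            ext = os.path.splitext(fname)[1].lower()
            if base in SUSPECT_DROPPED_NAMES:
                findings[full] = ["dropped file name matches advisory"]
            elif ext in CARRIER_EXTENSIONS:
                try:
                    hits = carrier_attachments(full)
                except (OSError, ValueError):
                    continue  # unreadable, or not a parseable message
                if hits:
                    findings[full] = ["carries attachment " + h for h in hits]
    return findings


def build_sample_tree():
    """Build a throwaway directory that mimics a share (constructed test data only)."""
    root = tempfile.mkdtemp(prefix="nimda_scan_")
    # Constructed carrier: no subject, no body part at all, inert bytes attached as README.EXE
    carrier = EmailMessage()
    carrier["From"] = "someone@example.invalid"
    carrier["To"] = "someone-else@example.invalid"
    carrier.add_attachment(b"INERT PLACEHOLDER, NOT AN EXECUTABLE",
                           maintype="application", subtype="octet-stream",
                           filename="README.EXE")
    with open(os.path.join(root, "x7k2q.nws"), "wb") as fh:   # constructed random-looking name
        fh.write(bytes(carrier))
    # Constructed benign message with an ordinary text attachment; must not be flagged
    benign = EmailMessage()
    benign["Subject"] = "meeting notes"
    benign.set_content("see attached")
    benign.add_attachment("agenda items", subtype="plain", filename="notes.txt")
    with open(os.path.join(root, "notes.eml"), "wb") as fh:
        fh.write(bytes(benign))
    # Constructed stand-in for the dropped DLL name inside a web root subdirectory
    os.makedirs(os.path.join(root, "wwwroot"))
    with open(os.path.join(root, "wwwroot", "ADMIN.DLL"), "wb") as fh:
        fh.write(b"\x00" * 8)
    return root


if __name__ == "__main__":
    for path, reasons in scan_tree(build_sample_tree()).items():
        print(path, "->", "; ".join(reasons))
```

Point scan_tree at a mounted share or an IIS web root to run it on real data. Because the worm writes carriers only to folders it can write to, the same walk run with the scanning account's permissions also tells you which folders on that share were exposed in the first place.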
This PE worm has been classified as high risk. A free fix tool is available at Trend Micro's Web site.
