Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Nimda.A@mm


Threat Risk HIGH HIGH
Destructivity LOW LOW
Detection files published 20 Sep 2001 03:00:00
Description created 18 Sep 2001 03:00:00
Description updated 18 Oct 2002 01:32:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



Uses email-like addresses from Windows web cache as both sender and recipient.

Payload Details

High spreading by infection of PCs running IIS and infected web pages.




Update your antivirus product Download available patches and fixes If you have vulnerable IIS servers, patch them with this patch: bulletin/MS01-044.asp If you are using Internet Explorer 5.0 or 5.01 install this patch from Microsoft: bulletin/MS01-020.asp Disconnect your LAN from the Internet Disconnect all infected PC's from your server/LAN. Start with the server(s). Open "sysedit" from "Start | Run", and find the line Shell=Explorer.exe LOAD.EXE -dontrunold in the SYSTEM.INI file. Change this to Shell=Explorer.exe Reboot the computer. Open a DOS-window, and write attrib -s -h c:\winnt\system32\load.exe (Win2k/WinNT) or attrib -s -h c:\windows\system\load.exe (Win95/98/ME) Scan all files on all drives. Delete infected files. If disks have been shared out, "unshare" them. Replace the file Riched20.dll with a clean copy from backup or a clean computer. Scan all PCs once more to ensure that they have not been reinfected. Connect the PCs to the network when they are clean - one at a time as they are confirmed to be clean. Connect your LAN to the Internet For IIS users: If you are running Internet Information Server (IIS), please make absolutely certain that there is no backdoor installed. The NT/CodeRed.C worm installs a backdoor, which is used by Nimda to spread. If this backdoor exists, cleaning and patching up the machine with the latest patches will be in vain. Microsoft has released an utility to remove the obvious effects of this backdoor: url=/technet/security/tools/redfix.asp

Last Updated: 12 Nov 2015 11:06:11