W32/Nimda.E@mm

Analysis

  • Viral body is 57344 bytes and is prepended to EXE files
  • Virus uses various exploit and infection methods in order to infect the potential host -
    • Malformed MIME header and IFrame exploit within email propagation
    • INDEX.HTML / DEFAULT.HTML file load insertion - files are modified to load infectious README.EML
    • SYSTEM.INI file load insertion
    • EXE infection - virus prepends itself to target files
    • Network spreading - virus attempts to connect to open shares and copy itself to these locations
    • Infectious README.EML / DESKTOP.EML placed in all folders
    • IP scanning to identify IIS systems, followed by a malformed GET request - in response, the infectious httpodbc.dll is uploaded to the target system and executed
    • Hiding extensions of known file types - this aids in the launch of an executable with an inappropriate file icon
  • Virus arrives as an attachment from infected users in a message structured such that a malformed MIME header exploit coupled with an IFrame exploit will cause the attachment to launch automatically when the message is either opened or previewed in Outlook
  • The message contains two parts, one being a script part containing the IFrame exploit, which invokes the second part; the second part is deliberately mislabeled with an inappropriate Content-Type of "audio/x-wav" so that the attachment, commonly named "sample.exe", is launched automatically.
  • When first executed, the virus writes two files into the Windows\Temp folder and executes one of them - the files are named similarly to "mepF050.TMP.exe" - the virus also writes a WININIT.INI configuration file which deletes the files written to the Temp folder at the next Windows startup.
  • Virus writes itself as "load.exe" to the Windows\System folder, then modifies the SYSTEM.INI file so that the shell line loads Explorer.exe followed by the virus with the parameter "-dontrunold"
  • Virus modifies the registry to hide the extensions of known file types and to not display hidden files - if infected users attempt to modify these values manually within the "View | Folder Options" menu option in a folder view, the settings are reset by the virus to continue hiding extensions and not display hidden files
  • Virus attempts to scan IP addresses in search of a system running IIS in an effort to infect that host - the virus uses a directory traversal exploit in order to send a malformed "GET httpodbc.dll" request, which in turn triggers the target to request the infectious httpodbc.dll from the requestor via TFTP
  • httpodbc.dll will be executed on the target system and infect files matching these names -

    Index.XXX
    Default.XXX
    Main.XXX

    Where .XXX could be .asp, .htm or .html - virus drops a file "Readme.eml" on the target and modifies the qualifying files to load the .eml file using the HTML instruction "refresh"

  • Virus copies itself to numerous locations as the following files -
    readme.nws
    readme.eml
    httpodbc.dll
    sample.exe
    Riched20.dll (in folders containing .DOC files)

  • Virus modifies the registry to share all local drives C through Z - after a Windows restart, the drives are fully shared - the virus then attempts to copy itself to systems available across the network

  • Virus contains the following string -

    Concept Virus(CV) V.6, Copyright(C)2001,
    (This's CV, No Nimda.)
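Detection logic for the two-part message structure described above (an attachment mislabeled as "audio/x-wav" that an IFrame loads automatically), as an added example that is not part of the original analysis; it uses only the Python standard library and a constructed sample message with a harmless placeholder payload.

```python
import re
from email import message_from_string

# Filename extensions that should never arrive under a media Content-Type.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
# <iframe ... src="cid:..."> inside an HTML part, referencing another MIME part.
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'>\s]+)', re.I)

# Constructed sample (not a real Nimda message): the two-part shape described above with a placeholder payload.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="sample.exe"
Content-ID: <part1>
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


def nimda_mime_indicators(raw: str) -> list:
    """Return indicator strings for a raw RFC 822 message (empty if clean):
    an attachment whose media Content-Type does not match its executable
    filename, and an HTML IFRAME that auto-loads such a part via cid:."""
    msg = message_from_string(raw)
    findings, mislabelled, iframe_refs = [], {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if ctype == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            iframe_refs.extend(m.group(1) for m in IFRAME_CID.finditer(body))
        elif fname.endswith(EXEC_EXT) and not ctype.startswith("application/"):
            findings.append(f"{fname} declared as {ctype}")
            if cid:
                mislabelled[cid] = fname  # candidate for the IFRAME check
    for cid in iframe_refs:
        if cid in mislabelled:
            findings.append(f"iframe auto-loads cid:{cid} ({mislabelled[cid]})")
    return findings
```

Run against a mail gateway's raw messages, a non-empty result is a reason to quarantine the message for review.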

Telemetry

Detection Availability

Product                   Availability
FortiGate                 Extreme
FortiClient               Extended
FortiMail                 Extended
FortiSandbox              Extended
FortiWeb                  Extended
Web Application Firewall  Extended
FortiIsolator             Extended
FortiDeceptor             Extended
FortiEDR

Version Updates

Date        Version   Detail
2024-04-01  92.02981
2024-02-11  92.01486
2024-02-11  92.01483
2024-02-11  92.01482
2024-02-11  92.01477
2023-08-01  91.05634
2023-06-13  91.04163
2023-06-11  91.04096
2023-06-11  91.04095
2023-06-11  91.04094