W32.Nimda.A @mm  Virus

Symantec Security Response has received a number of submissions on W32.Nimda.A.@mm and is rating it as a Category 4.

W32.Nimda.A@mm is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as a file named readme.exe in an email.

In addition, the worm sends out probes to Microsoft IIS servers attempting to spread itself by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.

Type: Worm

Threat Assessment:

 

Wild: High

Damage: Low

Distribution: High

Wild:

• Number of infections: 50 - 999
• Number of sites: 3 - 9
• Geographical distribution: Medium
• Threat containment: Easy
• Removal: Easy

Damage:

• Payload:
  • Large scale e-mailing: Uses MAPI to send itself out as README.EXE
  • Compromises security settings: Opens the C drive as a network share

Distribution:

• Name of attachment: README.EXE
• Shared drives: Opens network shares
• Target of infection: Attempts to infect unpatched IIS servers

Write-up by: Eric Chien