Directory of Burlington Vermont
area Web Sites and Information


W32.Nimda.A@mm Worm Virus Arrives Cloaked Via E-mail and Compromised Web Sites

This worm virus will NOT affect any of my web sites

There is a new virus out there that has been designed to attack servers using Microsoft Windows, but it will also affect home users. What makes this virus so dangerous is that it sends itself to you as an attached, invisible, automatically executed *.exe file, so you won’t even know the email had an attachment, much less a virus. In fact, you may not even realize you received an email.

  1. The virus does large-scale e-mailing, using MAPI to send itself out as Readme.exe; each time it is sent out it randomly picks a different name and email address from your address book for the sender field, so each person who receives the virus from you will think it came from a different person. That’s if they can even figure out which email had the virus.

  2. The virus replaces legitimate files with itself. That way you are re-executing the virus periodically, and the virus can search your system again for any new vulnerabilities and take advantage of them.

  3. The virus opens your C: drive up as a shared drive with administrative privileges to anyone on your network, and if possible, anyone on the Internet. Anybody with administrative privileges to your hard drive can do ANYTHING they want to it, including reformatting it for you.

  4. This virus alters your registry so all files on all your local hard drives will be shared with administrative privileges, the next time the computer is booted up.

  5. The virus sets itself up as a second shell in the system.ini file, so it is automatically run in addition to explorer.exe on future boot-ups.

  6. Each time the worm is run, it looks for web site files: *.htm, *.html, and *.asp! Web pages are altered so that they carry a link to the virus program. Now you can be fooled into downloading your own copy, which will arrive in the form of a *.eml email file. And if you have JavaScript enabled, you don’t even have to click on the link to get the virus; the file is downloaded and run for you, without you clicking on anything. And, since this is an email file, you won’t get the download box, either. Because it is a hidden, automatically executed program inside an auto-downloading email file, the email file opens in your browser window, so you get a banner window with an auto-downloading, auto-executing virus in it.

  7. The virus will look through any web pages it can find for email addresses in them. Then it will email itself to those email addresses, using the email program on the server and its own SMTP server.

  8. For the home user that is infected, the virus will also watch as you open new web pages (which puts the web page in the Temporary Internet Files folder on your hard drive), and will email the virus to any email address that is listed on any web page you open.
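
Items 5 and 6 above describe two changes an administrator can check for by hand: an extra program on the shell line of system.ini, and a script block appended to web pages that opens a *.eml file without a click. The following is an added example, not code from this page or from Symantec, that does both checks on text you feed it; the exact shape of the injected script and the file names are assumptions, and the sample inputs are constructed.

```python
import re
from typing import List

# Item 6: a <script> block that calls window.open() on a *.eml file so the
# browser opens it as a banner window without any click.  The exact snippet
# the worm appends is an assumption; the page only states that JavaScript
# auto-loads a *.eml file from the altered web page.
INJECTED_EML_SCRIPT = re.compile(
    r"<script[^>]*>.*?window\.open\(\s*['\"][^'\"]*\.eml['\"].*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def find_eml_script_injection(page_html: str) -> List[str]:
    """Return every script block in page_html that opens a .eml file."""
    return [m.group(0) for m in INJECTED_EML_SCRIPT.finditer(page_html)]


def extra_shells(system_ini: str) -> List[str]:
    """Return programs on the [boot] shell= line other than explorer.exe.

    Item 5 says the worm adds itself as a second shell; on a clean Windows
    9x/NT system.ini the line reads 'shell=explorer.exe' and nothing else.
    """
    in_boot = False
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            programs = line.split("=", 1)[1].split()
            return [p for p in programs if p.lower() != "explorer.exe"]
    return []


# Constructed samples (not captured from a real infection).
CLEAN_PAGE = "<html><body><p>Welcome to Burlington</p></body></html>"
TAMPERED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">'
    'window.open("banner.eml", null, "resizable=no,top=6000,left=6000")'
    "</script></html>"
)
CLEAN_INI = "[boot]\nshell=explorer.exe\n[386Enh]\n"
TAMPERED_INI = "[boot]\nshell=explorer.exe worm_dropper.exe\n[386Enh]\n"

if __name__ == "__main__":
    print("tampered page hits:", find_eml_script_injection(TAMPERED_PAGE))
    print("extra shells:", extra_shells(TAMPERED_INI))
```

To use it on a real server, read each *.htm, *.html and *.asp file under the web root into find_eml_script_injection() and the contents of system.ini into extra_shells(); any hit is a page or host to take offline and rebuild.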

I have tried to write this in layman's terms from information I found on Symantec's web site. For more technical details on this virus, please check out http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

This worm virus will NOT affect Burlington Web Magazine.Com’s web sites, because my web sites are on Unix servers. This virus is specifically designed to attack servers running Microsoft Windows NT or 2000. It will also affect home users running any Windows operating system from ’95 on.

If you already have this virus, Symantec recommends reformatting your hard drive and reinstalling everything. Remember, this thing replaced many of your *.DLL files with itself. If it had merely attached itself, Norton could remove the virus. With the legitimate file gone, when Norton erases the virus the program won’t run anyway, because of the missing *.dll file.

If you DON'T think you have the virus, there are some steps Symantec recommends for protecting yourself:

If you have not updated your Norton AntiVirus definitions in the last couple of days, you should do it right now.

If you are a network administrator of a system using Microsoft Windows (NT or 2000): the worm uses the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

For any user of any type of Windows: when the worm arrives by email, it uses a MIME exploit that allows the virus to be executed just by reading or previewing the message. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp As it turned out, my copy of Windows ’98 Second Edition already has the patch built in. Make sure your version of Windows ’98, and Microsoft Internet Explorer 5.0 or 5.5, also do.

Users visiting compromised web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. This .eml file also uses the aforementioned MIME exploit. Users can disable 'File Download' in their Internet security zones to prevent compromise. Just be aware that each time you do want to download a file, you will need to turn the 'File Download' feature on long enough to download it, and each time you are done downloading the file(s) you will need to turn the 'File Download' feature back off again. According to Symantec, disabling the 'File Download' feature also prevents the virus from using JavaScript to auto-download and auto-execute the file for you.
