FRISK Software International

Summary of W32/Nimda.A
Length: approx 12KB
Discovered: 18 Sep 2001
Definition files: 18 Sep 2001
Jump to:
Brief description
Removal Instructions

Brief Description

Nimda.A, is a new mass mailing worm that has been spreading rapidly trough out world today. The worm spreads via e-mail through an attachment named readme.exe. The worm uses the infected computer to scan for web servers using the IIS server from Microsoft. If the worm finds servers that are running the IIS server and have not been patched with the patches that Microsoft published to deter CodeRed, it can infect and spread via those. Nimda can also use backdoor created by both the CodeRed and Sadmind worms, as well as other known security flaws of the IIS server. When Nimda infects a server it creates a new guest account in the administrator folder that gives the guest account the same privileges that only the administrator would under normal circumstances have.

Users of Microsoft Outlook and Internet Explorer should be especially careful. They do not need to execute the attachment to get infected, in Outlook it is enough to open the letter itself because Oulook automatically runs this particular attachment (using Internet Explorer's rendering engine). The exploit used by the worm can be fixed with this patch, which is also included in Service Pack 2 for Internet Explorer 5.5.

Detection has already been found for this worm by FRISK Software International's experts and removal instructions can be found below.

Users of FRISK Software International's mail filter service will not have been affected by this worm for the mail filter already detected worms of this nature.

Removal Instructions

F-Prot Antivirus with the latest signature files can detect the Nimda.A worm. Full disinfection of the worm requires on the other hand some manual attention. To disinfect the worm and restore security of affected computers, please follow these instructions:

1. Update the virus signature files. Information on how to update can be found at the F-Prot support page.

2. Temporarily disable the network. This is necessary since the worm uses the network to spread itself.

3.Use the OnDemand Scanner to scan all files, ignoring extensions ("dumb scan"). Disinfect all files that are found, except .HTML, .HTM and .ASP files, as well as files that have the words 'DEFAULT', 'INDEX', 'MAIN' and 'README' in their filenames. Check these files manually for a small JavaScript code referring to a README.EML file. Remove this JavaScript code or restore the affected files from a backup. This JavaScript code is located at end of the affected files.

4.Delete all infected copies of .EML and .NWS files (normally 79 KB in size). Note that you might have clean EML files as well, for example if you've saved e-mails to file from Outlook Express.

5.Replace RICHED20.DLL in the Windows System directory (typically C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32) with a clean copy that can either be retrived from the original Windows CD or another computer that's running the same operating system

6. Locate SYSTEM.INI file in your Windows directory and open it with a text editor. Replace the string: "shell=explorer.exe load.exe -donotloadold" with: "shell=explorer.exe" string.

7.Delete all .TMP files from your local temporary directories.

8. Delete all shares and put them back on with the correct access right. The virus affects shares security.

9. Remove the 'Guest' account and renew it with correct access rights. Remove the guest account from the administrators group. You should consider whether you need to have the guest account enabled. If you do not then you should disable the guest account

10. Correct Windows Explorer's settings concerning displaying of hidden files and certain extensions if necessary, as the worm makes Explorer to hide certain files and extensions.

11. Restore network connections only after all workstations are disinfected or the worm will re-infect already clean computers.


[September 19th, 2001. This analysis was based on information from our partner company F-Secure Corp.: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami Rautiainen and Mikko Hypponen]

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)