Win32:Nimda is a very complex Internet virus. It arrives in an e-mail message as an attachment called README.EXE. Such a message has an empty body and an empty or random subject. It uses a security hole in older MS Outlook and Outlook Express clients: the attachment can be executed simply by viewing the mail in the preview pane. This virus is able to run under all Windows operating systems.
When executed, the virus copies itself into the Windows system directory under the names LOAD.EXE, RICHED20.DLL and sometimes MMC.EXE (it overwrites the original files if they exist). These files have the system and hidden attributes set. It modifies the SYSTEM.INI file in order to activate itself on every startup:
Other copies of the virus are stored in the temporary directory under the names MEP*.TMP.EXE and sometimes in the root directory of the local disks under the name ADMIN.DLL. The virus then searches for the e-mail addresses of further victims. Besides the standard sources (Outlook, Exchange) it also searches .HTM and .HTML files.
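The on-disk indicators listed above (system-directory copies carrying the hidden+system attribute pair, MEP*.TMP.EXE files in the temporary directory, ADMIN.DLL in a drive root) can be checked with a small triage script. The following is an added example, not part of the original entry and not avast's detection code. The file names come from the description; the directory layout, the clean decoy files and the attribute map built by `build_constructed_layout` are constructed for an offline dry run, and `ntfs_attributes` reads real Windows file attributes only when the script runs on Windows (elsewhere it reports that attributes could not be read).

```python
import fnmatch
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Tuple

# File names from the description above. RICHED20.DLL and MMC.EXE are legitimate
# Windows files that the worm overwrites, so their presence alone proves nothing;
# the hidden+system attribute combination is what distinguishes the worm's copies.
SYSTEM_DIR_NAMES = ("LOAD.EXE", "RICHED20.DLL", "MMC.EXE")
TEMP_DIR_PATTERN = "MEP*.TMP.EXE"
ROOT_DIR_NAME = "ADMIN.DLL"

AttrReader = Callable[[str], Optional[Tuple[bool, bool]]]


@dataclass
class Finding:
    path: str
    name: str
    reason: str


def ntfs_attributes(path: str) -> Optional[Tuple[bool, bool]]:
    """(hidden, system) from the file's Windows attributes; None where unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:  # non-Windows platform: nothing to read
        return None
    return (bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM))


def _entries(directory: str) -> Iterable[str]:
    try:
        return os.listdir(directory)
    except OSError:  # a missing drive or directory is not an indicator
        return []


def scan_for_nimda_files(system_dir: str, temp_dir: str, drive_roots: Iterable[str],
                         attrs_of: AttrReader = ntfs_attributes) -> List[Finding]:
    """Return every file matching one of the on-disk indicators described above."""
    findings: List[Finding] = []
    for entry in _entries(system_dir):
        if entry.upper() not in SYSTEM_DIR_NAMES:
            continue
        path = os.path.join(system_dir, entry)
        attrs = attrs_of(path)
        if attrs is None:
            findings.append(Finding(path, entry.upper(),
                                    "known Nimda file name (attributes not readable on this platform)"))
        elif attrs == (True, True):
            findings.append(Finding(path, entry.upper(),
                                    "known Nimda file name with hidden+system attributes set"))
    for entry in _entries(temp_dir):
        if fnmatch.fnmatch(entry.upper(), TEMP_DIR_PATTERN):
            findings.append(Finding(os.path.join(temp_dir, entry), entry.upper(),
                                    "temporary copy matching MEP*.TMP.EXE"))
    for root in drive_roots:
        for entry in _entries(root):
            if entry.upper() == ROOT_DIR_NAME:
                findings.append(Finding(os.path.join(root, entry), entry.upper(),
                                        "ADMIN.DLL in a drive root"))
    return findings


def build_constructed_layout(base: str) -> dict:
    """Constructed directory tree standing in for a system dir, temp dir and a drive root."""
    system_dir = os.path.join(base, "SYSTEM32")
    temp_dir = os.path.join(base, "TEMP")
    root_dir = os.path.join(base, "C_ROOT")
    for d in (system_dir, temp_dir, root_dir):
        os.makedirs(d, exist_ok=True)
    for name in ("LOAD.EXE", "RICHED20.DLL", "MMC.EXE", "NOTEPAD.EXE"):
        Path(system_dir, name).write_bytes(b"constructed placeholder, not malware")
    for name in ("MEP1A2B.TMP.EXE", "harmless.tmp"):
        Path(temp_dir, name).write_bytes(b"constructed placeholder")
    for name in ("ADMIN.DLL", "AUTOEXEC.BAT"):
        Path(root_dir, name).write_bytes(b"constructed placeholder")
    # Constructed attribute map: LOAD.EXE and the overwritten RICHED20.DLL carry
    # hidden+system; MMC.EXE here stands for the untouched legitimate file and must not fire.
    flagged = {os.path.join(system_dir, "LOAD.EXE"), os.path.join(system_dir, "RICHED20.DLL")}
    return {"system_dir": system_dir, "temp_dir": temp_dir, "roots": [root_dir],
            "attrs_of": lambda p: (p in flagged, p in flagged)}


def demo() -> List[Finding]:
    """Dry run against the constructed layout; returns the four expected findings."""
    with tempfile.TemporaryDirectory() as base:
        layout = build_constructed_layout(base)
        return scan_for_nimda_files(layout["system_dir"], layout["temp_dir"],
                                    layout["roots"], layout["attrs_of"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

On a real machine `scan_for_nimda_files` would be called with the actual system directory, `%TEMP%` and the drive roots; the attribute reader is a parameter so that a mounted disk image or a test layout can be examined without Windows attribute support.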
The virus scans random IP addresses and checks IIS web servers for the security hole known as the Unicode vulnerability (which was also used by the CodeBlue worm) and also for the backdoor opened by the Win32:CodeRed.C worm, in an attempt to spread further. Compromised servers are searched for HTML/ASP files, and those files are modified so that they display a web page prompting the user to download an MS Outlook EML file which contains the worm as an attachment. The virus is thus able to penetrate firewalls via e-mail and then infect complete intranets.
The virus also adds the user GUEST to the Administrators group, so that this user has full control of the machine. It also sets registry keys to hide file extensions.
The virus contains the following text:
All users running Microsoft Internet Explorer (versions 5.01 to 5.5 without SP2) should install the Microsoft patch for the Incorrect MIME Header vulnerability. All users running the IIS web server should also install the Microsoft IIS cumulative patch dated 15th August 2001.
Win32:Nimda-E is very similar to the original virus. The attachment is called SAMPLE.EXE; it saves itself to disk under the name HTTPODBC.DLL, and as CSRSS.EXE instead of MMC.EXE in the system directory. This variant is also able to select a random sender name, so tracing the source is a little more complicated.
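The mail-borne traits described for the original worm and for the -E variant (README.EXE or SAMPLE.EXE attached, empty body, empty or random subject, and an executable delivered under a misleading MIME type, which is what the Incorrect MIME Header patch addresses) translate into a simple gateway triage rule. The following is an added example, not code from the original entry or from avast. It uses only the standard `email` library; the three sample messages, their addresses and the "random" subject are constructed, the attachment bytes are an inert placeholder, and the list of executable suffixes beyond .EXE is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Attachment names from the description: README.EXE (original) and SAMPLE.EXE (Nimda-E).
NIMDA_ATTACHMENT_NAMES = {"README.EXE", "SAMPLE.EXE"}
# Assumption: suffixes treated as executable; the description itself only names .EXE.
EXECUTABLE_SUFFIXES = (".EXE", ".SCR", ".PIF", ".COM")


def triage_message(raw: bytes) -> Dict[str, object]:
    """Classify one RFC 822 message against the mail-borne traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachment_hits: List[str] = []
    notes: List[str] = []
    body_has_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            upper = filename.upper()
            if upper in NIMDA_ATTACHMENT_NAMES:
                attachment_hits.append(f"attachment name {filename} matches Nimda")
            if upper.endswith(EXECUTABLE_SUFFIXES):
                ctype = part.get_content_type()
                # Executable content declared under a harmless media type is the
                # MIME-header trick the IE patch mentioned above is meant to close.
                if not ctype.startswith("application/"):
                    attachment_hits.append(f"executable {filename} declared as {ctype}")
        elif part.get_content_type() == "text/plain" and part.get_content().strip():
            body_has_text = True
    if not body_has_text:
        notes.append("empty message body")
    if not str(msg["Subject"] or "").strip():
        notes.append("empty subject")
    # Attachment evidence decides; the empty body/subject traits are recorded as context.
    verdict = "quarantine" if attachment_hits else "allow"
    return {"verdict": verdict, "reasons": attachment_hits + notes}


def constructed_sample(subject: str, body: str, attachment: str, ctype: str) -> bytes:
    """Build a constructed message; the attachment bytes are an inert placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(b"placeholder bytes, not an executable",
                       maintype=maintype, subtype=subtype, filename=attachment)
    return msg.as_bytes()


SAMPLES = {
    # original worm: README.EXE, empty body, empty subject, executable behind audio/x-wav
    "nimda": constructed_sample("", "", "README.EXE", "audio/x-wav"),
    # -E variant: SAMPLE.EXE with a (constructed) random subject
    "nimda_e": constructed_sample("kq3x 81zz", "", "SAMPLE.EXE", "audio/x-wav"),
    # ordinary mail with a PDF, for contrast
    "benign": constructed_sample("Q3 report", "Attached is the report.",
                                 "report.pdf", "application/pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage_message(raw))
```

The name match alone would miss a renamed attachment, which is why the executable-under-a-non-application-type check is kept separate: it catches the delivery trick rather than the particular file name.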
Any avast! with a VPS file dated on or after 18th September 2001 is able to detect this virus.
Refer: Avast