Nimda Virus Information


UAE_KNIGHT
25-09-2001, 01:59 AM
How the Nimda virus spreads on a workstation or (P)
Be careful when you receive an email from an unknown sender that contains a Readme.exe attachment: it is the Nimda virus.
----------------------------------------------------------
If the worm is started from the README.EXE file (or a file that has more than 5 symbols in its name and an EXE extension), it copies itself to the temporary folder under a random name of the form 'MEP*.TMP' and runs itself from there with the '-dontrunold' command line option.

When started, the worm loads itself as a DLL library, looks for a specific resource there and checks its size. If the resource size is less than 100, the worm unloads itself; otherwise it extracts the resource to a file and launches it. The resource size check is done so the worm can detect whether it is running from an infected EXE file.

Then the worm gets the current time and generates a random number. After performing a few arithmetic operations on this number the worm checks the result. If the result is bigger than the worm's counter, the worm starts to search for and delete README*.EXE files in the temporary folder.

After that the worm prepares its MIME-encoded copy by extracting a pre-defined multi-partite MIME message from its body and appending its MIME-encoded copy to it. The file is created with a random name in a temporary folder.

The worm then looks for the EXPLORER process, opens it and assigns its process as a remote thread of Explorer. The worm gets API, creates a mutex named 'fsdhqherwqi2001', starts up Winsock services, gets the infected computer (host) information and sleeps for some time. When resumed, the worm checks which platform it is running on. If it is running on an NT-based system, it compacts its memory blocks to occupy less space in memory and copies itself as LOAD.EXE to the Windows system directory. Then it modifies the SYSTEM.INI file by adding the following string after the SHELL= variable in the [Boot] section:

ad.exe -dontrunold
This will start the worm's copy every time Windows starts. The worm also copies itself as a RICHED20.DLL file to the system folder and sets the hidden and system attributes on this file as well as on the LOAD.EXE file. Then the worm enumerates shared network resources and starts to recursively scan files on remote systems.

When searching for files on remote systems the worm looks for .DOC and .EML files and then copies its binary image under the RICHED20.DLL name to the folders where the DOC and EML files are located. The copied DLL file has the system and hidden attributes. This is done to increase the chances of worm activation on remote systems, as Windows' original RICHED20.DLL component is used to open OLE files; instead, the worm's RICHED20.DLL file from the current directory will be launched.

Also, when the worm browses the remote computers' directories it creates .EML and (rarely) .NWS files that have the names of document or webpage files the worm could find on the remote system. These .EML and .NWS files are the worm's multi-partite messages with the worm MIME-encoded in them. When scanning, the worm can also delete the .EML and .NWS files it previously created.

The worm doesn't try to infect local or remote EXE files when started from a workstation.
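Added example (not part of the post above): a small Python scanner that looks for the file-system traces the post describes, so a defender can sweep a mounted share or a system directory for them. It checks for RICHED20.DLL sitting beside .DOC/.EML files, for .EML/.NWS files named after a document or web page in the same folder, for MEP*.TMP dropper copies, and for a SYSTEM.INI [boot] shell= line with something chained after the shell. The sample tree and SYSTEM.INI text are constructed for the demo; the .htm/.html extensions used for "webpage files", and the assumption that the appended shell= text names the LOAD.EXE copy, are mine, not the post's.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Traces the post describes: RICHED20.DLL dropped beside .DOC/.EML files,
# .EML/.NWS copies named after documents or web pages, MEP*.TMP droppers,
# and a SYSTEM.INI [boot] shell= line with something chained after the shell.
DOCUMENT_EXTS = {".doc", ".eml"}
MESSAGE_EXTS = {".eml", ".nws"}
# Assumption: "webpage files" means .htm/.html; the post names no extension.
SOURCE_NAME_EXTS = {".doc", ".htm", ".html"}
MEP_TMP_RE = re.compile(r"mep.*\.tmp", re.IGNORECASE)
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed SYSTEM.INI; assumes the appended text names the LOAD.EXE copy.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"


def has_hidden_system_attrs(path):
    """True if HIDDEN and SYSTEM are both set. Only Windows exposes
    st_file_attributes; on other platforms this returns False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def scan_tree(root):
    """Walk a directory (for example a mounted share) and return findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        stems_by_ext = {}
        for f in files:
            p = Path(f)
            stems_by_ext.setdefault(p.suffix.lower(), set()).add(p.stem.lower())

        # 1. RICHED20.DLL in a folder that also holds .DOC/.EML files
        if "riched20.dll" in by_lower and any(e in stems_by_ext for e in DOCUMENT_EXTS):
            dll = Path(dirpath, by_lower["riched20.dll"])
            findings.append({"type": "riched20_beside_documents",
                             "path": str(dll),
                             "hidden_system": has_hidden_system_attrs(dll)})

        for f in files:
            p = Path(f)
            # 2. .EML/.NWS whose base name matches a document/web page beside it
            if p.suffix.lower() in MESSAGE_EXTS:
                for ext in sorted(SOURCE_NAME_EXTS):
                    if p.stem.lower() in stems_by_ext.get(ext, ()):
                        findings.append({"type": "message_named_after_document",
                                         "path": str(Path(dirpath, f)),
                                         "mirrors": ext})
                        break
            # 3. MEP*.TMP dropper copies
            if MEP_TMP_RE.fullmatch(f):
                findings.append({"type": "mep_tmp_dropper",
                                 "path": str(Path(dirpath, f))})
    return findings


def check_system_ini(text):
    """Return the [boot] shell= value and whether anything follows the shell executable."""
    section, shell = None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot":
            m = SHELL_RE.match(line)
            if m:
                shell = m.group(1)
    tokens = shell.split() if shell else []
    return {"shell": shell, "extra": tokens[1:], "suspicious": len(tokens) > 1}


def build_sample_tree():
    """Constructed share layout with fake contents reproducing the post's traces."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    layout = {
        "docs/report.doc": b"fake document",
        "docs/report.eml": b"MIME-Version: 1.0",  # worm copy named after report.doc
        "docs/riched20.dll": b"MZ",               # DLL dropped beside the documents
        "web/index.htm": b"<html></html>",
        "web/index.nws": b"MIME-Version: 1.0",    # worm copy named after index.htm
        "clean/notes.doc": b"fake document",      # no DLL, no mirrored .eml: benign
        "tmp/mep1f.tmp": b"MZ",                   # MEP*.TMP dropper in a temp folder
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def run_demo():
    """Build the sample tree, scan it, remove it again, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
    print(check_system_ini(SAMPLE_SYSTEM_INI))
```

On the sample tree the scan reports the DLL beside the documents, the two mirrored message files and the MEP*.TMP copy, and nothing for the clean folder; the hidden/system attribute check is only meaningful when run on Windows, where the worm's dropped files carry both bits. Point scan_tree at a share root or the system directory to sweep real hosts.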