W32/Nimda.L

Analysis

  • Virus is 32bit and appends to host files with a variable size
  • Virus uses various exploit and infection methods in order to infect the potential host
    • EXE infection – virus prepends itself to target files
    • Network spreading – virus attempts to connect to open shares and copy itself to these locations
    • When .DOC files are opened by MS Word, if Riched20.dll resides in the same folder, it is loaded into memory – the Riched20.dll file created by the virus then launches an infectious _setup.exe
  • When first executed, the virus may write two files into the Windows\Temp folder and execute one of them – the files may be named similar to “mepF050.TMP.exe” – the virus will also write a WININIT.INI configuration file which deletes the files written to the Temp folder at the next Windows startup
  • Virus will write itself as “_setup.exe” to the Windows\System folder, then modify the SYSTEM.INI file to run the virus secondary to loading the shell Explorer.exe with a parameter “-dontrunold”
  • Virus may attempt to infect installed applications based on applications which may be listed in this registry key –
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
  • Virus may modify the registry to share all local drives C through Z – after a Windows restart, the drives would be fully shared – virus then attempts to copy itself to systems available across the network
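The host-side changes listed above (the SYSTEM.INI shell line with “-dontrunold”, the _setup.exe copy in Windows\System, the WININIT.INI cleanup entries, the Temp droppers and a Riched20.dll planted beside .DOC files) can be checked for in a single offline pass. The script below is an added example, not Fortinet’s code and not part of this analysis; it runs over constructed sample input rather than a live host. The exact SYSTEM.INI shell line and the “mep????.TMP.exe” naming pattern are assumptions drawn from the description, not values quoted on the page.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed SYSTEM.INI: the analysis says the shell line is edited so the
# virus runs alongside Explorer.exe with "-dontrunold". The exact line is not
# quoted on the page, so this one is an assumption for the example.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe _setup.exe -dontrunold
drivers=mmsystem.dll

[386Enh]
device=*vcd
"""

# Constructed WININIT.INI: "NUL=<path>" under [rename] is the documented
# Windows syntax for deleting a file at the next startup.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\mepF050.TMP.exe
NUL=C:\\WINDOWS\\TEMP\\mepF051.TMP.exe
"""

# Constructed file listing standing in for a directory walk of the host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\_setup.exe",
    r"C:\WINDOWS\SYSTEM\riched20.dll",   # legitimate location, not flagged
    r"C:\Users\docs\report.doc",
    r"C:\Users\docs\riched20.dll",       # DLL beside a .doc file: flagged
    r"C:\WINDOWS\TEMP\mepF050.TMP.exe",
    r"C:\WINDOWS\explorer.exe",
]

# Assumed pattern generalised from the single sample name "mepF050.TMP.exe".
TEMP_DROPPER = re.compile(r"^mep[0-9a-f]{4}\.tmp\.exe$", re.I)
SYSTEM_DIR_SUFFIX = r"\windows\system"


def parse_ini(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal INI parser; values are lists because WININIT.INI repeats NUL=."""
    sections: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()].append(value.strip())
    return sections


def check_system_ini(text: str) -> List[str]:
    """Flag a [boot] shell line carrying -dontrunold or any program besides explorer.exe."""
    findings = []
    for shell in parse_ini(text).get("boot", {}).get("shell", []):
        tokens = shell.lower().split()
        if "-dontrunold" in tokens:
            findings.append(f"SYSTEM.INI shell line carries -dontrunold: {shell}")
        extra = [t for t in tokens if t not in ("explorer.exe", "-dontrunold")]
        if extra:
            findings.append(f"SYSTEM.INI shell line launches extra program(s) {extra}: {shell}")
    return findings


def check_wininit_ini(text: str) -> List[str]:
    """Flag [rename] NUL= entries that delete Temp files matching the dropper pattern."""
    findings = []
    for target in parse_ini(text).get("rename", {}).get("nul", []):
        name = target.replace("/", "\\").rsplit("\\", 1)[-1]
        if TEMP_DROPPER.match(name) and "\\temp\\" in target.lower():
            findings.append(f"WININIT.INI schedules deletion of a Temp dropper: {target}")
    return findings


def check_paths(paths: List[str]) -> List[str]:
    """Flag _setup.exe in the system folder, Temp droppers, and Riched20.dll beside .doc files."""
    findings = []
    by_dir: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        directory, _, name = p.replace("/", "\\").rpartition("\\")
        by_dir[directory.lower()].append(name.lower())
    for directory, names in by_dir.items():
        in_system_dir = directory.endswith(SYSTEM_DIR_SUFFIX)
        if in_system_dir and "_setup.exe" in names:
            findings.append(f"_setup.exe present in system folder: {directory}")
        if directory.endswith(r"\windows\temp"):
            findings.extend(f"Temp dropper present: {directory}\\{n}" for n in names if TEMP_DROPPER.match(n))
        # A copy of Riched20.dll outside the system folder, next to a .DOC, is the
        # DLL-planting trick described above (Word loads it from the document's folder).
        if "riched20.dll" in names and not in_system_dir and any(n.endswith(".doc") for n in names):
            findings.append(f"riched20.dll planted beside .doc files in {directory}")
    return findings


def scan(system_ini: str, wininit_ini: str, paths: List[str]) -> List[str]:
    """Run all three checks and return the combined list of findings."""
    return check_system_ini(system_ini) + check_wininit_ini(wininit_ini) + check_paths(paths)


if __name__ == "__main__":
    for finding in scan(SAMPLE_SYSTEM_INI, SAMPLE_WININIT_INI, SAMPLE_PATHS):
        print("[!]", finding)
```

On a real host the three sample inputs would be replaced by the contents of the Windows folder’s SYSTEM.INI and WININIT.INI and a recursive file listing; the checks are deliberately narrow to the indicators the analysis names, so a clean shell line, a Riched20.dll in its normal system location, or an unrelated Temp file produce no finding.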

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR