Virus

W32/Nimda.L

Analysis

  • Virus is 32-bit and attaches itself to host files, increasing their size by a variable amount
  • Virus uses several infection and propagation methods to reach a potential host:
    • EXE infection – virus prepends itself to target files
    • Network spreading – virus attempts to connect to open shares and copy itself to these locations
    • When a .DOC file is opened in MS Word and a Riched20.dll resides in the same folder, Word loads that copy into memory in place of the system one (DLL search-order hijack); the Riched20.dll created by the virus then launches the infectious _setup.exe
  • When first executed, the virus may write two files into the Windows\Temp folder and execute one of them; the files have names similar to “mepF050.TMP.exe”. The virus also writes a WININIT.INI configuration file whose entries delete the Temp files at the next Windows startup, removing the droppers once the virus is installed
  • Virus writes itself as “_setup.exe” to the Windows\System folder, then modifies the shell= line of SYSTEM.INI so that the shell Explorer.exe is loaded followed by the virus with the parameter “-dontrunold”; this keeps the virus running after every boot
  • Virus may attempt to infect installed applications, locating them through the entries listed under this registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
  • Virus may modify the registry so that all local drives C through Z are shared; after a Windows restart the drives are fully shared, and the virus then attempts to copy itself to systems reachable across the network