Nimda.A & Nimda.E
There are several variants of W32.Nimda in general circulation. The most common two are W32.Nimda.A@mm and W32.Nimda.E@mm.
What is Nimda?
W32.Nimda is a mass-mailing worm that uses multiple methods to spread over the Internet and intranets, infecting as many users as possible and creating so much traffic that networks become virtually unusable. When it arrives by email, the worm uses a MIME exploit that allows it to be executed just by reading or previewing the message.

The email subject line varies, the message body is blank, and the attachment name varies (most often README.EXE); the attachment may use the icon for an Internet Explorer HTML document.

Once on a machine, the virus attempts to spread to other users via network shares and to forward itself to other email addresses found on the computer. It also looks for vulnerable IIS web servers, spreads to them, and modifies web server files to append malicious JavaScript code. If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer, which is then executed, forwarding the virus once more.

Symptoms of Nimda virus infection:
  • Presence of any of the following files: 
    • C:\ADMIN.DLL (exact location in root directory)* 
    • D:\ADMIN.DLL (exact location in root directory) 
    • E:\ADMIN.DLL (exact location in root directory) 
    • Many .EML files with the same name (typically README.EML or DESKTOP.EML) (any drive or folder)
    • README.EXE (any drive or folder)** 
    *It is possible to have an admin.dll file in a subdirectory which is not caused by the virus. For example, you might find it in WINNT/system32/dllcache/. Check the file date and see if it looks recent (for example, later than 1 September 2001). 

    **You cannot use the automated search function to locate the README.EXE file, because the virus corrupts the find command. You must open every shared folder and see if README.EXE has been added. To do this: 

    • Click the Start button and select the Run menu option. 
    • Enter CMD (no backslashes) and click OK. The command window opens. 
    • Enter net share and press RETURN. 
    • Using Explorer, see if README.EXE is listed in any shared folders on C: or D:. You can ignore the other shares. For example, if you see C:\WINNT listed, check that folder. If you see X:\ listed, ignore it. 
  • Unwanted open shares on drives or folders. Use the following procedure to check this: 
    1. Double-click on the desktop icon for My Network Places (Network Neighborhood). 
    2. Click down through the entire network to your facility and your computer's machine name. Note the names of any folders that should not be shared. Your printers and printer schedule tasks folders may be legitimate shares, as may any other folders you personally set to share with specific individuals. If in doubt, ask an IT person. 
  • Enabled administrator guest account. Use the following procedure to check this: 
    1. Click the Start->Settings->Control Panel->Administrative Tools->Computer Management menu option. 
    2. Expand the tree for "Local Users and Groups" and click on the Users folder. 
    3. Right-click on Guest and select the Properties menu item. The "Account is disabled" checkbox should be selected. 

    ... other general virus infection symptoms here.
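
The file-based symptoms listed above can also be checked with a short script. This is an added example, not part of the original page: it assumes Python is run from a known-clean system against the drive (or a mounted copy of it), and the threshold of 3 for "many" same-named .EML files and the script name are assumptions.

```python
import os
import sys
from collections import Counter
from datetime import datetime

CUTOFF = datetime(2001, 9, 1)  # date the page gives for judging ADMIN.DLL copies
EML_THRESHOLD = 3              # assumption: "many" same-named .EML files means 3+

def scan_root(root, eml_threshold=EML_THRESHOLD):
    """Walk one drive root; return a list of (indicator, detail) findings."""
    findings = []
    eml_names = Counter()
    root = os.path.abspath(root)
    for dirpath, _dirs, files in os.walk(root):
        at_root = os.path.abspath(dirpath) == root
        for name in files:
            upper = name.upper()
            path = os.path.join(dirpath, name)
            if upper == "ADMIN.DLL":
                if at_root:
                    findings.append(("ADMIN.DLL in drive root", path))
                    continue
                # Copies in subdirectories can be legitimate: flag only recent ones.
                try:
                    modified = datetime.fromtimestamp(os.path.getmtime(path))
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if modified > CUTOFF:
                    findings.append(("recent ADMIN.DLL in subdirectory", path))
            elif upper == "README.EXE":
                findings.append(("README.EXE", path))
            elif upper.endswith(".EML"):
                eml_names[upper] += 1
    for name, count in sorted(eml_names.items()):
        if count >= eml_threshold:
            findings.append(("repeated .EML name", "%s x%d" % (name, count)))
    return findings

if __name__ == "__main__":
    # Usage: python nimda_check.py C:\ D:\ E:\   (script name is hypothetical)
    for drive in sys.argv[1:]:
        for indicator, detail in scan_root(drive):
            print("%s: %s" % (indicator, detail))
```

A hit is a reason to inspect the file, not proof of infection; the share and Guest account checks in the list still have to be done separately.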

 


PC S.O.S.
Copyright © 1995 - 2012. All rights reserved.