ALL Windows versions are affected. centralcommand.com (avx) already has a vaccine as well.
Taken from C.Command.
----
Central Command first discovered the Win32.Nimda.A@mm
Internet worm on 09/18/2001 but is releasing a second warning
about this worm to all users. This worm is spreading fast globally
and Central Command recommends that all users update AntiVirus
eXpert immediately to protect against this worm.
Name: Win32.Nimda.A@mm
Aliases: W32/Nimda.A
Type: File Infector & Internet Worm, written in Visual C language
Size: 57344 bytes
Risk: High
ITW: Yes
Description:
This virus comes through e-mail as an attached file, with the
body of the mail apparently empty but which actually contains
code to use an exploit that will execute the virus when the user
merely views the message (if using Outlook or Outlook Express
without the latest Service Packs or patches from Microsoft). When
installed it copies itself into the system directory with the name
load.exe. It also copies over the library riched20.dll, modifying
itself to be loaded as a DLL (Dynamically Linked Library). This DLL
is used by applications that work with Richedit Text Format such
as Wordpad.
To be activated at every reboot the virus modifies system.ini in
the boot section by writing the following line:
shell=explorer.exe load.exe -dontrunold
In Windows NT/2000 the virus attaches a thread to explorer.exe to
run its viral code, and in Windows 95/98/ME it registers itself as a
service process. With these actions the virus remains invisible to
the user.
To spread it uses MAPI (Mailing API) functions to read the user's
e-mails, from which it extracts SMTP (Simple Mail Transfer
Protocol) server addresses and e-mail addresses. It is also able
to send e-mails without MAPI functions, by connecting directly
to an SMTP server.
Another method to spread is by using the Unicode Web Traversal
exploit, similar to CodeBlue. Information and a patch for this
exploit are located at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
The virus creates 200 threads and tries to send itself, using the
specified exploit, to an IIS server. Using this exploit the virus gets
control of the execution flow on that server and downloads itself
under the name admin.dll, then puts HTML code into the web
page hosted by the IIS server to download the virus. To do this it
tries to modify the files named index, main or default with one of
the extensions .html, .htm or .asp.
The virus also enumerates the network resources visible to the
infected computer and tries to copy itself to shares.
When running in Windows NT/2000, the virus is capable of
infecting files by attaching the executable as a resource with raw
data named f in the virus program. When the infected file is
executed the virus has control and executes the original file,
so the user doesn't notice anything unusual. This is
accomplished by dropping that f resource into a file with the same
name as the original but with a space appended, followed by
.exe. The virus reads from the registry the keys contained in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
This key contains the paths to all applications installed in the
system. The one exception in the infection routine is that the
virus avoids infecting the file winzip32.exe.
Also, when running under NT, the virus creates the user guest
with no password and adds it to the Administrators group. It creates
a share for every root directory (from C to Z) with all access
rights.
The virus is able to disable the proxy by modifying the keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0
HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0
Leaving the library riched20.dll overwritten by the virus will
reactivate it when a program using this library is executed.
As a signature the following text can be found in the file: Concept
Virus(CV) V.5, Copyright(C)2001 R.P.China
-------
Regards.
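A small triage helper for the host-side indicators the advisory lists (the system.ini shell line, the proxy registry values and the web pages the worm rewrites). This is an added example, not Central Command's code; the system.ini text and registry values are constructed samples, and the checks only flag items for a human to inspect.

```python
import ntpath

# Constructed sample of a [boot] section rewritten as the advisory describes.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"

# Registry values the advisory says the worm sets (value listed beside each key).
PROXY_INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy": 1,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
    r"HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
}

WEB_NAMES = {"index", "main", "default"}
WEB_EXTS = {".html", ".htm", ".asp"}


def boot_shell_command(ini_text):
    """Return the shell= value of the [boot] section, or None if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def shell_is_suspicious(ini_text):
    """A clean Windows 9x/ME boot shell is 'explorer.exe' alone; any extra
    token (here 'load.exe -dontrunold') means something hooked the shell."""
    value = boot_shell_command(ini_text)
    return value is not None and value.lower().split() != ["explorer.exe"]


def matching_proxy_indicators(registry_values):
    """Keys whose value equals the worm's setting. ProxyEnable=0 is also a
    normal state on many hosts, so treat a match as weak on its own."""
    return [k for k, v in PROXY_INDICATORS.items() if registry_values.get(k) == v]


def pages_to_review(filenames):
    """Web files the worm targets for injected HTML: index/main/default
    with .html, .htm or .asp. Returns them for content inspection."""
    hits = []
    for name in filenames:
        stem, dot, ext = ntpath.basename(name).rpartition(".")
        if dot and stem.lower() in WEB_NAMES and "." + ext.lower() in WEB_EXTS:
            hits.append(name)
    return hits
```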