Virus Precautionary Measures
Top 10 Most Deadly Viruses


Top 10 Viruses

1. W32/Elkern.cav.c

--- Update July 12, 2002 ---
A new variant has appeared, W32/Elkern.cav.d, which only replicates under Windows 2000. Like the other variants it uses the "split cavity" infection method and the "WQ" marker to recognise files it has already infected. This variant is not related to any new W32/Klez variant, and it has been detected generically by DATs dating from October 2001.

--- Update June 11, 2002 ---
All W95/Elkern variants were renamed to W32/Elkern.

--- Update April 20, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.c) which is dropped by a new W32/Klez variant, W32/Klez.h. W32/Elkern.cav.c detection and removal will be included in the 4198 DATs. Current DATs often detect these samples as W32/NGVCK.a or New Win32 with program heuristics.

--- Update January 24, 2002 ---
A new variant was recently discovered (W32/Elkern.cav.b) which is dropped by a new W32/Klez variant (some call it W32.Klez.E@mm). These new variants of W32/Klez and W32/Elkern both require minimum 4182 DATs for detection/removal.

The W32/Klez@MM worm carries W32/Elkern.cav virus inside and drops it when activated.

  • When a virus-infected file is run on a Win98/ME system, the virus copies the infected host file itself to the \WINDOWS\SYSTEM folder under the name WQK.EXE and marks it hidden. Because the copy is whatever host happened to run, the size and contents of WQK.EXE vary from system to system. The virus also modifies WQK.EXE so that it displays no icon, by zeroing the pointer to its resource directory (where icons are stored).
    It then adds a Registry run entry so that WQK.EXE is executed on every reboot.

    After a reboot the virus infects random EXE files by either expanding the last section of the host file or by going into cavities without changing the host files' size at all.

  • When a virus-infected file is run on a WinNT/2000/XP system, it copies itself to the file WQK.DLL in the SYSTEM32 directory and creates a registry key value to load the virus:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Windows\AppInit_DLLs=Wqk.dll

This virus is network-aware and can spread through a local network. It also contains a payload to overwrite files with zeros while maintaining the original file size. This can result in critical files being overwritten and thus an inability to load the operating system after infection occurs.

The virus also infects its own carrier, the W32/Klez@MM worm, so files specific to both W32/Klez@MM and W32/Elkern.cav are likely to coexist on the same computer. If you suspect W32/Elkern.cav on your computer, read the W32/Klez@MM description as well.
 

Indications Of Infection

- Presence of a hidden WQK.EXE in \WINDOWS\SYSTEM (Win98/ME) or a hidden WQK.DLL in \SYSTEM32 (WinNT/2000/XP); on NT-based systems the AppInit_DLLs value shown above is set to Wqk.dll
- Changes to 32 bit PE (.EXE) files
- Inability to boot to Windows

2. W32/Nimda.eml

--- Update November 09, 2001 ---
A new variant was recently discovered (some call it Nimda.G) which functions the same as the .D and .E variant. The 4163-4169 DATs detect this as a variant of W32/Nimda@MM.

--- Update October 29, 2001 ---
A new variant was discovered today (some call it Nimda.D while others refer to it as Nimda.E) which functions much the same as the original version. The 4162 DATs (or greater) detect this variant as W32/Nimda.a@MM.

--- Update October 26, 2001 ---
The risk assessment was lowered to Medium due to a reduction in prevalence.

--- Update October 12, 2001 ---
A new variant was discovered today which functions much the same as the original version. Detection is included in the current DAT release. This variant is considered to be a LOW risk.

--- Update October 5, 2001 ---
A new variant was discovered today which functions much the same as the original version. However, this variant is packed with a PE packer and the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively. Detection for this new variant is included in the 4165 DAT release. This variant is considered to be a LOW risk.

This threat can infect all unprotected users of Win9x/NT/2000/ME.

Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable.

All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2) are advised to install the Microsoft patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (Microsoft Security Bulletin MS01-020).

All IIS administrators (and Win2K users who may not know they are running IIS) who have not already done so should also install the August 15, 2001 Cumulative Patch for IIS (MS01-044).

The worm spreads by several methods: mass mailing, network share propagation, the Microsoft Web Server Folder Traversal vulnerability (MS00-078, also used by W32/CodeBlue), and the incorrect MIME header vulnerability above. It also attempts to create network shares and to use the backdoor left behind by the W32/CodeRed.c worm.

The email subject line varies, message body is blank, and attachment name varies (most often README.EXE) and may use the icon for an Internet Explorer HTML document.

The most significant methods of propagation are as follows:

  • The email messages created by the worm declare a content-type of audio/x-wav for what is actually an executable attachment. A vulnerable client trusts the declared type and runs the attachment when the message is rendered, without the user's knowledge: simply viewing the message in the preview pane of Microsoft Outlook or Microsoft Outlook Express can infect you. Other mail clients still receive these messages, but the user would have to double-click the attachment to execute the virus.

  • When infecting, it appends .ASP, .HTM, and .HTML documents, and files named INDEX, MAIN, and DEFAULT, with javascript code which contains instructions to open a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected web page is accessed (locally or remotely) the machine viewing the page is infected. In other words, simply visiting a web site that is compromised can infect your computer.

  • When infecting, it creates a network share for each local drive as %$ (where % is the drive letter being shared). On Win9x/ME systems this is a full share with no password. On WinNT/2K systems the user GUEST is granted access to the share and is added to the ADMINISTRATORS group as well as GUESTS. A reboot is required before these shares appear. When the worm finds an open share, it copies itself into each folder on the drive in .EML format as described later in this description; this can include the Startup folder.

  • The worm scans IP addresses looking for IIS servers to infect via the Web Server Folder Traversal vulnerability by sending a malformed GET request. This causes vulnerable machines to initiate a TFTP session back to the scanning host to download ADMIN.DLL, after which the remote system is instructed to execute the DLL, which infects that machine. If the TFTP session fails to connect, multiple files (TFTP*) are created in the WINDOWS TEMP directory; these files are simply copies of the worm. It also tries to use the backdoor created by W32/CodeRed.c to infect.

  • .EXE files are prepended with the worm code.

  • Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.

    Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

    It may copy itself to the WINDOWS SYSTEM directory as LOAD.EXE and create a SYSTEM.INI entry to load itself at startup:
    Shell=explorer.exe load.exe -dontrunold

    Additional information:

    - A MIME encoded version of the worm is created in each folder on the system (often as README.EML or DESKTOP.EML, can also be .NWS files). This can create a lot of files and in some cases even fill up a hard disk.
    - The WININIT.INI file may be used to delete specific worm files upon reboot:
    NUL=C:\WINDOWS\TEMP\MEP52b0.TMP.exe
    - Registry key values are created/changed to hide files:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\HideFileExt
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\Hidden
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\ShowSuperHidden

    - A registry key branch is deleted to remove share security under WinNT/2K
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      lanmanserver\Shares\Security

    - The worm saves a copy of itself to C:\, D:\, and E:\ as ADMIN.DLL

    Note: a legitimate ADMIN.DLL does exist as part of the Microsoft FrontPage Server Extensions.

    - Filenames for the worm include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL, MEP*.TMP.EXE

    Note: applications which utilize the rich text format, such as Microsoft Word and WordPad, load this RICHED20.DLL file. As a result the worm is executed whenever a dependent program is run. There is normally a valid RICHED20.DLL in the WINDOWS SYSTEM directory, but the virus overwrites it. Additionally, when infecting via network shares the virus may also save itself as RICHED20.DLL in directories which contain .DOC files, so that the infected DLL is loaded when a machine opens a .DOC file from that directory (the application searches the document's directory before the system directory).

    Note: MMC.EXE is the name for the Microsoft Management Console application. It has been reported that the worm can in fact overwrite this file.

    The virus contains the string : Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China
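    The audio/x-wav trick described above (an executable attachment declared as a harmless media type) is what a mail gateway can catch by refusing to trust the declared Content-Type. The following Python script is an added example, not code from the original page or from AVERT: it parses a raw message and reports every part whose declared type disagrees with the attachment name or with the payload's magic bytes (MZ for a DOS/PE executable). The messages it checks are constructed for the example and are not captured Nimda mail; the addresses, boundary string and the set of "benign" media types are assumptions.

```python
import base64
import email
import email.policy

# Declared types under which no Win32 executable should ever arrive. The worm
# declared its attachment as audio/x-wav so the mail client would render it.
# (Assumed set for the example; extend it for a real gateway.)
BENIGN_MEDIA_TYPES = {"audio/x-wav", "audio/wav", "image/gif", "image/jpeg",
                      "text/plain", "text/html"}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".dll")


def suspicious_parts(raw: bytes) -> list:
    """Parse a raw RFC 822 message and report MIME parts whose declared
    Content-Type disagrees with the attachment name or with the payload's
    magic bytes. Returns a list of dicts; empty means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()                 # normalised, lower-case
        name = (part.get_filename() or "").lower()      # Content-Disposition or name=
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        reasons = []
        if name.endswith(EXEC_EXTENSIONS) and ctype in BENIGN_MEDIA_TYPES:
            reasons.append(f"executable name {name!r} declared as {ctype}")
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append(f"MZ header inside a {ctype} part")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "reasons": reasons})
    return findings


def build_message(attachment_ctype: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message (not a captured worm sample): an HTML body plus
    one attachment whose declared type and name are chosen by the caller."""
    return b"\r\n".join([
        b"From: user@example.invalid",
        b"To: victim@example.invalid",
        b"Subject: ",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="__boundary__"',
        b"",
        b"--__boundary__",
        b"Content-Type: text/html; charset=us-ascii",
        b"Content-Transfer-Encoding: 7bit",
        b"",
        b"<html><body></body></html>",
        b"--__boundary__",
        b'Content-Type: %s; name="%s"' % (attachment_ctype.encode(), filename.encode()),
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="%s"' % filename.encode(),
        b"",
        base64.b64encode(payload),
        b"--__boundary__--",
        b"",
    ])


# Constructed samples: the worm's shape, a legitimate archive, a legitimate
# executable that is honest about what it is.
NIMDA_STYLE = build_message("audio/x-wav", "readme.exe", b"MZ\x90\x00" + b"\x00" * 60)
LEGIT_ARCHIVE = build_message("application/zip", "notes.zip", b"PK\x03\x04" + b"\x00" * 26)
LEGIT_EXE = build_message("application/octet-stream", "setup.exe", b"MZ\x90\x00" + b"\x00" * 60)

if __name__ == "__main__":
    for label, sample in (("nimda-style", NIMDA_STYLE), ("archive", LEGIT_ARCHIVE),
                          ("honest exe", LEGIT_EXE)):
        print(label, suspicious_parts(sample))
```

    The check is deliberately independent of the filename alone: the client's decision to run the attachment was driven by the declared Content-Type, so a renamed attachment (PUTA!!.SCR in the .b variant) still trips the magic-byte comparison, while an executable honestly declared as application/octet-stream is left to policy rather than flagged as a mismatch.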

       

    Indications Of Infection

  • Presence of the files C:\ADMIN.DLL, D:\ADMIN.DLL, and E:\ADMIN.DLL
  • Presence of many .EML files with the same name (typically README.EML or DESKTOP.EML)
  • Surprisingly open network shares

    Removal Instructions

    Removing this threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.

    Infected systems must:

  • apply the patches below
  • close any network shares prior to cleaning
  • exit any running applications
  • Stop a running IIS server
  • Scan and clean each drive
  • Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.

    Failure to take these actions may result in reinfection.

    Applying patches

    All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this Microsoft patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.

    All IIS administrators (and Win2K users who may not know they are running IIS), who haven't already done so, should also install this Microsoft patch (August 15, 2001 Cumulative Patch for IIS)

    Scanning/Removal

    In cases where users of VirusScan and NetShield 4.5 or 4.51 have altered the "default extension list/program files extension list", the following package is required to scan files with extensions longer than three characters, and is required for complete detection of this threat where the extension list has been customized:
    EXTFIX1.EXE patch. Please review the README.TXT file first.

    As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list ("Program files" or "Default files") should be used.

    Additionally, Win9x users should remove the text load.exe -dontrunold from the Shell= line of the SYSTEM.INI file.

    Stand Alone Removal Tool

    Please note that VirusScan and NetShield products will detect and remove the virus and the files it affects. They will NOT remove the network shares or the GUEST account changes made by W32/Nimda@MM.

    Users that would like to have these changes removed automatically can use the AVERT NimdaScan (current version 2.0) program located on the AVERT Tools Page. Please follow the instructions in the README.TXT when using the program.

    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore".

    Protect your desktops by subscribing to VirusScan ASaP.


    Variants

    Name (Type, Sub Type): Differences

    W32/Nimda.b@MM (Virus, Internet Worm): This variant is packed with a PE packer and the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively.

    W32/Nimda.d@MM (Virus, Internet Worm): This variant uses different filenames:
      README.EXE is now SAMPLE.EXE
      MMC.EXE is now CSRSS.EXE
      ADMIN.DLL is now HTTPODBC.DLL

    W32/Nimda.e@MM (Virus, Internet Worm): Functionally the same as the D variant; minor differences only.
    W32/Nimda.f@MM (Virus, Internet Worm): Functionally the same as the D variant; minor differences only.
    W32/Nimda.g@MM (Virus, Internet Worm): Functionally the same as the D variant; minor differences only.

    3. W32/FunLove.gen

    Virus Characteristics

    Update February 28, 2001:
    Please review the corporate environment removal instructions .RTF file, updated Feb 28, 2001.

    Update September 30, 2000:
    Please note the updated instructions in the removal section for corporate environments, which give a detailed step-by-step process that, when followed, will succeed in the inoculation and removal of this virus from your environment.

    This virus is a parasitic Win32 PE file virus that infects EXE, SCR and OCX files by appending itself to the last PE section of the file. The virus also overwrites the first 8 bytes of code at the start of the program with a jump to the virus's code. Cleaning this virus requires using SCAN.EXE with a minimum engine of v4.0.70, in combination with VirusScan or NetShield 4.5 product.

    Under Windows9x/ME the file length is increased by 4099 bytes, but under Windows NT/2K/XP the file length increase is a minimum of 4099 bytes and is usually more, up to approximately 7000 bytes has been observed in tests.

    When the virus is first run, it drops a file called FLCSS.EXE into the SYSTEM folder if that file does not already exist. FLCSS.EXE is then run as a separate process and becomes the resident portion of the virus. The virus then directly infects all EXE, SCR and OCX files in the Program Files and WINDOWS (%WinDir%) folders, including sub folders. Because the default Windows shell, EXPLORER.EXE, lives in the WINDOWS folder and is therefore infected, the virus is re-executed whenever the system is restarted.

    Under Windows NT/2K/XP, if the current user is logged in with administrator rights, the virus uses a routine borrowed from the W32/Bolzano virus to patch NTOSKRNL.EXE and NTLDR. The patch takes effect after the next restart and grants every user full administrator-level access: the kernel's access check is altered so that access requests always succeed, and NTLDR is altered so that the modified kernel still passes its load-time integrity check. This gives the virus (and any low-privilege user) unrestricted access to all files on the system.

    Periodically the virus scans any network shares to which it has write access and infects any EXE, SCR and OCX files on them. The FLCSS.EXE process runs in the background: it first explores the local drives, then waits a random amount of time; depending on a random number it either goes back to exploring the local drives or starts exploring the network, returning to the local drives after the network pass.

    The virus is not encrypted or polymorphic.

    When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.
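    The infection shape described above (virus body appended to the last PE section, first bytes of the program replaced by a jump into it) can be checked for directly from the PE headers, which is useful when triaging a file before a DAT update arrives. The following Python script is an added example, not code from the original page or from AVERT. It assumes the overwritten bytes begin with a 5-byte E9 rel32 jump (the page only says the first 8 bytes are replaced with a jump), and the two PE images it examines are constructed fixtures built by the script itself, not real FunLove samples.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (entry_point_rva, [section dicts]) for a PE32 image as stored on disk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    sections, off = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, raw, _r, _l, _nr, _nl, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize, "chars": chars})
        off += 40
    return entry, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def funlove_style_indicators(data: bytes) -> dict:
    """Heuristic: entry point starts with JMP rel32 whose target lies in the file's
    last section, which is marked executable, and the entry point itself is in a
    different section. A clean image normally enters in .text and stays there."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    entry_sec = section_for_rva(sections, entry)
    result = {"entry_section": entry_sec["name"] if entry_sec else None,
              "jmp_target_section": None,
              "last_section_executable": bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE),
              "suspect": False}
    if entry_sec is None:
        return result
    off = entry_sec["raw"] + (entry - entry_sec["va"])       # RVA -> file offset
    if off + 5 <= len(data) and data[off] == 0xE9:
        rel32 = struct.unpack_from("<i", data, off + 1)[0]
        target = entry + 5 + rel32
        target_sec = section_for_rva(sections, target)
        result["jmp_target_section"] = target_sec["name"] if target_sec else None
        result["suspect"] = (target_sec is last and entry_sec is not last
                             and result["last_section_executable"])
    return result


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 (test fixture only; not loadable by Windows).
    sections: list of (name, virtual_address, raw_bytes, characteristics)."""
    n = len(sections)
    first_raw = (0x40 + 4 + 20 + 0xE0 + 40 * n + 0x1FF) & ~0x1FF   # 0x200-aligned
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)  # i386, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = bytearray(), bytearray()
    for name, va, raw_bytes, chars in sections:
        rsize = (len(raw_bytes) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(raw_bytes),
                             va, rsize, first_raw + len(body), 0, 0, 0, 0, chars)
        body += raw_bytes.ljust(rsize, b"\0")
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table)
    return headers.ljust(first_raw, b"\0") + bytes(body)


def jmp_rel32(from_rva: int, to_rva: int) -> bytes:
    return b"\xE9" + struct.pack("<i", to_rva - (from_rva + 5))


TEXT = IMAGE_SCN_MEM_EXECUTE | 0x20    # CODE | EXECUTE
DATA = IMAGE_SCN_MEM_WRITE | 0x40      # INITIALIZED_DATA | WRITE

# Fixtures: a clean layout, and the same layout after a FunLove-style infection
# (body appended to the last section, which is now executable, and the first
# bytes at the entry point replaced by a JMP into it).
CLEAN = build_pe([(".text", 0x1000, b"\x55\x8B\xEC\x33\xC0\xC9\xC3", TEXT),
                  (".data", 0x2000, b"\x00" * 16, DATA)], 0x1000)
INFECTED = build_pe([(".text", 0x1000, jmp_rel32(0x1000, 0x2010) + b"\xC9\xC3", TEXT),
                     (".data", 0x2000, b"\x00" * 16 + b"\xCC" * 32, DATA | IMAGE_SCN_MEM_EXECUTE)],
                    0x1000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, funlove_style_indicators(image))
```

    The check is a heuristic, not a signature: entry points that begin with a jump are common, which is why the jump must leave the entry section and land in an executable final section before the file is flagged. The 4099-byte growth mentioned above can only be confirmed against a size or hash baseline of the same files taken before the outbreak.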

       
     

    Indications Of Infection

    1) Increase in size by 4099 bytes under Windows 9x/ME, and under Windows NT/2K/XP a variable length increase of at least 4099 bytes.

    2) Display of the "~Fun Loving Criminal~" Message.

    3) The existence of the file FLCSS.EXE in the Windows system folder.

    4) Activity on both local hard disks and over the network as the virus looks for new victims to infect.

    5) Authenticode-signed ActiveX controls (OCX files) warn that the signature no longer matches the file, because the virus has modified them.

     

    Removal Instructions

    Cleaning this virus requires using SCAN.EXE with a minimum engine of v4.0.70, in combination with VirusScan or NetShield 4.5 product.

    Command Line Stand Alone W32/FunLove.4099 Virus Remover

    On WinNT/2K/XP, the patched NTOSKRNL.EXE and NTLDR must be restored from a known-good backup or installation source matching the installed version to close the security hole created by FunLove; cleaning the infected executables alone leaves every user with full access to the system.

    Removal of the FUNLOVE Virus Worm in an Enterprise Environment (.RTF).

    For Bootscan,
    Using a clean system, extract this update and copy over existing emergency boot disk files.

    This virus can be cleaned off any hard drives using an emergency disk made from a known clean system.

    The cleaned system must remain disconnected from any network until all the remaining systems have been scanned and cleaned. You will need to boot from a clean floppy with the emergency repair product on each system, including Microsoft servers.

    The virus in any infected system will infect other systems on the same network that "share" disk space. It additionally is memory resident and will re-infect all systems that share disk space with it as fast as you clean them if connected to the network during or after cleaning.

    Cleaning Windows 9x/ME, WinNT/2K/XP FAT systems:
    Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCAN.EXE C: /CLEAN /ALL"

    Cleaning Windows NT/2K/XP NTFS systems


     

    Variants

    Name (Type, Sub Type): Differences

    W32/FunLove.app (Virus, Win32): Added to the 4112 DATs and improved in the 4115 DATs. Detection is for samples which contain the body of the FunLove virus in an inactive form, so the virus cannot replicate. The body is found at the end of a PE file (Windows EXE file). It can be removed.
     

    4. W32/Klez.h@MM

    Virus Characteristics

    W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

    • W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
    • the worm has the ability to spoof the From: field (often set to an address found on the victim's machine).
    • the worm attempts to terminate running processes (mainly antivirus programs) whose names contain any of the following strings:
      • _AVP32
      • _AVPCC
      • NOD32
      • NPSSVC
      • NRESQ32
      • NSCHED32
      • NSCHEDNT
      • NSPLUGIN
      • NAV
      • NAVAPSVC
      • NAVAPW32
      • NAVLU32
      • NAVRUNR
      • NAVW32
      • _AVPM
      • ALERTSVC
      • AMON
      • AVP32
      • AVPCC
      • AVPM
      • N32SCANW
      • NAVWNT
      • ANTIVIR
      • AVPUPD
      • AVGCTRL
      • AVWIN95
      • SCAN32
      • VSHWIN32
      • F-STOPW
      • F-PROT95
      • ACKWIN32
      • VETTRAY
      • VET95
      • SWEEP95
      • PCCWIN98
      • IOMON98
      • AVPTC
      • AVE32
      • AVCONSOL
      • FP-WIN
      • DVP95
      • F-AGNT95
      • CLAW95
      • NVC95
      • SCAN
      • VIRUS
      • LOCKDOWN2000
      • Norton
      • Mcafee
      • Antivir

    The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
      350.bak.scr
      bootlog.jpg
      user.xls.exe

    The worm may also copy itself into RAR archives, for example:
      HREF.mpeg.rar
      HREF.txt.rar
      lmbtt.pas.rar

    The worm mails itself to email addresses in the Windows Address Book, and to addresses extracted from files on the victim's machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

    Subject: A very funny website
    or Subject: Undeliverable mail--
    or Subject: Returned mail--
    or Subject: A WinXP patch
    or Subject: A IE 6.0 patch
    or Subject: W32.Elkern removal tools
    or Subject: W32.Klez.E removal tools

    The file attachment name is again generated randomly, and ends with an .exe, .scr, .pif, or .bat extension, for example:
      ALIGN.pif
      User.bat
      line.bat

    Because of the exploit described above, simply opening or previewing the message in a vulnerable mail client can infect the victim's machine.

    W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

    Subject: Worm Klez.E Immunity
    Body:

    The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

    • .txt
    • .htm
    • .html
    • .wab
    • .asp
    • .doc
    • .rtf
    • .xls
    • .jpg
    • .cpp
    • .c
    • .pas
    • .mpg
    • .mpeg
    • .bak
    • .mp3
    • .pdf
    This payload can result in confidential documents being sent to third parties.
     

    Indications Of Infection

    • Randomly/oddly named files on network shares, as described above.
    • Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
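    The persistence points named across these descriptions (the Elkern AppInit_DLLs value and WQK.EXE run entry, the Nimda Shell= line in SYSTEM.INI, and the Klez.h WINKxxx.EXE value under Run) can be triaged offline from a REGEDIT export and a copy of SYSTEM.INI, which is often the first thing available from a machine that cannot run a scanner. The following Python script is an added example, not code from the original page or from AVERT. Its .reg and SYSTEM.INI inputs are constructed for the example; the Run-key location of the Elkern Win9x/ME entry and the length of the random "xxx" in WINKxxx.EXE are assumptions, as is the list of executable extensions used to judge the oddly named share files described above.

```python
import re

# Locations named in the descriptions above. The Elkern Win9x/ME entry is
# described only as "a Registry run entry"; treating it as a Run value is an assumption.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
# WQK.EXE / WQK.DLL (Elkern) and WINKxxx.EXE (Klez.h); the length of "xxx" is assumed.
SUSPECT_BINARY = re.compile(r"(^|[\\/])(wqk\.(exe|dll)|wink[a-z0-9]{1,8}\.exe)$", re.I)
# Final extensions that make a double-extension share file worth a look (assumed set;
# .rar is included because the worm also copies itself into RAR archives).
DROP_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".rar")


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT export (.reg) into {key_path: {value_name: data}}.
    Quoted string data is unescaped; dword:/hex: data is kept verbatim and hex
    continuation lines are not joined, which is enough for Run and AppInit values."""
    keys, current = {}, None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"')
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def persistence_findings(reg: dict, system_ini: str) -> list:
    """Return (location, value) pairs that match the persistence artifacts above."""
    findings = []
    appinit = reg.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if appinit.strip():                        # Elkern sets this to Wqk.dll on NT/2000/XP;
        findings.append(("AppInit_DLLs", appinit))   # any non-empty value deserves review
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if SUSPECT_BINARY.search(data.strip('"')):
                findings.append((f"Run\\{name}", data))
    for line in system_ini.splitlines():       # Nimda: Shell=explorer.exe load.exe -dontrunold
        m = re.match(r"^\s*shell\s*=\s*(.*)$", line, re.I)
        if m and [t.lower() for t in m.group(1).split()] != ["explorer.exe"]:
            findings.append(("SYSTEM.INI [boot] Shell", m.group(1).strip()))
    return findings


def odd_share_filename(name: str) -> bool:
    """Klez-style share drops carry a double extension ending in an executable or
    archive type (user.xls.exe, 350.bak.scr, HREF.txt.rar). A single-extension decoy
    such as bootlog.jpg cannot be judged by name alone and is not flagged."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in DROP_EXTENSIONS


# Constructed inputs (not exports taken from an infected machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="Wqk.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Wink4f2"="C:\\WINDOWS\\SYSTEM\\WINK4F2.EXE"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for location, value in persistence_findings(parse_reg_export(SAMPLE_REG), SAMPLE_SYSTEM_INI):
        print(f"{location}: {value}")
    for fname in ("350.bak.scr", "bootlog.jpg", "user.xls.exe", "HREF.txt.rar"):
        print(fname, "->", "odd" if odd_share_filename(fname) else "ok")
```

    Run it against `reg export` output (Windows NT family) or a REGEDIT /E export (Win9x/ME) plus the machine's SYSTEM.INI. Anything it reports still needs the file itself inspected or scanned: the names are what the page documents for these families, and a later variant can rename its dropped file without changing the persistence location, so the empty-AppInit_DLLs and Shell=explorer.exe-only checks are the ones that generalise.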
     

    Removal Instructions

    Use current engine and DAT files for detection.

    Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

    This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

    Alternatively, the following steps will circumvent the virus and allow proper VirusScan scanning/removal using the command-line scanner.
    1. Ensure that you are using the minimum DAT specified or higher.
    2. Close all running applications
    3. Disconnect the system from the network
    4. Go to a command prompt, then change to the VirusScan engine directory:
      • Win9x/ME - Click START | RUN, type command and hit ENTER.
        Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
      • WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
        Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
    5. Rename SCAN.EXE to CLEAN.EXE so that its process name no longer matches the "SCAN" string on the kill list above and the virus cannot terminate it or delete its files. Type ren scan.exe clean.exe and hit ENTER
    6. First, scan the system directory
      • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
      • WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
    7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
    8. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
    9. After scanning and removal is complete, reboot the system

    Apply Internet Explorer patch if necessary.

    Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

    Additional Windows ME/XP removal considerations


    5. W32/Nimda.gen@MM

    Virus Characteristics

    --- Update November 09, 2001 ---
    A new variant was recently discovered (some call it Nimda.G) which functions the same as the .D and .E variant. The 4163-4169 DATs detect this as a variant of W32/Nimda@MM.

    --- Update October 29, 2001 ---
    A new variant was discovered today (some call it Nimda.D while others refer to it as Nimda.E) which functions much the same as the original version. The 4162 DATs (or greater) detect this variant as W32/Nimda.a@MM.

    --- Update October 26, 2001 ---
    The risk assessment was lowed to Medium due to a reduction in prevalence.

    --- Update October 12, 2001 ---
    A new variant was discovered today which functions much the same as the original version. Detection is included in the current DAT release. This variant is considered to be a LOW risk.

    --- Update October 5, 2001 ---
    A new variant was discovered today which functions much the same as the original version. However this variant is packed with a PE packer and the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively. Detection for this new variant is included the 4165 DAT release. This variant is considered to be a LOW risk.

    This threat can infect all unprotected users of Win9x/NT/2000/ME.

    Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable.

    All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.

    All IIS administrators (and Win2K users who may not know they are running IIS), who have not already done so, should also install this patch (August 15, 2001 Cumulative Patch for IIS)

    This worm virus infects using several methods including: mass-mailing, network share propagation, the Microsoft Web Folder Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft incorrect MIME Header vulnerability. It also attempts to create network shares, and utilize the backdoor created by the W32/CodeRed.c worm

    The email subject line varies, message body is blank, and attachment name varies (most often README.EXE) and may use the icon for an Internet Explorer HTML document.

    The most significant methods of propagation are as follows:

  • The email messages created by the worm specify a content-type of audio/x-wav and contain an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge. Simply viewing the page in Microsoft Outlook or Microsoft Outlook Express using the preview pane can infect you. Other mail clients can still receive these email messages, but double-clicking the attachment would be required to execute the virus.

  • When infecting, it appends .ASP, .HTM, and .HTML documents, and files named INDEX, MAIN, and DEFAULT, with javascript code which contains instructions to open a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected web page is accessed (locally or remotely) the machine viewing the page is infected. In other words, simply visiting a web site that is compromised can infect your computer.

  • When infecting, it creates network shares for each local drive as %$ (where % = the drive letter that is being shared). On Win9x/ME system this is configured as a full share with no password. On WinNT/2K system the user GUEST is given permission to the share and added to the group ADMINISTRATORS as well as GUESTS. A reboot is required in order for these shares to get created. When the virus finds an open share, it copies itself to each folder on the drive in .EML format as described later on in this description. This can include the START UP folder.

  • The worm scans IP addresses looking for IIS servers to infect via the Web Folder Transversal vulnerability by sending a malformed GET request. This causes vulnerable machines to initiate a TFTP session to download ADMIN.DLL from the machine which sent the request. Once downloaded the remote system is instructed to execute the DLL which infects that machine. In the event that the TFTP session fails to connect, multiple files (TFTP*) are created in the WINDOWS TEMP directory. These files are simply copies of the worm. It also tries to use the backdoor created by W32/CodeRed.c to infect.

  • .EXE files are prepended with the worm code.

  • Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HMTL documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.

    Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

    It may copy itself to the WINDOWS SYSTEM directory as LOAD.EXE and create a SYSTEM.INI entry to load itself at startup:
    Shell=explorer.exe load.exe -dontrunold

    Additional information:

    - A MIME encoded version of the worm is created in each folder on the system (often as README.EML or DESKTOP.EML, can also be .NWS files). This can create a lot of files and in some cases even fill up a hard disk.
    - The WININIT.INI file may be used to delete specific worm files upon reboot:
    NUL=C:\WINDOWS\TEMP\MEP52b0.TMP.exe
    - Registry key values are created/changed to hide files:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\HideFileExt
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\Hidden
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Explorer\Advanced\ShowSuperHidden

    - A registry key branch is deleted to remove share security under WinNT/2K
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      lanmanserver\Shares\Security

    - The worm saves a copy of itself to C:\, D:\, and E:\ as ADMIN.DLL

    Note: a valid ADMIN.DLL does exist and is part of the Microsoft FrontPage Server Extentsions functionality

    - Filenames for the worm include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL, MEP*.TMP.EXE

    Note: applications which utilize the rich text format, such as Microsoft Word and Wordpad, call this RICHED20.DLL file. As such, the worm is executed when a dependant program is run. There is typically a valid RICHED20.DLL file in the WINDOWS SYSTEM directory, but this is overwritten by the virus. Additionally, the virus may also save itself as RICHED20.DLL in directories which contain .DOC files when infecting via network shares. This will result in that infected .DLL being called when a machine accesses that .DOC file.

    Note: MMC.EXE is the name for the Microsoft Management Console application. It has been reported that the worm can in fact overwrite this file.

    The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China


    Indications Of Infection

  • Presence of the files C:\ADMIN.DLL, D:\ADMIN.DLL, and E:\ADMIN.DLL
  • Presence of many .EML files with the same name (typically README.EML or DESKTOP.EML)
  • Network shares that are unexpectedly open (share security removed, as described above)
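    The artifacts listed above (the Shell= line in SYSTEM.INI, the WININIT.INI NUL= deletion, the three Explorer hiding values and the dropped filenames) can be checked mechanically. The Python below is an added example, not McAfee/AVERT code or tooling from this page: it works on exported INI text, a dictionary of registry values and a file listing, all constructed here, and assumes the clean Explorer settings are HideFileExt=0, Hidden=1 and ShowSuperHidden=1 (standard Explorer semantics, not stated on this page).

```python
# Added example (not McAfee/AVERT code): check the Nimda host artifacts listed
# above against INI text, Explorer registry values and a file listing. All
# inputs below are constructed for the demonstration.
import fnmatch
import re
from collections import Counter

# Constructed SYSTEM.INI and WININIT.INI contents from an infected Win9x host.
SYSTEM_INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
WININIT_INI = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEP52b0.TMP.exe\n"
# Constructed REG_DWORD data under HKCU\...\Explorer\Advanced.
EXPLORER_ADVANCED = {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0}
# Constructed result of walking the local drives.
FILE_LISTING = [
    r"C:\ADMIN.DLL", r"D:\ADMIN.DLL",
    r"C:\Docs\report.doc", r"C:\Docs\RICHED20.DLL", r"C:\Docs\README.EML",
    r"C:\WINDOWS\SYSTEM\RICHED20.DLL", r"C:\WINDOWS\SYSTEM\LOAD.EXE",
    r"C:\WINDOWS\TEMP\MEP52b0.TMP.EXE", r"C:\My Documents\DESKTOP.EML",
]


def ini_values(text, section, key):
    """Every value of `key` inside [section] of INI-style text (case-insensitive)."""
    found, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line and current == section.lower():
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                found.append(v.strip())
    return found


def extra_shell_programs(system_ini):
    """Programs after explorer.exe on the Shell= line run at every boot; a clean
    Win9x SYSTEM.INI carries only explorer.exe there. Switches (-dontrunold)
    are dropped so only program names come back."""
    extra = []
    for value in ini_values(system_ini, "boot", "Shell"):
        extra += [t for t in value.split()[1:] if not t.startswith("-")]
    return extra


def pending_deletions(wininit_ini):
    """[rename] entries whose destination is NUL delete the source file at reboot."""
    return ini_values(wininit_ini, "rename", "NUL")


def hiding_changes(advanced):
    """Explorer values the worm flips so its files stay out of sight. Assumed
    clean settings: HideFileExt=0, Hidden=1 (show hidden), ShowSuperHidden=1."""
    clean = {"HideFileExt": 0, "Hidden": 1, "ShowSuperHidden": 1}
    return {k: advanced.get(k) for k, good in clean.items() if advanced.get(k) != good}


def file_indicators(paths):
    """Match the filenames given above. RICHED20.DLL counts only when it sits in
    a folder that also holds .DOC files (the Word/WordPad hijack described);
    MMC.EXE also names the legitimate Management Console, so a hit there still
    needs a scan of the file."""
    hits = {"admin_dll_root": [], "eml_nws": Counter(), "worm_names": [], "riched20_with_docs": []}
    doc_dirs = {p.upper().rsplit("\\", 1)[0] for p in paths if p.upper().endswith(".DOC")}
    for p in paths:
        folder, name = p.upper().rsplit("\\", 1)
        if re.fullmatch(r"[A-Z]:\\ADMIN\.DLL", p.upper()):
            hits["admin_dll_root"].append(p)
        if name.endswith((".EML", ".NWS")):
            hits["eml_nws"][name] += 1
        if name in {"LOAD.EXE", "MMC.EXE", "README.EXE"} or fnmatch.fnmatchcase(name, "MEP*.TMP.EXE"):
            hits["worm_names"].append(p)
        if name == "RICHED20.DLL" and folder in doc_dirs:
            hits["riched20_with_docs"].append(p)
    return hits


if __name__ == "__main__":
    print("Shell= extras:", extra_shell_programs(SYSTEM_INI))
    print("deleted at reboot:", pending_deletions(WININIT_INI))
    print("hiding changes:", hiding_changes(EXPLORER_ADVANCED))
    print("file hits:", file_indicators(FILE_LISTING))
```

    On a real host the INI text would come from the files themselves, the registry values from a .REG export, and the listing from a walk of every local drive, including the _Restore folder mentioned further down.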

    Removal Instructions

    Removing this threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.

    Infected systems must:

  • apply the patches below
  • close any network shares prior to cleaning
  • exit any running applications
  • Stop a running IIS server
  • Scan and clean each drive
  • Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.

    Failure to take these actions may result in reinfection.

    Applying patches

    All users running Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), are advised to install this Microsoft patch for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.

    All IIS administrators (and Win2K users who may not know they are running IIS), who haven't already done so, should also install this Microsoft patch (August 15, 2001 Cumulative Patch for IIS)

    Scanning/Removal

    In cases where users with VirusScan and NetShield 4.5 or 4.51 have altered the "default extension list/program files extension list", the following package is required to scan files with extensions longer than 3 characters, and is required for complete detection of this threat where the extension list has been customized:
    EXTFIX1.EXE patch. Please review the README.TXT file first.

    As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list ("Program files" or "Default files") should be used.

    Additionally Win9x users should remove the text: load.exe -dontrunold from the SYSTEM.INI file.

    Stand Alone Removal Tool

    Please note that VirusScan and NetShield products will detect and remove the virus and the files it affects. They will NOT remove the network shares or the guest account created by W32/Nimda@MM.

    Users that would like to have these changes removed automatically can use the AVERT NimdaScan (current version 2.0) program located on the AVERT Tools Page. Please follow the instructions in the README.TXT when using the program.

    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore".

    Protect your desktops by subscribing to VirusScan ASaP.


    Variants

    Name             Type    Sub Type        Differences
    W32/Nimda.b@MM   Virus   Internet Worm   Packed with a PE packer; the filenames README.EXE and README.EML are replaced with PUTA!!.SCR and PUTA!!.EML respectively.
    W32/Nimda.d@MM   Virus   Internet Worm   Uses different filenames: README.EXE is now SAMPLE.EXE, MMC.EXE is now CSRSS.EXE, ADMIN.DLL is now HTTPODBC.DLL.
    W32/Nimda.e@MM   Virus   Internet Worm   Functionally the same as the D variant; minor differences only.
    W32/Nimda.f@MM   Virus   Internet Worm   Functionally the same as the D variant; minor differences only.
    W32/Nimda.g@MM   Virus   Internet Worm   Functionally the same as the D variant; minor differences only.

    6. W32/Sobig@MM

    Virus Characteristics

    -- Update January 15, 2003 --
    This threat was downgraded due to a decrease in prevalence over the past 24 hours.

    -- Update January 14, 2003 --
    It was discovered that in some cases the virus attachment may arrive with a filename having a ".PI" extension instead of ".PIF" (such a file is not executed when double-clicked). This extension is added to the default extension list in the 4243 DATs.

    -- Update January 11, 2003 --
    This threat was upgraded to a Medium risk due to an increase in prevalence over the past 36 hours.

    -- Update January 10, 2003 --
    This threat is considered to be Low-Profiled due to The Inquirer article
    Four viral worms spreading across the Windows Web

    This worm is written in MSVC and attempts to spread via network shares and email. The worm contains its own SMTP engine.

    Email Propagation

    Outgoing messages are formatted as follows:

    From: big@boss.com
    Subject: One of the following:
    • Re: Movies
    • Re: Sample
    • Re: Document
    • Re: Here is that sample
    Attachment: 65,536 bytes with one of the following filenames:
    • Movie_0074.mpeg.pif
    • Document003.pif
    • Untitled1.pif
    • Sample.pif

    Email addresses may be harvested from files on the victim machine with the following extensions:

    • WAB
    • DBX
    • HTM
    • HTML
    • EML
    • TXT
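    The fixed sender, the subject pool, the attachment names and the 65,536-byte size above are enough for a gateway rule. The Python below is an added example, not McAfee code: it parses raw messages with the standard library, also catches the truncated ".PI" extension from the January 14 update, and applies a block/quarantine/deliver policy of my own (the thresholds are assumptions, not something this page specifies). The three sample messages are constructed inside the block.

```python
# Added example (not McAfee code): gateway triage for W32/Sobig@MM mail built
# from the indicators given above. Sample messages are constructed below.
from email import message_from_bytes, policy
from email.message import EmailMessage

SOBIG_FROM = "big@boss.com"
SOBIG_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
SOBIG_NAMES = {"movie_0074.mpeg.pif", "document003.pif", "untitled1.pif", "sample.pif"}
SOBIG_SIZE = 65536


def sobig_indicators(raw):
    """Return the list of Sobig indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SOBIG_FROM in str(msg.get("From", "")).lower():
        hits.append("from:big@boss.com")
    if str(msg.get("Subject", "")) in SOBIG_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # January 14 update: some copies arrive with the extension cut to ".PI".
        if name.endswith((".pif", ".pi")):
            hits.append("pif-attachment")
        if name in SOBIG_NAMES:
            hits.append("known-name:" + name)
        if len(payload) == SOBIG_SIZE:
            hits.append("size-65536")
    return hits


def verdict(raw):
    """Assumed policy: block on the hard indicators (the fixed sender, or a
    65,536-byte PIF/PI attachment); quarantine when two softer ones line up;
    otherwise deliver."""
    hits = set(sobig_indicators(raw))
    if "from:big@boss.com" in hits or {"pif-attachment", "size-65536"} <= hits:
        return "block"
    return "quarantine" if len(hits) >= 2 else "deliver"


def build_message(sender, subject, filename, size):
    """Constructed sample message with a binary attachment of `size` bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.org", subject
    m.set_content("see attachment")
    m.add_attachment(b"MZ" + b"\x00" * (size - 2), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a worm copy, a ".PI"-truncated copy with a forged
# sender, and a legitimate message whose PDF happens to be 65,536 bytes.
WORM = build_message("big@boss.com", "Re: Movies", "Movie_0074.mpeg.pif", 65536)
TRUNCATED = build_message("alice@example.com", "Re: Sample", "Sample.pi", 65536)
BENIGN = build_message("alice@example.com", "Q3 numbers", "q3.pdf", 65536)

if __name__ == "__main__":
    for label, raw in (("worm", WORM), ("truncated", TRUNCATED), ("benign", BENIGN)):
        print(label, verdict(raw), sobig_indicators(raw))
```

    The size match on its own is deliberately not enough to block, since any 64 KiB attachment would trip it; it only becomes decisive together with the PIF/PI extension.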

    Network Propagation

    The worm enumerates shares on the network, intending to copy itself to one of the following folders on remote machines:

    \WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP

    or

    \DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP    

    Indications Of Infection

    • Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes.
    • Existence of the file SNTMLS.DAT in the Windows directory
    • Existence of the file DWN.DAT in the Windows directory

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection. Delete any file which contains this detection.

    Additional Windows ME/XP removal considerations

    Protect your desktops by subscribing to VirusScan ASaP.

    7. JS/Seeker.gen.e

    Virus Characteristics

    -- Update October 5, 2001 --
    AVERT has seen an increase in the number of encoded JS/Seeker samples since the release of the 4.1.50 scan engine. This is due to new decoding methods used by the engine. The majority of these samples also exploit a Microsoft virtual machine vulnerability.

    This trojan alters the default startup and search pages for your web browser. The Windows Scripting Host must be installed for the trojan to run. It is believed that a script generating program may be involved in the creation of this trojan, which allows the author to specify different parameters. As there are many variants of this threat, your personal experiences may vary from those mentioned here. The trojan may arrive as a file named "runme.hta". Opening this file makes several registry changes to your system, such as:

    HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    HKCU\Software\Netscape\Netscape Navigator\Main\Home Page

    Original registry values are saved to the files "HOMEREG111.REG", "BACKUP1.REG", and "BACKUP2.REG" in the WINDOWS directory.
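    Because Seeker saves the original values before overwriting them, the backup .REG file it leaves behind is the cleanest source for restoring the start and search pages. The Python below is an added example, not AVERT code: it parses a REGEDIT4-format backup, compares it with the current values of the three keys named above, and emits a .REG file that puts the originals back. The HOMEREG111.REG contents and the hijack URLs are constructed for the demonstration.

```python
# Added example (not AVERT code): recover the browser start/search pages that
# JS/Seeker overwrote from the backup .REG file it writes, and produce the
# restore. Backup text and current values are constructed below.
import re

# Constructed HOMEREG111.REG as written before the values were changed.
HOMEREG111 = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.example.com/"
"Default_Search_URL"="http://search.example.com/"
"Start Page"="http://www.example.com/"

[HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main]
"Home Page"="http://www.example.com/"
'''

# The three values the description says runme.hta changes.
SEEKER_TARGETS = [
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL",
    r"HKCU\Software\Netscape\Netscape Navigator\Main\Home Page",
]

# Constructed current values after the trojan ran (hijack URLs are assumed).
CURRENT = {
    SEEKER_TARGETS[0]: "http://hijack.invalid/",
    SEEKER_TARGETS[1]: "http://hijack.invalid/search",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "http://www.example.com/",
    SEEKER_TARGETS[2]: "http://hijack.invalid/",
}

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def parse_reg(text):
    """Parse REGEDIT4/5 string values into {hive\\key\\name: data}.
    Only REG_SZ lines ("name"="data") are handled; that is all Seeker backs up."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU", 1)
            continue
        m = _VALUE_LINE.fullmatch(line)
        if key and m:
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[f"{key}\\{name}"] = data
    return values


def restore_plan(backup_text, current):
    """Targeted values whose current data differs from the backup."""
    backup = parse_reg(backup_text)
    return {p: backup[p] for p in SEEKER_TARGETS
            if p in backup and current.get(p) != backup[p]}


def restore_reg(plan):
    """Emit a REGEDIT4 file that writes the backed-up values back."""
    by_key = {}
    for path, data in plan.items():
        key, name = path.rsplit("\\", 1)
        by_key.setdefault(key.replace("HKCU", "HKEY_CURRENT_USER", 1), []).append((name, data))
    out = ["REGEDIT4", ""]
    for key, items in by_key.items():
        out.append(f"[{key}]")
        for name, data in items:
            out.append(f'"{name}"="{data.replace(chr(92), chr(92) * 2).replace(chr(34), chr(92) + chr(34))}"')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(restore_reg(restore_plan(HOMEREG111, CURRENT)))
```

    Check the recovered URLs before importing the file: if the machine was hijacked more than once, the "original" in the backup may itself be an earlier hijack.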

    Users may also see a slightly different version of this threat, detected as Reg/Seeker. The only difference is that Reg/Seeker resides in a *.reg file rather than in a JavaScript file.

    Indications Of Infection

    - Altered startup and search pages when launching web browser
    - Presence of "runme.hta", "removeit.hta", or "homereg111.reg"


    Removal Instructions

    Use specified engine and DAT files for detection and removal.

    - Delete detected files
    - Restore desired Internet Explorer Start and Search pages
    - Install the Microsoft virtual machine vulnerability patch.

    Protect your desktops by subscribing to VirusScan ASaP.

    8. W32/Klez.rar

    Virus Characteristics

    W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

    • W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
    • the worm has the ability to spoof the From: field (often set to an address found on the victim's machine).
    • the worm attempts to unload several processes (antivirus programs) from memory including those containing the following strings:
      • _AVP32
      • _AVPCC
      • NOD32
      • NPSSVC
      • NRESQ32
      • NSCHED32
      • NSCHEDNT
      • NSPLUGIN
      • NAV
      • NAVAPSVC
      • NAVAPW32
      • NAVLU32
      • NAVRUNR
      • NAVW32
      • _AVPM
      • ALERTSVC
      • AMON
      • AVP32
      • AVPCC
      • AVPM
      • N32SCANW
      • NAVWNT
      • ANTIVIR
      • AVPUPD
      • AVGCTRL
      • AVWIN95
      • SCAN32
      • VSHWIN32
      • F-STOPW
      • F-PROT95
      • ACKWIN32
      • VETTRAY
      • VET95
      • SWEEP95
      • PCCWIN98
      • IOMON98
      • AVPTC
      • AVE32
      • AVCONSOL
      • FP-WIN
      • DVP95
      • F-AGNT95
      • CLAW95
      • NVC95
      • SCAN
      • VIRUS
      • LOCKDOWN2000
      • Norton
      • Mcafee
      • Antivir

    The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
      350.bak.scr
      bootlog.jpg
      user.xls.exe

    The worm may also copy itself into RAR archives, for example:
      HREF.mpeg.rar
      HREF.txt.rar
      lmbtt.pas.rar

    The worm mails itself to email addresses in the Windows Address Book, and to addresses extracted from files on the victim's machine. It arrives in an email message whose subject and body are composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

    Subject: A very funny website
    or Subject: Undeliverable mail--
    or Subject: Returned mail--
    or Subject: A WinXP patch
    or Subject: A IE 6.0 patch
    or Subject: W32.Elkern removal tools
    or Subject: W32.Klez.E removal tools

    The file attachment name is again generated randomly, and ends with an .exe, .scr, .pif, or .bat extension, for example:
      ALIGN.pif
      User.bat
      line.bat

    Because of the exploit described above, simply opening or previewing the message in a vulnerable mail client can infect the victim's machine.

    W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used. Below is the message sent by the virus itself.

    Subject: Worm Klez.E Immunity
    Body:

    The worm may send a clean document in addition to the infected file. A document found on the hard disk with one of the following extensions is sent:

    • .txt
    • .htm
    • .html
    • .wab
    • .asp
    • .doc
    • .rtf
    • .xls
    • .jpg
    • .cpp
    • .c
    • .pas
    • .mpg
    • .mpeg
    • .bak
    • .mp3
    • .pdf
    This payload can result in confidential information being sent to others.

    Indications Of Infection

    • Randomly/oddly named files on network shares, as described above.
    • Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Removal Instructions

    Use current engine and DAT files for detection.

    Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

    This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

    Alternatively, the following steps circumvent the virus and allow proper VirusScan scanning/removal using the command-line scanner.
    1. Ensure that you are using the minimum DAT specified or higher.
    2. Close all running applications
    3. Disconnect the system from the network
    4. Go to a command prompt, then change to the VirusScan engine directory:
      • Win9x/ME - Click START | RUN, type command and hit ENTER.
        Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
      • WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
        Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
    5. Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
    6. First, scan the system directory
      • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
      • WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
    7. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
    8. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
    9. After scanning and removal is complete, reboot the system
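    Two things in this entry are worth turning into checks: the name-based process killing (which is also why step 5 renames SCAN.EXE to CLEAN.EXE), and the share-file and Run-key artifacts under Indications Of Infection. The Python below is an added example, not AVERT or McAfee code. It assumes the kill-list comparison is a case-insensitive substring test on the process name (the page lists the strings but not the comparison), and the process list, share listing and Run-key values are constructed; the Run value name in particular is made up, since the page does not give it.

```python
# Added example (not AVERT/McAfee code). Process list, share listing and
# Run-key values are constructed; the kill-list comparison is assumed to be a
# case-insensitive substring match on the process name.
import re

# The strings listed above; a process whose name contains any of them is killed.
KLEZ_KILL_LIST = [
    "_AVP32", "_AVPCC", "NOD32", "NPSSVC", "NRESQ32", "NSCHED32", "NSCHEDNT",
    "NSPLUGIN", "NAV", "NAVAPSVC", "NAVAPW32", "NAVLU32", "NAVRUNR", "NAVW32",
    "_AVPM", "ALERTSVC", "AMON", "AVP32", "AVPCC", "AVPM", "N32SCANW", "NAVWNT",
    "ANTIVIR", "AVPUPD", "AVGCTRL", "AVWIN95", "SCAN32", "VSHWIN32", "F-STOPW",
    "F-PROT95", "ACKWIN32", "VETTRAY", "VET95", "SWEEP95", "PCCWIN98", "IOMON98",
    "AVPTC", "AVE32", "AVCONSOL", "FP-WIN", "DVP95", "F-AGNT95", "CLAW95", "NVC95",
    "SCAN", "VIRUS", "LOCKDOWN2000", "Norton", "Mcafee", "Antivir",
]


def would_be_killed(process_name):
    """Assumed matching rule: case-insensitive substring on the process name."""
    up = process_name.upper()
    return any(s.upper() in up for s in KLEZ_KILL_LIST)


def surviving_scanners(process_names):
    """Which processes outlive the worm's kill loop. SCAN.EXE matches "SCAN";
    the renamed CLEAN.EXE matches nothing, which is what step 5 relies on."""
    return [p for p in process_names if not would_be_killed(p)]


# name.ext.exe / name.ext.scr / ... and the HREF.mpeg.rar style archive names.
DOUBLE_EXT = re.compile(r"^[^.\\]+\.[a-z0-9]{1,4}\.(exe|scr|pif|bat|rar)$", re.I)


def suspicious_share_files(names):
    """Double-extension names ending in an executable type or a .rar wrapping a
    second extension. Single-extension copies such as bootlog.jpg cannot be
    spotted by name; that needs a content scan."""
    return [n for n in names if DOUBLE_EXT.match(n)]


WINK_RE = re.compile(r"(?:^|\\)WINK[^\\]*\.EXE$", re.I)


def klez_run_entries(run_values):
    """Run-key values whose command is a WINKxxx.EXE. The first whitespace-
    delimited token is taken as the program; quoted paths containing spaces
    would need proper tokenising."""
    hits = {}
    for name, cmd in run_values.items():
        program = (cmd.split() or [""])[0].strip('"')
        if WINK_RE.search(program):
            hits[name] = cmd
    return hits


# Constructed inputs.
PROCESSES = ["scan.exe", "clean.exe", "vshwin32.exe", "explorer.exe", "winword.exe"]
SHARE_FILES = ["350.bak.scr", "bootlog.jpg", "user.xls.exe", "HREF.mpeg.rar",
               "report.xls", "setup.exe"]
RUN_VALUES = {  # value names are constructed; the page gives only the file name pattern
    "Wink4f2": r"C:\WINNT\SYSTEM32\WINK4F2.EXE",
    "ctfmon.exe": r"C:\WINNT\SYSTEM32\ctfmon.exe",
}

if __name__ == "__main__":
    print("survivors:", surviving_scanners(PROCESSES))
    print("share files:", suspicious_share_files(SHARE_FILES))
    print("run entries:", klez_run_entries(RUN_VALUES))
```

    The substring rule is also why legitimate processes with "NAV" or "SCAN" in their names disappear on an infected machine, which is itself a usable symptom.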

    Apply Internet Explorer patch if necessary.

    Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

    Additional Windows ME/XP removal considerations

    Protect your desktops by subscribing to VirusScan ASaP.

    9. W32/Klez.eml

    This entry carries the same W32/Klez.h@MM description as entry 8 (W32/Klez.rar) above; see that entry for the characteristics, indications of infection and removal instructions.


    10. W32/Bugbear@MM

    Virus Characteristics

    ---Update 1/16/2003---
    Due to a sustained decrease in prevalence, the risk assessment was lowered from Medium to Low.

    ---Update 10/15/2002---
    Due to a decrease in prevalence, the risk assessment was lowered from High to Medium.

    ---Update 10/07/2002---
    W32/Bugbear@MM does not contain a bear icon, but rather a generic icon typically associated with EXE files.

    A new version of the JDBGMGR.EXE hoax is circulating, which is tricking users into deleting a file that uses a bear icon. This file, JDBGMGR.EXE, is not related to the W32/Bugbear@MM virus.

    ---Update 10/03/2002---
    The risk assessment of this threat has been raised to High due to the continuing increase in prevalence.

    AVERT has released a removal tool to assist infected users with this virus.

    ---Update 10/02/2002---
    The risk assessment of this threat has been raised to Medium On Watch due to an increase in prevalence.

    This worm can spoof, or forge, the 'From:' field (often set to an address found on the victim's machine). Additionally the virus can use a fabricated From address, by taking the name before the "@" sign of one address and the domain after the "@" sign of another (e.g. name1@domain1.com + name2@domain2.com = name1@domain2.com).

    This virus is written in MSVC and packed with UPX. It affects systems running the Windows operating system. It does not affect MacOS or Linux environments. It spreads via network shares and by emailing itself. It also contains a backdoor trojan component that contains keylogging functionality.

    Mass-mailing

    This worm emails itself to addresses found on the local system. The virus code contains email subject strings and attachment names, but the majority of samples received contain text not present in the virus, which suggests the worm more often builds subjects and filenames from words and filenames found on the infected system. Possible message subject lines include the following (other random subject lines are also possible):

    • 25 merchants and rising
    • Announcement
    • bad news
    • CALL FOR INFORMATION!
    • click on this!
    • Correction of errors
    • Cows
    • Daily Email Reminder
    • empty account
    • fantastic
    • free shipping!
    • Get 8 FREE issues - no risk!
    • Get a FREE gift!
    • Greets!
    • Hello!
    • Hi!
    • history screen
    • hmm..
    • I need help about script!!!
    • Interesting...
    • Introduction
    • its easy
    • Just a reminder
    • Lost & Found
    • Market Update Report
    • Membership Confirmation
    • My eBay ads
    • New bonus in your cash account
    • New Contests
    • new reading
    • News
    • Payment notices
    • Please Help...
    • Re: $150 FREE Bonus!
    • Report
    • SCAM alert!!!
    • Sponsors needed
    • Stats
    • Today Only
    • Tools For Your Online Business
    • update
    • various
    • Warning!
    • wow!
    • Your Gift
    • Your News Alert

    The message body varies and may contain fragments of files found on the victim's system. The attachment name also varies, but may contain the following strings:

    • Card
    • Docs
    • image
    • images
    • music
    • news
    • photo
    • pics
    • readme
    • resume
    • Setup
    • song
    • video
    It is common for the attachment name to carry a double extension (e.g. .doc.pif). Outgoing messages appear to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). Gateway scanners detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs (or higher). Many other threats, such as W32/Klez.h@MM, are also detected as Exploit-MIME.gen on the gateway.
      System changes

      When run on the victim machine it copies itself to %WinDir%\%SysDir% as ****.EXE (where each * is a random character). For example, in testing:

      • Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
      • 2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE
      The following Registry key is set in order to hook the next system startup:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
        "%random letters%" = %random filename%.EXE (Win9x)

      The worm copies itself to the Startup folder on the victim machine as ***.EXE (where each * is a random character), for example:

      • Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
      • 2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE
      Trojan component

      The worm opens TCP port 36794 on the victim machine and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products.

      This remote access server allows an attacker to upload and download files, run executables, and terminate processes.

      It drops a keylogging-related DLL on the victim machine. This DLL is detected as PWS-Hooker.dll.

      Spawns Print Jobs on Network Printers

      There have been reports from the field that after execution the virus sends print jobs to all network printers. AVERT has reproduced this in its labs: the worm attempts to print its own file contents to network printers.

      Network share propagation

      The worm attempts to copy itself to the Startup folder of remote machines on the network (as ***.EXE - described above).


      Indications Of Infection

      • Port 36794 TCP open
      • Existence of the following files (* represents any character):
        • %WinDir%\System\****.EXE (50,688 or 50,684 bytes)
        • %WinDir%\******.DAT
        • %WinDir%\******.DAT
        • %WinDir%\System\******.DLL
        • %WinDir%\System\*******.DLL
        • %WinDir%\System\*******.DLL
      • Large print jobs sent to network printers. The full printout caused by a copy of the worm in the printer queue can run to about 500 pages. They are mostly blank, with only one or two lines of random symbols on each page. The very first page starts with "MZ" followed by about 18 odd symbols and the string "=!This program cannot be run in DOS mode". Another visible printed string close to the beginning is "Rich5". This printing routine can leave many .tmp and .spl files in your print server spool directory.
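    The backdoor port and the printed copy of the worm are both observable without a DAT update. The Python below is an added example, not AVERT code: it finds a listener on TCP 36794 in netstat -an style output, and recognises a print-spool file that begins with a Win32 executable image (the "MZ" header, the DOS-stub text quoted above, then the "PE" signature at the offset stored at 0x3C). The netstat lines and the PE-like bytes are constructed; the worm body itself is not reproduced, and the "Rich5" string is treated as optional since not every executable carries it.

```python
# Added example (not AVERT code): two W32/Bugbear@MM checks, a listener on the
# backdoor port and an executable image in print-spool data. The netstat text
# and the PE-like bytes below are constructed.
import struct

BUGBEAR_PORT = 36794
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# Constructed `netstat -an` output from an infected host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1041       ESTABLISHED
"""


def listening_on(netstat_text, port):
    """Local endpoints in LISTENING state on `port`, from netstat -an style lines."""
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].upper() == "TCP" and cols[-1].upper() == "LISTENING":
            if cols[1].rsplit(":", 1)[-1] == str(port):
                hits.append(cols[1])
    return hits


def pe_print_job(data):
    """True when spool data starts like a Win32 executable: "MZ", the DOS-stub
    text within the first 512 bytes, and "PE\\0\\0" at e_lfanew (the DWORD at
    offset 0x3C). A truncated or text/PDF job fails one of these checks."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    if DOS_STUB_TEXT not in data[:512]:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe(include_rich=True):
    """Constructed minimal PE-like image standing in for the printed worm body:
    MZ header, e_lfanew = 0x100, the usual DOS stub code and text, an optional
    "Rich5" marker, then the PE signature and a stub COFF header."""
    image = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x100)
    image += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    image += b"=!" + DOS_STUB_TEXT + b".\r\n$"
    if include_rich:
        image += b"Rich5"
    image = image.ljust(0x100, b"\x00")
    return image + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 100


if __name__ == "__main__":
    print("backdoor listeners:", listening_on(NETSTAT, BUGBEAR_PORT))
    print("spool job is PE:", pe_print_job(fake_pe()))
    print("PDF job is PE:", pe_print_job(b"%PDF-1.4\n" + b"\x00" * 600))
```

    The print check is conservative on purpose: matching only on "MZ" would also flag legitimate jobs whose data happens to start with those two letters, while requiring the PE signature at e_lfanew ties the job to a real executable layout.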

      Removal Instructions

      Use current engine and DAT files for detection and removal.

      Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

      This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

      Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.
      1. Ensure that you are using the minimum DAT (specified above) or higher
      2. Close all running applications
      3. Disconnect the system from the network
      4. Click START | RUN, type command and hit ENTER
      5. Change to the VirusScan engine directory:
        • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
        • WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
      6. Type scan.exe /adl /clean and hit ENTER
      7. After scanning and removal is complete, reboot the system and reconnect to the network

      Additional Windows ME/XP removal considerations

      Detecting W32/Bugbear@MM infected systems with McAfee ThreatScan

      Protect your desktops by subscribing to VirusScan ASaP.

      ------------------------------------------------------------