Nimda Worm Description
Nimda worm, also known as I-Worm.Nimda, W32/Nimda@MM, PE_NIMDA.A and W32/Nimda-A, is a mass-mailing worm that uses multiple techniques to replicate itself. It can spread via email, open network shares or malicious websites.

Nimda sends itself by email and searches for open network shares. It then tries to copy itself to unpatched or already vulnerable Microsoft IIS web servers, using the Unicode Web Traversal exploit. The worm infects both local files and files on remote network shares.

When Nimda arrives on the affected PC by email, it uses a MIME exploit, which allows the threat to be executed simply by reading or previewing the file. If a computer user visits a compromised web server, he/she will be urged to download a .eml (Outlook Express) email file, which carries the worm as an attachment. You can disable "File Download" in your Internet Explorer Internet Security Zones to block the infection.

Nimda will also create open network shares on the affected computer, which allows access to the PC system. Throughout this process, the worm creates the guest account with Administrator privileges. It is strongly recommended to remove Nimda worm immediately after detection.
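To check whether an IIS server has been probed with the Unicode Web Traversal technique mentioned above, the request URIs in its logs can be scanned for overlong UTF-8 sequences, which a lenient decoder turns into path separators. The following is an added example, not part of the original description: the log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines (assumed layout: date time client method uri status).
SAMPLE_LOG = """\
2001-09-18 13:02:11 192.0.2.10 GET /default.htm 200
2001-09-18 13:02:14 192.0.2.77 GET /scripts/..%c0%af../example.txt 404
2001-09-18 13:02:15 192.0.2.77 GET /scripts/..%c1%9c../example.txt 404
2001-09-18 13:02:19 192.0.2.10 GET /images/caf%c3%a9.gif 200
"""

# Overlong UTF-8: 2-byte forms led by C0/C1, 3-byte forms led by E0 80-9F.
# Strict decoders reject these; a lenient one maps them to plain characters.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")

def lenient_decode(match):
    """Return the bytes a non-strict decoder would produce for the sequence."""
    seq = match.group(0)
    cp = seq[0] & (0x1F if len(seq) == 2 else 0x0F)
    for cont in seq[1:]:
        cp = (cp << 6) | (cont & 0x3F)
    return bytes([cp]) if cp < 0x80 else chr(cp).encode("utf-8")

def inspect_uri(uri):
    """Return (characters hidden by overlong encoding, traversal after decoding)."""
    raw = unquote_to_bytes(uri)
    hidden = [lenient_decode(m).decode("utf-8") for m in OVERLONG.finditer(raw)]
    normalized = OVERLONG.sub(lenient_decode, raw).replace(b"\\", b"/")
    return hidden, b".." in normalized.split(b"/")

def scan(log_text):
    """Collect (client, uri, hidden characters, traversal flag) for suspect lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        hidden, traversal = inspect_uri(fields[4])
        if hidden:
            hits.append((fields[2], fields[4], hidden, traversal))
    return hits

if __name__ == "__main__":
    for client, uri, hidden, traversal in scan(SAMPLE_LOG):
        print(f"{client} {uri} hidden={hidden} traversal={traversal}")
```

Legitimate non-ASCII names such as the `caf%c3%a9.gif` request are not flagged, because valid UTF-8 never uses the lead bytes C0 or C1.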