Win32.Nimda.E@mm

( N/A )

SYMPTOMS:

a file named csrss.exe in the Windows folder (default C:\Windows for Windows 95/98/Me/XP or C:\Winnt for Windows NT/2000);

TECHNICAL DESCRIPTION:

This is a rebuilt variant of Win32.Nimda.A@mm containing some bug fixes and changes in files' names. The virus arrives as an attachment named sample.exe, copies as csrss.exe in the Windows directory. When it arrives through IIS servers using Unicode Web Traversal exploit exploit it copies under the name httpodbc.dll.

The author changed the virus declaration text contained in the virus to:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiNimda tool does the following:

it detects all the known Win32.Nimda versions;

it deletes the files infected with Win32.Nimda;

it kills the process from memory;

it repairs the Windows registry.

You may also need to restore the affected files.

ANALYZED BY:

Costin Ionescu BitDefender Virus Researcher