Another Virus doing the rounds... NIMDA

Not open for further replies.


Forum Admin
Staff member
Site Supporter
Feb 15, 2001
W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin". The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.

The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows 2000 Gold or Service Pack 1 and information regarding this exploit can be found at

When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at

If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer internet security zones to prevent this compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.

Removal Tool
Symantec Security Response has posted a tool to remove infections caused by W32.Nimda.A@mm. Please go here to download the tool:
Not open for further replies.