
Trojan:JS/Nimda.A


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Trojan:JS/Nimda.A is also known as HTML/Nimda, JS/Nimda.A@mm, I-Worm/Nimda.A.HTM, JS.Nimda.A, JScript/Chir.B.Worm, Win32/Chir.B, Net-Worm.Win32.Nimda, W32/Nimda.htm, HTML/Nimda.A@mm, W32/Chir-B, W32.Chir.B@mm, JS_NIMDA.A, JS.Chir.B.

Explanation:

Trojan:JS/Nimda.A is a trojan that attempts to open the malicious file “readme.eml” in the current folder. The file “readme.eml” is a malformed multipart MIME formatted message file dropped by Worm:Win32/Nimda, and it contains an encoded copy of Worm:Win32/Nimda. Trojan:JS/Nimda.A takes advantage of a vulnerability addressed by MS01-020 (Incorrect MIME Header Can Cause IE to Execute E-mail Attachment).

Installation

The presence of Trojan:JS/Nimda.A is an indication of the presence of Worm:Win32/Nimda.A. When Win32/Nimda.A executes, it infects executable files, copies itself to local folders, network shares, and to remote computers via previous system compromises.

Win32/Nimda.A drops a malicious e-mail message as 'readme.eml' into file folders containing web-related content files (for example, files with .HTM, .HTML, .ASP extensions). It then appends the code of JS/Nimda.A referencing the dropped file 'readme.eml' to these files.

Payload

Win32/Nimda Execution

When a modified file is viewed on a vulnerable computer, Trojan:JS/Nimda.A attempts to open a new browser window and load the file “readme.eml” into this new window. The file “readme.eml” takes advantage of a vulnerability addressed by MS01-020 (Incorrect MIME Header Can Cause IE to Execute E-mail Attachment).

When opening the malicious .EML file on a vulnerable system, a command window may open momentarily as the malicious file “readme.exe” is executed. The infected computer may then begin spreading Win32/Nimda to other computers. Please see the Worm:Win32/Nimda description elsewhere in our encyclopedia for additional detail.

Analysis by Wei Li
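The description above gives two file-system indicators without reproducing the appended script: a 'readme.eml' dropped into a folder that also holds .HTM/.HTML/.ASP files, and a web file that has been modified to reference that name. The following scanner is an added example written for this page (it is not Microsoft's or malwarePDF's code) that walks a web-content tree and reports both indicators. The sample pages, the window.open snippet and the MIME message are constructed here for illustration; checking the EML for a part whose declared filename ends in .exe is an assumption drawn from the description's mention of "readme.exe", not a parser for the MS01-020 header condition.

```python
import os
import re
import tempfile
from email import message_from_bytes

# File types the description names as targets for the appended script.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
DROPPED_NAME = "readme.eml"
# The appended script references the dropped file by name; a case-insensitive
# byte search for that name is the page-grounded indicator used here.
REF_PATTERN = re.compile(rb"readme\.eml", re.IGNORECASE)

# Constructed sample data (not taken from a real infection).
SAMPLE_PAGE_MODIFIED = (
    b"<html><body>Welcome</body></html>"
    b"<script>window.open(\"readme.eml\")</script>"  # constructed stand-in for the appended code
)
SAMPLE_PAGE_CLEAN = b"<html><body>Nothing appended here</body></html>"
SAMPLE_EML = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"placeholder body\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"readme.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"readme.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"  # placeholder payload bytes, not an executable
    b"--b1--\r\n"
)


def eml_attachment_names(path):
    """Return the filenames declared by the parts of a MIME file."""
    with open(path, "rb") as fh:
        msg = message_from_bytes(fh.read())
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def scan_tree(root):
    """Walk a web-content tree and return (kind, path, detail) findings.

    kind is one of:
      "page_reference" -- a .htm/.html/.asp file mentions readme.eml
      "eml_dropped"    -- a readme.eml sits in a folder that also holds web files;
                          detail lists any .exe attachment names it declares
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        web_files = [f for f in files if os.path.splitext(f)[1].lower() in WEB_EXTENSIONS]
        eml_files = [f for f in files if f.lower() == DROPPED_NAME]
        for fname in web_files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                if REF_PATTERN.search(fh.read()):
                    findings.append(("page_reference", full, DROPPED_NAME))
        # A readme.eml only counts when it sits next to web content, as described.
        if web_files:
            for fname in eml_files:
                full = os.path.join(dirpath, fname)
                exe_parts = [n for n in eml_attachment_names(full) if n.lower().endswith(".exe")]
                findings.append(("eml_dropped", full, ",".join(exe_parts)))
    return findings


def build_sample_tree(root):
    """Create a constructed site folder: one clean page, one modified page, one dropped EML."""
    site = os.path.join(root, "site")
    os.makedirs(site, exist_ok=True)
    with open(os.path.join(site, "index.html"), "wb") as fh:
        fh.write(SAMPLE_PAGE_MODIFIED)
    with open(os.path.join(site, "about.htm"), "wb") as fh:
        fh.write(SAMPLE_PAGE_CLEAN)
    with open(os.path.join(site, DROPPED_NAME), "wb") as fh:
        fh.write(SAMPLE_EML)
    return site


def demo():
    """Build the constructed tree in a temp folder, scan it, return sorted findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = [
            (kind, os.path.relpath(path, tmp).replace(os.sep, "/"), detail)
            for kind, path, detail in scan_tree(tmp)
        ]
    return sorted(results)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

On a real web root, call scan_tree with the document root; a "page_reference" hit on a page that was never meant to mention readme.eml, together with an "eml_dropped" finding in the same folder, matches the two-file pattern the description attributes to Win32/Nimda.A and should be treated as a sign that the host itself, not only the page, is compromised.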

Last update 15 February 2019
