Threat behavior
Trojan:JS/Nimda.A is a trojan that attempts to open the malicious file “readme.eml” in the current folder. The file “readme.eml” is a malformed multipart MIME formatted message file dropped by Worm:Win32/Nimda, and it contains an encoded copy of Worm:Win32/Nimda.
Installation
The presence of Trojan:JS/Nimda.A is an indication of the presence of Worm:Win32/Nimda.A. When Win32/Nimda.A executes, it infects executable files and copies itself to local folders, to network shares, and to remote computers that were previously compromised.
Win32/Nimda.A drops a malicious e-mail message as “readme.eml” into file folders containing web-related content files (for example, files with .HTM, .HTML, or .ASP extensions). It then appends the code of JS/Nimda.A, which references the dropped file “readme.eml”, to these files.
Payload
Win32/Nimda Execution
When the malicious .EML file is opened on a vulnerable system, a command window may briefly appear as the embedded file “readme.exe” executes. The infected computer may then begin spreading Win32/Nimda to other computers. Please see the Worm:Win32/Nimda description elsewhere in our encyclopedia for additional detail.
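The Installation and Payload sections above give a defender two file-system indicators: web content files (.HTM, .HTML, .ASP) whose tail references “readme.eml”, and a dropped “readme.eml” that is a multipart MIME message carrying “readme.exe”. The following scanner is an added example written for this page; it is not code from the Microsoft description or from the worm. The exact shape of the appended script reference and of the MIME headers in the .eml are assumptions (the description only names the files), and the sample directory tree it builds is constructed placeholder data, not real worm output.

```python
import os
import re
import tempfile

# File indicators named in the description above.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
DROPPED_NAME = "readme.eml"

# A <script> block that names the dropped file. The description only says the
# appended code "references" readme.eml, so this pattern is an assumption.
INJECTED_REF = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>",
    re.IGNORECASE | re.DOTALL,
)

# MIME headers that would show the .eml is multipart and carries an attachment
# named readme.exe (header shapes are assumptions; the page names the file only).
MULTIPART_HDR = re.compile(rb"^Content-Type:\s*multipart/", re.IGNORECASE | re.MULTILINE)
EXE_PART = re.compile(rb"name=\"?readme\.exe\"?", re.IGNORECASE)


def classify_eml(data: bytes) -> str:
    """Return 'multipart_with_exe', 'multipart' or 'other' for an .eml body."""
    if not MULTIPART_HDR.search(data):
        return "other"
    return "multipart_with_exe" if EXE_PART.search(data) else "multipart"


def scan_tree(root: str):
    """Walk root and return sorted (kind, absolute path) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()  # case-insensitive, as on Windows
            if name.lower() == DROPPED_NAME:
                with open(path, "rb") as f:
                    findings.append((f"dropped_eml:{classify_eml(f.read())}", path))
            elif ext in WEB_EXTENSIONS:
                with open(path, "rb") as f:
                    data = f.read()
                if INJECTED_REF.search(data):
                    findings.append(("injected_ref", path))
    return sorted(findings)


def relative_findings(root: str):
    """Same findings with paths relative to root and '/' separators, for stable reporting."""
    return [(kind, os.path.relpath(p, root).replace(os.sep, "/")) for kind, p in scan_tree(root)]


def build_sample_tree() -> str:
    """Constructed sample tree (placeholder content, not real worm output)."""
    root = tempfile.mkdtemp(prefix="nimda_scan_")
    site = os.path.join(root, "site")
    os.makedirs(site)
    files = {
        # clean page: no reference to the dropped file
        os.path.join(root, "clean.html"): b"<html><body>hello</body></html>\n",
        # page with an appended script referencing readme.eml (constructed)
        os.path.join(site, "INDEX.HTM"):
            b"<html><body>home</body></html>\n"
            b"<script>/* constructed reference to the dropped file */ open('readme.eml')</script>\n",
        # dropped multipart message naming readme.exe (constructed placeholder)
        os.path.join(site, "readme.eml"):
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: multipart/mixed; boundary=\"x\"\r\n\r\n"
            b"--x\r\nContent-Type: application/octet-stream; name=\"readme.exe\"\r\n\r\n"
            b"PLACEHOLDER-NOT-A-REAL-ATTACHMENT\r\n--x--\r\n",
        # non-web file mentioning the name: must not be flagged
        os.path.join(root, "notes.txt"): b"mentions readme.eml but is not web content\n",
    }
    for path, body in files.items():
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for kind, rel in relative_findings(build_sample_tree()):
        print(f"{kind:28} {rel}")
```

Point `scan_tree` at a web root to list both kinds of finding; a `dropped_eml:multipart_with_exe` result next to an `injected_ref` in the same folder is the pairing the description above predicts, while a `dropped_eml:other` result is worth a manual look rather than an automatic verdict.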
Analysis by Wei Li
Prevention