nimda is a pretty smart worm...it spreads in many different ways...it uses exploits in IIS (m$ webserver) and IE
it infects a webserver by sending a malformed url which in effect gives it control over the server, allowing it to set up an html file on that server which will infect certain visitors to that website. these visitors can be prompted to download a file which has the malicious attachment.
now comes the fun part...the attachment uses a mime exploit in IE which fools IE into thinking it is a .wav file but is an exe file....IE will run the attachment without even a warning message...any email client which uses the IE rendering engine is susceptible...this includes outlook and eudora...so just by visiting an infected website, you can be infected if you are using an unpatched version of IE.
the other way nimda spreads is by direct email...it uses its own smtp engine to mail itself out to people in email address books...
so if you received an infected email...

Quote:
I am the only user on this computer, and like I said, I didn't open any attachments, so is it possible that I got it just by opening and reading an email?

so yes...it is not only possible...but very likely that this is how you were infected.
the other thing is that nimda.e was a new and improved version...which employed some techniques to hide itself from av software...so it is quite possible that McAfee missed it...
you probably did the right thing in reformatting...nimda can allow complete remote control of your system...and even if you do remove all traces of it...there is no way to know what else has been done...
so there's a couple things you can do...first of all make sure you have the right repair tool...not sure about McAfee's tool but NAV had specific tools for the different versions of nimda, A and E being the most prevalent...the A tools wouldn't remove the E worm...so that might have been your prob...i'd also try a couple of vendors' tools...they're free anyways...just to be sure...
but....the number one thing you can do...is never...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever use Outlook for email...now to be fair...the exploit was in IE and not outlook in this case...but...well
simply put...if you had been using a different client...you might not have been infected in the way you were...i'd suggest eudora ...there's a free version...which works great...is not completely full of holes...

Searched the web for outlook exploit. Results 1 - 10 of about 93,500.

it's not perfect...but it's not outlook...

Searched the web for eudora exploit. Results 1 - 10 of about 7,750
to really protect yourself...use a client which doesn't rely on IE rendering...
to protect yourself in the future...make sure your browser and email client are completely up to date with their patches...and your AV software and definitions are up to date...and most importantly...stay informed...which you've got a good start on by hanging out here.
if you want to read up on nimda...
http://www.sarc.com/avcenter/venc/[email protected]
http://[email protected]
http://www.microsoft.com/technet/tre...n/ms00-078.asp
http://www.microsoft.com/technet/tre...n/MS01-020.asp
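Added example, not part of the post above or of any vendor's removal tool: a small Python checker for the MIME trick the post describes (the MS01-020 class of bug, where a part is declared as a harmless type such as audio/x-wav but actually carries an .exe). It parses a message with the standard library and flags any part whose declared Content-Type disagrees with either the attachment's file name or the bytes it really contains. The sample message, the boundary, the file names and the fake "MZ" payload are all constructed here for illustration and are not a real captured Nimda mail.

```python
"""Flag MIME parts whose declared Content-Type disagrees with the attachment
name or with the bytes actually carried (the MS01-020 style mismatch)."""
import base64
import email
from email import policy

# Extensions Windows will run as a program (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js"}
# Leading bytes of executable formats we recognise.
EXEC_MAGIC = {b"MZ": "PE/DOS executable"}
# Content-Types a client may open inline without asking; none of these should
# ever carry an executable body.
INLINE_TYPES = ("audio/", "image/", "video/", "text/")


def _ext(name):
    """Lower-cased extension of a file name, '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def _reasons(declared, filename, payload):
    """Return the list of mismatches between declared type, name and content."""
    reasons = []
    if _ext(filename) in EXEC_EXTS and not declared.startswith("application/"):
        reasons.append(f"name {filename!r} is executable but type is {declared}")
    for magic, desc in EXEC_MAGIC.items():
        if payload.startswith(magic) and declared.startswith(INLINE_TYPES):
            reasons.append(f"payload is a {desc} but type is {declared}")
    return reasons


def find_mime_mismatches(raw):
    """Parse a raw RFC 822 message and return one finding per suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        declared = part.get_content_type()
        filename = part.get_filename()  # also reads the Content-Type name= param
        payload = part.get_payload(decode=True) or b""
        reasons = _reasons(declared, filename, payload)
        if reasons:
            findings.append({"filename": filename, "declared": declared,
                             "reasons": reasons})
    return findings


# ---- constructed sample message (not a real Nimda capture) -----------------
BOUNDARY = b"====constructed-sample===="


def _part(ctype, name, data):
    """Build one base64-encoded body part with the given declared type/name."""
    return (b"--" + BOUNDARY + b"\n"
            b"Content-Type: " + ctype + b'; name="' + name + b'"\n'
            b"Content-Transfer-Encoding: base64\n"
            b"Content-ID: <" + name + b">\n\n"
            + base64.encodebytes(data) + b"\n")


SAMPLE_EML = (
    b"From: sender@example.invalid\n"
    b"To: you@example.invalid\n"
    b"Subject: constructed sample\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="' + BOUNDARY + b'"\n\n'
    # declared as a wav, named .exe, starts with a PE header: the mismatch
    + _part(b"audio/x-wav", b"readme.exe", b"MZ\x90\x00" + b"\x00" * 61)
    # a genuine-looking wav (RIFF header) that must not be flagged
    + _part(b"audio/x-wav", b"beep.wav", b"RIFF\x24\x00\x00\x00WAVEfmt ")
    + b"--" + BOUNDARY + b"--\n"
)

if __name__ == "__main__":
    for hit in find_mime_mismatches(SAMPLE_EML):
        print(hit["filename"], hit["declared"])
        for r in hit["reasons"]:
            print("   -", r)
```

Run it on a saved .eml to see which parts would have been handed to the renderer under a false type; the name check and the magic-byte check are deliberately independent, because an attacker can drop the `name=` parameter and the content check still fires.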