** Virus Alert: PE.Nimda.E  **

PE_NIMDA.E is a fast-spreading Internet worm and file infector that arrives via email, as an attachment called SAMPLE.EXE. It employs several infection mechanisms and exploits several known vulnerabilities. Similar to the original variant, PE_NIMDA.A  it has four modes of propagation: through email, through network shared drives, through un-patched IIS servers, and through file infection.

The main difference between this variant and PE_NIMDA.A are the names of three of its dropped files. However, similar to the original variant, the name of the dropped executables are names of valid system files. The worm arrives via email as an attachment, or through infected HTTP documents as SAMPLE.EXE, instead of README.EXE as it did in PE_NIMDA.A. Another slight difference between this version and PE_NIMDA.A is the name of its mutex. In earlier forms of this virus, the string "fsdhqherwqi2001" was placed in the infected system's global memory to indicate the worm's presence in the machine. In this version, the string "efqpm2300dfhroop" has been added as a marker for its presence in memory. The worm also contains the following text:  Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)  Infected executable files are detected as PE_NIMDA.E. Infected HTML, HTM,  and NWS files are detected as JS_NIMDA.A
 
TrendMicro Pattern file # 161 or 961 has detected this virus.
 
Should you receive an e-mail that contains this subject header, message,  or the attached file, DO NOT OPEN THE ATTACHMENT - PLEASE DELETE IT IMMEDIATELY.