RootsWeb.com Mailing Lists
Total: 1/1
    1. [{Meigs Co., TN}] List Administrator Message
    2. jreece
    3. The latest information from McAfee.com has the following. As always, please contact me personally with any questions at jreece@icx.net
       >
       > Name: W32/Nimda@MM
       >
       > Characteristics:
       > The information provided here is as of 3:00pm PDT September 18, 2001.
       > Please check back periodically for more information regarding this threat.
       > This threat can infect all unprotected users of Win9x/NT/2000/ME.
       > Its main goal is simply to spread over the Internet and Intranet,
       > infecting as many users as possible and creating so much traffic that
       > networks are virtually unusable.
       > All end users and administrators running Microsoft Internet Explorer (ver
       > 5.01 or greater), are advised to install this patch
       > (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp)
       > for the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
       > vulnerability.
       > All IIS administrators should also install this patch
       > (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp)
       > (August 15, 2001 Cumulative Patch for IIS).
       >
       > This is a mass-mailing worm, which also spreads via open shares, the
       > Microsoft Web Folder Transversal vulnerability
       > (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp)
       > (also used by W32/CodeBlue), and a Microsoft content-type spoofing
       > vulnerability. It also attempts to create a share (c:), and checks for
       > the presence of the trojan dropped by the W32/CodeRed.c worm.
       > The email attachment name varies and may use the icon for an Internet
       > Explorer HTML document.
       > The most significant methods of propagation are as follows:
       >
       > - The email messages created by the worm specify a content-type of
       >   audio/x-wav with an executable attachment type. Thus when a message is
       >   accessed, the attachment can be executed without the user's knowledge.
       >
       > - When infecting, it appends HTML documents with javascript code which
       >   opens a new browser window containing the infectious email message itself
       >   (taken from the dropped file README.EML). Thus when this infected HTML is
       >   accessed (locally or remotely) the machine viewing the page is then
       >   infected.
       >
       > Once infected, your system is used to seek out others to infect over the
       > web. As this creates a lot of port scanning, this can cause a network
       > traffic jam.
       > It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and creates a
       > SYSTEM.INI entry to load itself at startup:
       > Shell=explorer.exe load.exe -dontrunold
       > Additional events are:
       > - A MIME encoded version of the worm is created in each folder on the
       >   drive (often as README.EML, can also be .NWS files)
       > - Certain executable files are selected by the worm and altered.
       > The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001
       > R.P.China
       >
       > To check your system for this Virus, and to learn how to protect yourself
       > from computer viruses, visit the McAfee.com Clinic at
       > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.
       >
       > For complete information on this Virus, view McAfee.com's Virus
       > Information Library listing at
       > http://vil.mcafee.com/dispVirus.asp?virus_k=99209.
       >
       > This email was sent to you by Joyce Reece, List Administrator

    09/18/2001 02:37:55
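
An added example, not part of the original message or the McAfee advisory it quotes: a Python sketch that checks for two indicators named above, a mail part declared as audio/x-wav whose attachment name looks executable, and a SYSTEM.INI Shell= line that starts load.exe with -dontrunold. The extension list, function names and sample inputs are assumptions constructed for this illustration.

```python
import email
from email import policy

# Which extensions count as "executable" is an assumption of this example.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")

def mismatched_audio_parts(raw_message: bytes):
    """Return names of parts declared audio/x-wav but named like executables."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "audio/x-wav":
            continue
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(EXECUTABLE_EXTS):
            hits.append(name)
    return hits

def system_ini_shell_hits(system_ini_text: str):
    """Return Shell= lines that launch load.exe with the -dontrunold argument."""
    hits = []
    for line in system_ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "shell":
            value = value.lower()
            if "load.exe" in value and "-dontrunold" in value:
                hits.append(line.strip())
    return hits

# Constructed sample message; the attachment body is a harmless placeholder.
SAMPLE_EML = (
    b"From: a@example.invalid\r\n"
    b"To: b@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="sample.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"--b1--\r\n"
)
SAMPLE_INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\n"  # constructed
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"                        # constructed
```

A hit from either function is a reason to inspect the machine or message further, not proof of infection on its own.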