Skip navigation
Skip navigation
You are using an outdated browser. Please upgrade your browser.

Marlow, England, 19th September 2001. TREND MICRO (NASDAQ: TMIC, TSE: 4704), a worldwide leader in network antivirus and Internet content security, has called a red alert: a new Trojan TROJ_Nimda.A (alias W32/Nimda.A@mm) was discovered yesterday evening. This computer worm is spreading fast on a worldwide basis via e-mail, network shares or IIS server. TREND MICRO Pattern file 941 detects the Trojan and is available for download for customers at

Home users can scan their PCs free of charge with the TREND MICRO HouseCall Service at

The new Trojan uses three different channels for its distribution. Via e-mail it can be detected through the attachment “readme.exe”. But further file versions like .wav or .com have also been detected. Upon execution it drops the file mepXXXX.tmp in the temporary folder C:WindowsTemp. This temp file contains the file attachment sent by the worm mails. Wininit.ini receives an entry, that sets one of the meXXXX.tmp.exe files to a null value, deleting one of the meXXXXtmp.exe files. The worm propagates via email using its own SMTP engine and also through messaging APIs. The Trojan carrying the email may be executed when opened using MS Outlook or MS Outlook Express. It exploits these email clients when they try to display an email in html format that contains frames. The new virus is causes damage through its mass mailing habit with fast distribution mode and thus spamming enterprise networks and servers, leading to reduced productivity.

The worm also propagates through shared drives. Similar to PE_FUNLOVE.4099, the worm searches the network to which the infected machine is connected for shared folders with write access. If one is found, a randomly named NWS (Newsgroup Posting) or EML file is dropped, which contains the worm as attachment.

It can also spread to machines with IIS installed using the IIS Web Directory Traversal exploit. It searches for various different security holes in the IIS server. Is one of these holes found, the worm uses it for further distribution.

“TREND MICRO recommends the use of blocking mechanisms to reduce this latest scare for enterprise networks. Blocking executable files delivers rapid security against the spread of TROJ_Nimda.A,” states Raimund Genes, European Vice President Sales and Marketing TREND MICRO. “This mechanism is especially helpful with this new Trojan, which can not be detected through a conspicuous subject line.”

About Trend Micro

Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers.

For additional information and evaluation copies of all Trend Micro products, visit:

For additional information

Europe/ UK
Anna Wright
European Marcoms
Trend Micro
Phone: + 44 1628 400 534

This press release was distributed by ResponseSource Press Release Wire on behalf of Text 100 London in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit