a file named csrss.exe in the Windows folder (default C:\Windows for Windows 95/98/Me/XP or C:\Winnt for Windows NT/2000);
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.it detects all the known Win32.Nimda versions;
Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiNimda tool does the following:
it deletes the files infected with Win32.Nimda;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Costin Ionescu BitDefender Virus Researcher
This is a rebuilt variant of Win32.Nimda.A@mm containing some bug fixes and changes in files' names. The virus arrives as an attachment named sample.exe
, copies as csrss.exe
in the Windows directory. When it arrives through IIS servers using Unicode Web Traversal exploit
exploit it copies under the name httpodbc.dll
The author changed the virus declaration text contained in the virus to: Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)