Nemsi Alert

October 2004

Vector: Parasitic (prepends EXE with virus code)

Impact: Minimal (low distribution, malicious payload non-functioning, causes crash on September 13)

Nemsi is included in the list because of its return to a simpler time, when viruses tried to wreck the MBR. Once run, Nemsi prepends itself to executable files and adds itself to the default startup by creating the following Registry value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explorer = %windir%\explorer6.exe
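The two behaviours just described, prepending the virus image to executables and persisting through the Run key, each leave something a defender can look for. The Python below is an added illustration, not code from the original alert or from any vendor: it scans a file image for a second embedded PE header (the original program that a prepending infector leaves behind its own image) and checks a Run-key listing for the indicator given above. The PE blobs and the Run-key entries are constructed here, and the "second PE header" heuristic is an assumption about prependers in general, not Nemsi's actual on-disk layout.

```python
import struct
from typing import List, Tuple

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every 'MZ' stub whose e_lfanew (dword at +0x3C) points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if data[pe_off:pe_off + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(MZ, pos + 1)
    return offsets


def looks_prepended(data: bytes) -> bool:
    """Heuristic (an assumption, not Nemsi's exact layout): the infector's own image sits at
    offset 0 and the victim's original PE image is still intact somewhere after it."""
    headers = find_pe_headers(data)
    return len(headers) > 1 and headers[0] == 0


def make_min_pe(size: int, filler: bytes) -> bytes:
    """Constructed, non-runnable PE-shaped blob: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40, then filler."""
    hdr = bytearray(MZ + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)            # e_lfanew
    hdr += PE_SIG
    return bytes((hdr + filler).ljust(size, b"\x00"))


# Constructed samples: a clean host and the same host with a "virus image" prepended.
HOST_EXE = make_min_pe(512, b"original host program code")
PREPENDED = make_min_pe(256, b"virus image runs first") + HOST_EXE

# Indicator from the alert text: value "explorer" under HKLM\...\CurrentVersion\Run pointing at explorer6.exe.
RUN_VALUE_NAME = "explorer"
RUN_DATA_TAIL = "explorer6.exe"


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return Run-key (value name, data) pairs that match the Nemsi persistence indicator."""
    return [(name, data) for name, data in entries
            if name.lower() == RUN_VALUE_NAME and data.lower().rstrip().endswith(RUN_DATA_TAIL)]


# Constructed Run-key listing, in the shape a `reg query` of the Run key or a .reg export would give.
SAMPLE_RUN = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),   # constructed benign entry
    ("explorer", r"%windir%\explorer6.exe"),             # constructed: matches the alert
]

if __name__ == "__main__":
    print("host PE headers:", find_pe_headers(HOST_EXE))          # [0]
    print("prepended PE headers:", find_pe_headers(PREPENDED))    # [0, 256]
    print("prepended?", looks_prepended(PREPENDED))               # True
    print("Run-key hits:", flag_run_entries(SAMPLE_RUN))
```

The header scan is a triage aid rather than a signature: legitimate installers and self-extracting archives also carry a second PE image, so a hit means "inspect this file", not "infected". The Run-key check is only as good as the listing fed to it; a real sweep should dump the key from the live hive rather than trust a cached export.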

 

If executed on 13 September, the virus attempts to overwrite the MBR of the first hard disk, which would leave the machine unbootable. The code is flawed, however: the assembler routine that is meant to write the MBR instead crashes Windows (BSOD).
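A payload of this kind is caught after the fact by comparing sector 0 against a baseline taken while the machine was known clean. The Python below is an added example, not part of the original alert: it decodes the MBR partition table, records a SHA-256 baseline, and reports whether a later copy of the sector is unchanged, modified (boot code or table rewritten but the 0x55AA signature still present) or invalid (signature gone, so the BIOS would not boot it). The sector images are constructed in the script; on a real Windows host the sector would be read from `\\.\PhysicalDrive0` with administrator rights, which this offline example does not attempt.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
PART_TABLE = 0x1BE            # four 16-byte partition entries start here
BOOT_SIG = 0x1FE              # bytes 0x55 0xAA mark a valid boot sector


def parse_mbr(sector: bytes) -> Optional[List[Dict[str, int]]]:
    """Decode the partition table; None if the boot signature is missing (BIOS would not boot it)."""
    if len(sector) != SECTOR or sector[BOOT_SIG:] != b"\x55\xAA":
        return None
    table = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE + 16 * i)   # the two 3-byte CHS fields are skipped
        table.append({"bootable": int(status == 0x80), "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return table


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector, stored as a baseline while the system is known clean."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> str:
    """'ok' | 'modified' (content changed, signature intact) | 'invalid' (signature gone)."""
    if parse_mbr(sector) is None:
        return "invalid"
    if fingerprint(sector) != baseline:
        return "modified"
    return "ok"


def build_mbr(partitions) -> bytes:
    """Constructed MBR image for the demo; the boot code area holds a placeholder, not real code."""
    s = bytearray(SECTOR)
    s[:16] = b"PLACEHOLDER-BOOT"
    for i, (bootable, ptype, lba, n) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", s, PART_TABLE + 16 * i,
                         0x80 if bootable else 0, ptype, lba, n)
    s[BOOT_SIG:] = b"\x55\xAA"
    return bytes(s)


# Constructed: one bootable NTFS-type (0x07) partition starting at LBA 63.
CLEAN_MBR = build_mbr([(True, 0x07, 63, 20971457)])
BASELINE = fingerprint(CLEAN_MBR)
WIPED_MBR = bytes(SECTOR)                                   # a zero-filled sector 0: signature gone
TAMPERED_MBR = bytes(b"XXXXXXXXXXXXXXXX" + CLEAN_MBR[16:])  # boot code replaced, table and signature kept

if __name__ == "__main__":
    print("first partition:", parse_mbr(CLEAN_MBR)[0])
    for name, img in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR), ("tampered", TAMPERED_MBR)):
        print(name, "->", check_mbr(img, BASELINE))
```

The baseline hash has to be refreshed whenever partitioning or the boot loader legitimately changes, otherwise every report reads "modified"; keeping the baseline on separate media also means the comparison still works when the disk it describes no longer boots.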

 

Read about MBR viruses from the Microsoft perspective:

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/core/fncb_dis_gidi.asp

 

and read about Nemsi at Panda Software’s site:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=53067

 

Copyright © 2004 infectionvectors.com. All rights reserved.