Security management Toolkit

Help and HowTo: Nimda

Tags:
Code Red,
Nimda,
Viruses,
Worm

Robert Lemos, CNet News.com ZDNet US

Published: 19 Sep 2001 09:51 BST

Nimda is a new network-aware, mass-mailing worm that infects both PC Windows users and IIS Web servers alike. Think of Nimda (W32.NIMDA.A@mm) as a combination of Code Red and the mass-mailing worm APost. Nimda attacks at least a dozen known vulnerabilities on systems running Microsoft IIS and can also spread via open shares to other connected machines on a network. Compromised Web sites may display a Web page that encourages users to download a file that is actually infected; consequently, the worm can spread on Windows PCs via email. This infection may cause email servers to run slowly or shut down. At this time, antivirus software companies are still analysing this sophisticated worm. Nimda currently ranks an 8 on the CNET Virus Meter.

How it works

One of the ways Nimda arrives is by email with random text in the subject line, no body text, and an attached file called readme.exe.

The other way Nimda spreads is via Internet scan. From an infected IIS Web server, Nimda scans other Web servers looking for other systems vulnerable to the Unicode Web Traversal. Once Nimda gains access to a Web server, it may display a Web page prompting users to download an infected file, allowing Nimda to spread via email to Windows PCs. Microsoft has already announced patches for most of the vulnerabilities that Nimda exploits.

If a Windows PC user opens the attached email file, the worm will use Mailing API (MAPI) functions to read the user's email address book and send out copies of itself to all of the addresses.

Removal

Antivirus software companies are still analyzing this worm and are in the process of updating their signature files to include Nimda. For more information on removing Nimda from your system, see Central Command, McAfee, Sophos, Symantec, and Trend Micro.

Prevention

Follow these steps to contain this worm:

Windows PC users: If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that these patches do not include Outlook Express. Click here for help with installation or for more information regarding this patch.

Don't open attachments! One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as this one are actively circulating. Even if the e-mail message is from a known source, be careful. A few viruses take mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan any attached files for viruses, and unless the attachment is a file or an image you are expecting, delete it.

Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Alerts & Solutions page.

Get protection. If you don't already have virus-protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these programs and following the installation instructions. If you're on a network, check with your network administrator first.

Scan your system regularly. If you're loading antivirus software for the first time, let it scan your entire system. It's better to start with your PC clean and free of virus problems. Many antivirus programs can be set to scan on periodically or each time the computer is rebooted. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add virus detection code whenever the software vendor discovers a new threat. You can also scan your system for the latest security updates here.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.