Users: Nimda a tough worm to fight

Cleaning up after the Nimda worm could prove to be a much harder and more time-consuming task than getting rid of other pieces of malicious software.

Many of the standard antivirus software and patches currently available aren't enough to correct the multiple problems Nimda causes to infected systems as it spreads, users and analysts said.

Among other things, users affected by the quick-spreading worm need to reset and restore changes it makes to numerous critical files and registry keys, because those changes aren't fully addressed by today's antivirus software. And they need to make sure that a key change leaving a system open to future attacks is closed, said Russ Cooper, an analyst at TruSecure Corp., a Reston, Va.-based security firm.

As a result, until more sophisticated fixes become available, the only sure recourse in some cases is to disconnect infected systems from the network, reformat that system's hard drive, reinstall software from a clean source, and apply appropriate security patches, according to recommendations by both the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and by the SANS Institute in Bethesda, Md.

"Nothing is cleaning this virus. The tools out today simply delete or quarantine the infected files," said one frustrated e-mailer to Computerworld who requested anonymity.

"We have had 50,000 to 100,000 infected files in my data center alone, and we were patched all the way up" after the Code Red attack, he said. "We are smart people. This one just won't be stopped."

The Nimda worm, reports of which first began flooding into mailing lists and security firms on Tuesday morning, is a mass-mailing piece of malicious code that infects systems running Microsoft Windows 95, 98, ME, NT and 2000 (see story).

Unlike other worms and viruses, Nimda is capable of spreading via network-based e-mail, as well as by Web browsers. It has also been tuned to look for and exploit backdoors left behind by previous viruses such as Code Red and Sadmind (see story).

In terms of a payload, Nimda's main objective is to try and propagate itself via various means, including modifying Web content on infected Microsoft Web servers, according to Allen Householder, a CERT member.

In the process, the worm does a number of insidious things, such as modifying critical system files and registry keys, making every directory available as a file share and creating a guest account with administrator privileges, Cooper said.

"The worm infects numerous binaries on a victim system, such that any time one of the infected executables is run, the worm is launched," according to a SANS advisory.

"In addition, the worm positions itself in such a way that when document files are opened in [text] editors, the worm code is executed. These characteristics make it incredibly difficult to clean the worm from an infected system," said the advisory.

As a result, "running [antivirus software] alone will not fix the problem," said Edward York, chief technical officer at 724 Inc., an application hosting service in Lompoc, Calif.

"The server must be secured all over again. All open shares closed, the hot fixes reapplied, the guest account disabled again and all traces of any file called root.exe or admin.dll deleted from the system," he said. Administrators also need to ensure that any registry items added by Nimda have been removed, he said.

Related stories:


Copyright © 2001 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon