Cleaning out systems infected by the Nimda worm could prove a much
harder task for users than getting rid of an ordinary virus.
Users and analysts say that many of the standard anti-virus products
and patches currently available are not enough to undo the multiple
changes Nimda makes to infected systems.
Users affected by the quick-spreading worm need to reset and
restore changes it makes to numerous critical files and registry
keys because those changes are not fully addressed by current
anti-virus software. They need to make sure that a key change
leaving a system open to future attacks is closed, said Russ
Cooper, an analyst at security firm TruSecure.
Until more thorough fixes become available, the safest recourse in
some cases is to disconnect infected systems from the network,
reformat the system's hard drive, reinstall software from a clean
source, and apply the appropriate security patches, according to
recommendations from both the US government-funded CERT Coordination
Centre and the SANS Institute.
"Nothing is cleaning this virus. The tools out today simply delete
or quarantine the infected files," said one frustrated IT
professional.
"We have had 50,000 to 100,000 infected files in my data centre
alone and we were patched all the way up," after the Code Red
attack, he said. "We are smart people. This one just won't be
stopped."
The Nimda worm - reports of which first surfaced on 18 September -
is a mass-mailing piece of malicious code that infects systems
running Microsoft Windows 95, 98, ME, NT and 2000.
Unlike most other worms and viruses, Nimda can spread both through
e-mail and through Web browsers. It has also been programmed to look
for and exploit backdoors left behind by earlier worms such as Code
Red and Sadmind.
Nimda's main objective is to propagate itself by any means. This
could include modifying Web content on infected Microsoft Web
servers, according to Allen Householder, a CERT member.
In the process, the worm does a number of insidious things, such as
modifying critical system files and registry keys, making every
directory available as a file share and creating a guest account
with administrator privileges, Cooper said.
"The worm infects numerous binaries on a victim system, so that any
time one of the infected executables is run, the worm is launched,"
according to a SANS advisory statement.
"The worm positions itself in such a way that when document files
are opened in [text] editors, the worm code is executed. These
characteristics make it incredibly difficult to clean the worm from
an infected system," said the advisory.
As a result, "running [anti-virus software] alone will not fix the
problem," said Edward York, chief technical officer at 724, a
US-based application-hosting service.
"The server must be secured all over again. All open shares closed,
the Hot Fixes reapplied, the guest account disabled again and all
traces of any file called root.exe or admin.dll deleted from the
system," he said. Administrators also need to ensure that any
registry items added by Nimda have been removed, he added.
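The two passages above describe what Nimda changes on a host and what has to be checked before it can be trusted again. As an added example (not part of the original article, and not from CERT, SANS or any of the people quoted), the following PowerShell script audits a Windows host for those conditions: non-administrative file shares, an enabled Guest account or Guest in the Administrators group, and any file named root.exe or admin.dll. It assumes a current Windows build with the SmbShare and LocalAccounts modules and an elevated session; the registry entries and hotfixes the article refers to are not checked, because the article names neither the keys nor the hotfix numbers.

```powershell
# Added example: read-only post-Nimda host audit.
# Assumes Windows 8 / Server 2012 or later (Get-SmbShare, Get-LocalUser,
# Get-LocalGroupMember) and an Administrator session. Nothing is changed;
# the output is a list of findings to act on before, or instead of,
# rebuilding the machine as CERT and SANS recommend.

function Get-NimdaIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. File shares. Nimda shared out directories; Windows' own
    #    administrative shares (ADMIN$, C$, IPC$) are marked Special
    #    and are left out so only shares someone or something added show up.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $findings.Add("Share: $($_.Name) -> $($_.Path)")
    }

    # 2. Guest account: should be disabled and must not be an Administrator.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings.Add('Guest account is enabled')
    }
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*\Guest' } |
        ForEach-Object { $findings.Add("Guest is in Administrators: $($_.Name)") }

    # 3. Worm files the article names. -Force includes hidden/system files;
    #    every fixed drive is walked, not just the system drive.
    $wormNames = @('root.exe', 'admin.dll')
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        Get-ChildItem -Path $_.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $wormNames -contains $_.Name.ToLower() } |
            ForEach-Object { $findings.Add("Worm file: $($_.FullName)") }
    }

    return $findings
}

$results = Get-NimdaIndicators
if ($results.Count -eq 0) {
    Write-Output 'No indicators found (shares, Guest account, root.exe/admin.dll).'
} else {
    $results | ForEach-Object { Write-Output $_ }
}
```

A clean result from this script is not proof of a clean host: the article's point is that the worm also patches ordinary executables and document handlers, which only a file-integrity comparison against known-good media, or a rebuild, will catch. Treat the output as the list of things to close before the rebuild, not as a substitute for it.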