CERT, the US government-backed institute that monitors Net
security, is advising system administrators to take drastic
measures to avoid spreading the rampant Nimda worm.
"The only safe way to recover from the system compromise is to
format the system drive[s] and reinstall the system software from
trusted media [such as vendor-supplied CD-ROM]," according to the
latest CERT advisory posted on 20 September.
Sophos has created a utility called SWNIMDA for cleaning up the
damage to servers caused by the virus.
But according to Sophos, Windows NT administrators cannot run the
software to clean up infected servers without first buying software
called NTFSDOS Pro v3.03 from Winternals.
Richard Brain, technical director at anti-hacking specialist
ProCheckup, said: "The situation is really bad. I would say Sophos
and Cert do not yet understand how the worm really works. Rebooting
the server to DOS is fairly extreme."
This is a particularly complex worm, said Brain, who thought better
options would become available in coming days as more users and
experts examine the worm.
ProCheckUp has introduced a free tool - WormAlert - designed to
limit the impact of Nimda and future Internet worms. "Part of the
problem with Internet worms is that system administrators are often
unaware their servers are infected," said Brain.
WormAlert allows users to check which worms have been attacking
their servers. It does this by analysing their Web, FTP (file
transfer) and e-mail log files, checking for log information
associated with the Nimda attack. "The log will identify the server
that sent the attack and then forward an e-mail to the server's
system administrators to alert them that their server is sending
out the worm," said Brain.
The free tool can be downloaded from www.wormalert.org.
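As an added illustration of the log analysis Brain describes (this is not code from the article or from ProCheckUp's WormAlert): a scanner over constructed Common Log Format web-server lines that flags requests matching Nimda's known HTTP probes, groups them by source host, notes whether any probe actually succeeded on the local server, and drafts the notice to the source host's administrators. The probe signatures come from public descriptions of the worm rather than from this article; the hosts and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of web-server access-log lines in Common Log Format
# (not from the article); 198.51.100.7 and 203.0.113.9 play the infected hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:01:12 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [20/Sep/2001:10:02:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [20/Sep/2001:10:02:04 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [20/Sep/2001:10:02:05 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.9 - - [20/Sep/2001:10:05:41 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 120
"""

# Request-path indicators of Nimda's HTTP propagation: probes for the root.exe
# backdoor left behind by earlier worms and for cmd.exe reached via directory
# traversal. Taken from public descriptions of the worm, not from this article.
NIMDA_PATTERNS = [re.compile(r"/root\.exe", re.I), re.compile(r"/cmd\.exe", re.I)]
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+$')

def find_nimda_sources(log_text):
    # Group matching requests by source host: {host: {count, first, last, paths, succeeded}}.
    # "succeeded" means a probe got a 2xx, i.e. this server ran it: rebuild per CERT, do not just notify.
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "paths": [], "succeeded": False})
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip the line rather than abort the whole scan
        path = m.group("path")
        if not any(p.search(path) for p in NIMDA_PATTERNS):
            continue
        rec = hits[m.group("host")]
        rec["count"] += 1
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
        rec["paths"].append(path)
        rec["succeeded"] |= m.group("status").startswith("2")
    return dict(hits)

def alert_message(host, rec):
    # Draft the notice sent to the source host's administrators.
    return (f"Host {host} sent {rec['count']} Nimda-style request(s) between "
            f"{rec['first']} and {rec['last']}, e.g. {rec['paths'][0]}; it is likely infected.")

if __name__ == "__main__":
    for host, rec in find_nimda_sources(SAMPLE_LOG).items():
        print(alert_message(host, rec), "(local compromise likely)" if rec["succeeded"] else "")
```

A 404 on these probes means the local server refused them; a 2xx means it executed cmd.exe, which is the case where the CERT rebuild advice above applies to your own machine.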