"The only safe way to recover from the system compromise is to format the system drive[s] and reinstall the system software from trusted media [such as vendor-supplied CD-ROM]," according to the latest Cert advisory posted on 20 September.
Sophos has created a utility called SWNIMDA for cleaning up the damage to servers caused by the virus.
But according to Sophos, Windows NT administrators cannot run the software to clean up infected servers without first buying software called NTFSDOS Pro v3.03 from Winternals.
Richard Brain, technical director at anti-hacking specialist ProCheckup, said: "The situation is really bad. I would say Sophos and Cert do not yet understand how the worm really works. Rebooting the server to DOS is fairly extreme."
This is a particularly complex worm, said Brain, who thought better options would become available in coming days as more users and experts examine the worm.
ProCheckUp has introduced a free tool - WormAlert - designed to limit the impact of Nimda and future Internet worms. "Part of the problem with Internet worms is that system administrators are often unaware their servers are infected," said Brain.
WormAlert allows users to check which worms have been attacking their servers. It does this by analysing their Web, FTP (file transfer) and e-mail log files, checking for log information associated with the Nimda attack. "The log will identify the server that sent the attack and then forward an e-mail to the server's system administrators to alert them that their server is sending out the worm," said Brain.
The free tool can be downloaded from www.wormalert.org