CERT struggles to make sense of Nimda attack

CERT, the US government-backed institute that monitors Net security, is advising system administrators to take drastic measures to avoid spreading the rampant Nimda worm.

"The only safe way to recover from the system compromise is to format the system drive[s] and reinstall the system software from trusted media [such as vendor-supplied CD-ROM]," according to the latest CERT advisory posted on 20 September.

Sophos has created a utility called SWNIMDA for cleaning up the damage to servers caused by the virus.

But according to Sophos, Windows NT administrators cannot run the software to clean up infected servers without first buying software called NTFSDOS Pro v3.03 from Winternals.

Richard Brain, technical director at anti-hacking specialist ProCheckUp, said: "The situation is really bad. I would say Sophos and CERT do not yet understand how the worm really works. Rebooting the server to DOS is fairly extreme."

This is a particularly complex worm, said Brain, who thought better options would become available in coming days as more users and experts examine the worm.

ProCheckUp has introduced a free tool - WormAlert - designed to limit the impact of Nimda and future Internet worms. "Part of the problem with Internet worms is that system administrators are often unaware their servers are infected," said Brain.

WormAlert allows users to check which worms have been attacking their servers. It does this by analysing their Web, FTP (file transfer) and e-mail log files, checking for log information associated with the Nimda attack. "The log will identify the server that sent the attack and then forward an e-mail to the server's system administrators to alert them that their server is sending out the worm," said Brain.

The free tool can be downloaded from www.wormalert.org
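
The kind of web-log check described above, as an added example (not WormAlert's code, whose internals the article does not describe): it scans Common Log Format lines for requests to cmd.exe or root.exe, the publicly documented trait of Nimda's IIS probes, and groups them by sending host. The log format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD uri PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumed signature: Nimda's IIS probes request cmd.exe or root.exe,
# usually through an encoded directory-traversal path.
PROBE = re.compile(r'/(cmd|root)\.exe$', re.I)

def normalise(uri):
    """Drop the query string and undo nested percent-encoding (%255c -> %5c -> backslash)."""
    path = uri.split('?', 1)[0]
    for _ in range(3):                 # bounded number of decoding passes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def scan(lines):
    """Return {source_host: [(timestamp, uri, status), ...]} for probe-like requests."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                   # skip lines that are not valid log entries
        host, ts, _method, uri, status = m.groups()
        if PROBE.search(normalise(uri)):
            hits[host].append((ts, uri, int(status)))
    return dict(hits)

def answered_200(hits):
    """Sources whose probe was served with a 200: check the local server too."""
    return sorted(h for h, reqs in hits.items() if any(s == 200 for _, _, s in reqs))

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [20/Sep/2001:10:01:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [20/Sep/2001:10:01:03 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [20/Sep/2001:10:05:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [20/Sep/2001:10:06:11 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 512',
    'truncated or corrupt entry',
]

if __name__ == "__main__":
    for host, reqs in scan(SAMPLE).items():
        print(f"{host}: {len(reqs)} probe(s), first seen {reqs[0][0]}")
```

Each reported host is a machine that sent the probes and is therefore likely infected itself, which is the list of administrators a tool of this kind would notify.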
