Nimda worm is tough to beat

Cleaning out systems infected by the Nimda worm could prove a much harder task for users than getting rid of an ordinary virus.

Users and analysts claim that many of the standard anti-virus tools and patches currently available are not enough to correct the multiple problems Nimda causes on infected systems.

Users affected by the quick-spreading worm need to reset and restore changes it makes to numerous critical files and registry keys because those changes are not fully addressed by current anti-virus software. They need to make sure that a key change leaving a system open to future attacks is closed, said Russ Cooper, an analyst at security firm TruSecure.

Until more sophisticated fixes become available, the safest recourse in some cases is to disconnect infected systems from the network, reformat that system's hard drive, reinstall software from a clean source, and apply appropriate security patches, according to recommendations by both the US government-funded CERT Coordination Centre and by the SANS Institute.

"Nothing is cleaning this virus. The tools out today simply delete or quarantine the infected files," said one frustrated IT professional.

"We have had 50,000 to 100,000 infected files in my data centre alone, and we were patched all the way up" after the Code Red attack, he said. "We are smart people. This one just won't be stopped."

The Nimda worm - reports of which first surfaced on 18 September - is a mass-mailing piece of malicious code that infects systems running Microsoft Windows 95, 98, ME, NT and 2000.

Unlike other worms and viruses, Nimda is capable of spreading via network-based e-mail as well as by Web browsers. It has also been programmed to look for and exploit vulnerabilities left behind by older viruses such as Code Red and Sadmind.

Nimda's main objective is to propagate itself by any means. This could include modifying Web content on infected Microsoft Web servers, according to Allen Householder, a CERT member.

In the process, the worm does a number of insidious things, such as modifying critical system files and registry keys, making every directory available as a file share and creating a guest account with administrator privileges, Cooper said.

"The worm infects numerous binaries on a victim system, so that any time one of the infected executables is run, the worm is launched," according to a SANS advisory statement.

"The worm positions itself in such a way that when document files are opened in [text] editors, the worm code is executed. These characteristics make it incredibly difficult to clean the worm from an infected system," said the advisory.

As a result, "running [anti-virus software] alone will not fix the problem," said Edward York, chief technical officer at 724, a US-based application-hosting service.

"The server must be secured all over again. All open shares closed, the Hot Fixes reapplied, the guest account disabled again and all traces of any file called root.exe or admin.dll deleted from the system," he said. Administrators also need to ensure that any registry items added by Nimda have been removed, he added.
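As an added illustration, not code from the article or from any vendor's cleanup tool: a PowerShell triage script that reports the three concrete conditions York lists (open shares, the Guest account, and files named root.exe or admin.dll). The function name and the assumption of a modern Windows host with the SmbShare and LocalAccounts modules are mine; the article names no specific registry keys, so registry changes are not checked.

```powershell
# Added triage script (not from the article): report the post-Nimda conditions
# the article says must be reset. Assumes a modern Windows host with the
# SmbShare and LocalAccounts modules; run from an elevated PowerShell session.
# The article names no specific registry keys, so registry changes are not checked.

function Get-NimdaCleanupFindings {
    param([string[]]$Roots = @('C:\'))
    $findings = @()

    # 1. Open file shares: the worm exposed every directory as a share.
    #    Anything beyond the built-in administrative shares (C$, ADMIN$, IPC$) needs review.
    $builtin = 'ADMIN$', 'IPC$', 'PRINT$'
    Get-SmbShare |
        Where-Object { $_.Name -notin $builtin -and $_.Name -notmatch '^[A-Z]\$$' } |
        ForEach-Object { $findings += "Share to review: $($_.Name) -> $($_.Path)" }

    # 2. Guest account: should be disabled and must not sit in Administrators.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
        $findings += 'Guest is a member of Administrators'
    }

    # 3. Dropped files named root.exe or admin.dll anywhere on the listed volumes.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -Include 'root.exe', 'admin.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }
    }
    return $findings
}

$results = Get-NimdaCleanupFindings
if ($results) { $results | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No share, Guest-account or root.exe/admin.dll findings' }
```

A clean result from this script does not replace the rebuild CERT and SANS recommend; it only confirms that the specific items the article lists have been addressed.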
