
How powerful is the new Nimda virus

01:00 Mon 22nd Oct 2001 |

Asks JacksonC

A. All the furore surrounding the Code Red worm was arguably misdirected: Nimda is potentially a lot more dangerous, because it infects both Windows PCs and IIS web servers, and it spreads through open network shares to every computer it can reach on a network.

Q. What type of virus is it

A. It is a worm rather than a classic file-infecting virus, and a very capable one: it modifies web documents (e.g. .htm, .html and .asp files) and some executable files on the systems it infects, and it copies itself many times over under various file names.

Q. What systems can be affected

A. Workstations running Microsoft Windows 95, Windows 98, Windows ME, Windows NT or Windows 2000, and servers running Windows NT or Windows 2000 (including those running the IIS web server).

Q. Is it known under any other names

A. It is also identified as the W32/Nimda worm, or as Concept Virus (CV) v.5, the name that appears in a copyright string inside the worm's own code.

Q. How is it passed on

A. It is passed on through email, through open network shares, and through web servers: it attacks vulnerable IIS servers directly, and the web pages it modifies on those servers pass it on to visiting browsers.

Q. How would I know if I have been infected by the Nimda worm

A. It usually arrives as an email made up of two parts. CERT/CC (the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in the US, which tracks outbreaks like this and publishes advice on dealing with them) describes the first part as an empty MIME "text/html" section, so to you and me the message simply appears in the inbox with no text or content at all.

The second part of the same message is declared as MIME type "audio/x-wav", but what it actually carries is a base64-encoded Windows executable named readme.exe; the subject line of the email varies and is no help in recognising it. You can identify the worm by the size of the attachment, which is always 57344 bytes once decoded.

If you are running Microsoft Internet Explorer 5.5 or earlier without the MS01-020 fix (IE 5.01 Service Pack 2 and IE 5.5 Service Pack 2 include it), HTML mail rendered by IE will run the enclosed attachment automatically as soon as the message is viewed or previewed, because the mismatched "audio/x-wav" type bypasses the usual attachment warning. On a patched or later version (IE 6) the worm is only triggered if you open the attachment yourself.
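The mail layout described above is easy to check for mechanically. The following script is an added example and is not part of the original article or of any vendor's tool: it parses a raw message and reports which of the listed traits it shows (an empty text/html part, a readme.exe attachment declared as audio/x-wav, base64 encoding, a decoded size of 57344 bytes) plus one extra check of my own, whether the decoded bytes start with the "MZ" executable header that a genuine .wav file would never have. The sample message is constructed inside the script with filler bytes, and the multipart/alternative outer container is an assumption; the two inner parts follow the article.

```python
"""Flag e-mail messages that match the Nimda mailer's MIME layout.

Added example, not from the original article. Traits checked follow the
article; the "MZ" magic check is an addition. The sample message is
constructed here, and its payload is filler, not the worm.
"""
import base64
import email
from email import policy

NIMDA_ATTACHMENT_SIZE = 57344        # decoded size of readme.exe (from the article)
NIMDA_ATTACHMENT_NAME = "readme.exe"
MZ_MAGIC = b"MZ"                     # DOS/PE executable header, never present in a .wav


def build_sample(payload: bytes, filename: str = NIMDA_ATTACHMENT_NAME,
                 declared_type: str = "audio/x-wav") -> bytes:
    """Construct a two-part message in the layout the article describes.

    The multipart/alternative container is an assumption for this example.
    """
    b64 = base64.encodebytes(payload).decode("ascii").replace("\n", "\r\n")
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: (varies)\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="BOUNDARY"\r\n'
        "\r\n"
        "--BOUNDARY\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "\r\n"                                    # first part: nothing to display
        "--BOUNDARY\r\n"
        f'Content-Type: {declared_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{b64}"
        "--BOUNDARY--\r\n"
    ).encode("ascii")


def nimda_traits(raw: bytes) -> dict:
    """Return which of the Nimda mailer traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    traits = {
        "empty_html_part": False,     # a text/html part with no content at all
        "readme_exe_as_wav": False,   # attachment named readme.exe declared audio/x-wav
        "base64_attachment": False,   # that attachment is base64-encoded
        "size_57344": False,          # decoded attachment is exactly 57344 bytes
        "executable_magic": False,    # decoded bytes begin with the MZ header
    }
    if not msg.is_multipart():
        return traits
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/html" and not part.get_content().strip():
            traits["empty_html_part"] = True
            continue
        name = (part.get_filename() or "").lower()
        if name != NIMDA_ATTACHMENT_NAME:
            continue
        traits["readme_exe_as_wav"] = ctype == "audio/x-wav"
        cte = part.get("Content-Transfer-Encoding", "")
        traits["base64_attachment"] = cte.lower() == "base64"
        data = part.get_payload(decode=True) or b""
        traits["size_57344"] = len(data) == NIMDA_ATTACHMENT_SIZE
        traits["executable_magic"] = data.startswith(MZ_MAGIC)
    return traits


def is_nimda_mailer(raw: bytes) -> bool:
    """True when the message shows every trait the article lists."""
    t = nimda_traits(raw)
    return (t["empty_html_part"] and t["readme_exe_as_wav"]
            and t["base64_attachment"] and t["size_57344"])


if __name__ == "__main__":
    sample = build_sample(MZ_MAGIC + b"\0" * (NIMDA_ATTACHMENT_SIZE - 2))
    print(nimda_traits(sample))
    print("matches Nimda mailer layout:", is_nimda_mailer(sample))
```

The useful generalisation for a mail gateway is the last two checks: a declared audio or image type whose decoded bytes start with "MZ" is suspicious whatever the worm is called, because the MIME type is only there to talk the mail client out of warning the user.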

Nimda also contains code that attempts to resend the infected email every 10 days, so an infected PC keeps mailing out copies long after the first outbreak.

Once your PC is infected it will attempt to infect any vulnerable IIS server it can reach, and the web pages modified on an infected server pass the worm on to any browser that visits them, i.e. simply using the Internet from an infected machine, or visiting an infected site, can spread it. As the worm copies itself it appears in every writeable directory on your computer as files with .eml and .nws extensions.

Networks are vulnerable by their very nature, because they share files. The worm shares the root of your C drive on the network (as C$), creates a "Guest" account on Windows NT and 2000 systems and then adds that account to the Administrators group, which gives anyone who can reach the machine administrator-level access.
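The file-level traces above (dropped .eml and .nws copies, modified web documents, a 57344-byte readme.exe) can be swept for with a short scanner. The following is an added example written for this article, not a vendor tool: it walks a directory tree and reports each indicator it finds. One detail is assumed rather than taken from the article: that a modified web page can be recognised by a reference to readme.eml, which is how the worm's appended script pulls in the dropped copy (documented in the CERT advisory); the sample tree, including the simplified stand-in script in index.html, is constructed in a temporary directory with filler bytes.

```python
"""Scan a directory tree for the on-disk traces of a Nimda infection.

Added example, not from the original article. Indicators:
  * copies of the worm dropped as .eml / .nws files
  * web documents (.htm, .html, .asp) that reference readme.eml
    (assumed indicator, from the CERT advisory rather than this article)
  * .exe files of exactly 57344 bytes, the readme.exe size the article gives
The sample tree is constructed in a temporary directory with filler bytes.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

NIMDA_SIZE = 57344                    # readme.exe size from the article
WEB_EXTS = {".htm", ".html", ".asp"}  # document types the worm modifies
DROP_EXTS = {".eml", ".nws"}          # extensions of the dropped copies
INJECTED_REF = "readme.eml"           # assumed marker of a modified page


def scan_tree(root) -> list[tuple[str, str]]:
    """Walk root and return sorted (indicator, relative_path) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in DROP_EXTS:
            findings.append(("dropped_copy", rel))
        elif ext in WEB_EXTS:
            try:
                text = path.read_text(encoding="latin-1")   # never fails on odd bytes
            except OSError:
                continue
            if INJECTED_REF in text.lower():
                findings.append(("modified_web_page", rel))
        elif ext == ".exe" and path.stat().st_size == NIMDA_SIZE:
            findings.append(("exe_57344_bytes", rel))
    return sorted(findings)


def build_sample_tree(root) -> None:
    """Populate root with a constructed mix of clean and suspicious files."""
    root = Path(root)
    www = root / "wwwroot"
    www.mkdir(parents=True)
    # A page with a simplified stand-in for the worm's appended script
    # (constructed; not the worm's actual code).
    (www / "index.html").write_text(
        "<html><body>Hello</body></html>\n"
        '<html><script>window.open("readme.eml")</script></html>\n')
    (www / "about.htm").write_text("<html><body>Clean page</body></html>\n")
    (www / "readme.eml").write_bytes(b"From: x\r\n\r\n(filler)\r\n")
    docs = root / "docs"
    docs.mkdir()
    (docs / "note.nws").write_bytes(b"(filler)")
    (docs / "readme.exe").write_bytes(b"MZ" + b"\0" * (NIMDA_SIZE - 2))
    (docs / "tool.exe").write_bytes(b"MZ" + b"\0" * 1000)   # clean: wrong size


def demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for indicator, rel in demo():
        print(f"{indicator:18} {rel}")
```

Run it against a real web root or user profile by calling scan_tree() on that path; the size check alone will miss a repacked copy, which is why it is paired with the dropped-file and modified-page checks rather than used on its own.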

Q. How would I protect myself against the Nimda virus

A. First of all, upgrade your version of Microsoft Internet Explorer: versions before 5.0 are no longer maintained by Microsoft, so you should run 5.0 or later. Then install Microsoft's MS01-020 patch, available from http://www.microsoft.com/technet/security/bulletin/MS01-020.asp, which fixes the MIME handling flaw that lets the attachment run by itself (IE 5.01 Service Pack 2, IE 5.5 Service Pack 2 and IE 6 already include the fix). Reboot once the patch is installed; on some systems installation can take up to half an hour. Note that this patch closes only the email and web-browsing route: an IIS web server also needs the separate IIS patches referenced in the CERT advisory (such as MS00-078 for the folder traversal flaw), or the worm can still break into it directly.

Then make sure you have an up-to-date anti-virus product running with current signatures. A full article on new anti-virus software is available on Answerbank at Article.go id=966&category_id=null.

To be safe, do not open any email attachment named readme.exe. Also disable scripting (JavaScript, which IE calls Active Scripting) in Internet Explorer. This will break a variety of websites, but it also stops the worm infecting you when you browse a compromised web server, a route that a firewall will not block because it looks like ordinary web traffic. To do this, go to the Tools menu, select Internet Options, then the Security tab. For the Internet zone, set the security level to High and apply the change. You can re-enable scripting once you have installed Microsoft's patch.

Other measures include changing your Outlook and Outlook Express settings so that a message cannot run its attachment just by being displayed.

(i) Disable auto-preview in Outlook and Outlook Express. Under the View toolbar menu, verify that both Preview Pane and Auto-Preview are de-selected.

(ii) Verify that Attachment Security is set to high. Under Tools, select Options, and then the Security tab. In the section labelled Secure Content, select Attachment Security, and verify that High Security is selected. This forces Outlook to ask you before opening any attachment.

Q. Can you get any software that has been especially developed to combat the Nimda virus as extra protection

A. Yes. Most anti-virus vendors publish a description of the worm together with a removal tool, including the following:

Symantec: http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

McAfee: http://vil.mcafee.com/dispVirus.asp virus_k=99209&

Command Software: http://www.commandsoftware.com/virus/nimda.html

Panda Software: http://service.pandasoftware.es/library/card.jsp Virus=Nimda

Computer Associates: http://www.ca.com/virusinfo/encyclopedia/descriptions/n/nimda.htm

Q. Where does the word Nimda come from

A. Nobody is sure what it actually means. Nimda is, however, "admin" spelled backwards, admin being the usual shorthand for a system administrator. It has also been reported that the earliest emails carrying the worm originated from Korea and China, but these reports have not been substantiated. Nimda is also the name of an Israeli defence contractor.


by Karen Anderson
