Sidebar: Nimda Is Serious and Worth Taking Seriously
Please don't get the wrong idea about my main story -- I wasn't trying to downplay Nimda's seriousness, or the gravity of its impact on the Internet as a whole or on those individuals and organizations who must clean up after an infection. That's why I include this sidebar that explains how to recognize a Nimda infection, and what to do about it, along with pointers to other excellent resources on the topic.
Two types of hosts are likely to become infected with the Nimda virus:
- Machines running Microsoft Internet Information Server (IIS) 4.0 or 5.0, which haven't been kept patched or kept entirely up-to-date with Microsoft's Critical Security updates.
- Machines running Outlook (either the full-blown version or the Express version) and Internet Explorer 5.0 or 5.5 that haven't yet been patched with Service Pack 2 for either version of IE (as it turns out, it's Internet Explorer that enables this vulnerability, even if Outlook provides the initial point of entry).
Infected IIS Web servers and end-user machines alike will show marked performance impairment, because they're busy doing Nimda's bidding rather than their normal work. Web servers will probe the Internet looking for other vulnerable machines and transfer the payload to any they find; end-user machines will mail the payload, in a file named "readme.exe", to every address in the Outlook address book.
Scanning files for the string "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China", or looking for files named readme.exe or readme.eml, or for any file with the .eml extension, should make it easy to determine whether an infection has occurred. Alternatively, if you have access to an updated version of Norton AntiVirus, McAfee Anti-Virus, or some other quality antivirus product, it should be able to scan your systems and possibly even disinfect them. As I write this, disinfection is proving the more problematic part; by the time you read this, there's every chance those problems will have been solved.
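As an added illustration of the two checks just described (not code from the original article), here is a small scanner that walks a directory tree and flags files by the suspect names and extension, and by the embedded signature string. The directory layout and file contents it builds are constructed sample data, not real infected files.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the sidebar: the string Nimda embeds in infected
# files, and the file names / extension it uses. Sample data is constructed.
NIMDA_SIGNATURE = b"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
SUSPECT_NAMES = {"readme.exe", "readme.eml"}
SUSPECT_EXTENSIONS = {".eml"}


def scan_tree(root, chunk_size=1 << 20):
    """Walk `root`; return a sorted list of (path, reason) findings.

    Flags files by name/extension and by the signature string; a tail of
    len(signature)-1 bytes is carried between chunks so a signature that
    straddles a chunk boundary is still found.
    """
    findings = []
    overlap = len(NIMDA_SIGNATURE) - 1
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in SUSPECT_NAMES:
                findings.append((str(path), "suspect file name"))
            elif path.suffix.lower() in SUSPECT_EXTENSIONS:
                findings.append((str(path), "suspect extension"))
            try:
                with open(path, "rb") as fh:
                    tail = b""
                    while chunk := fh.read(chunk_size):
                        window = tail + chunk
                        if NIMDA_SIGNATURE in window:
                            findings.append((str(path), "signature string"))
                            break
                        tail = window[-overlap:]
            except OSError:
                findings.append((str(path), "unreadable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (no real malware); returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="nimda-scan-"))
    (root / "inetpub").mkdir()
    (root / "inetpub" / "default.htm").write_bytes(b"<html>hello</html>")
    (root / "inetpub" / "readme.eml").write_bytes(b"MIME-Version: 1.0\r\n")
    (root / "inetpub" / "app.exe").write_bytes(b"MZ" + NIMDA_SIGNATURE)
    (root / "notes.txt").write_bytes(b"nothing to see here")
    return root
```

Run `scan_tree(build_sample_tree())` to see the two constructed hits; point `scan_tree` at a real web root or mail directory to apply the same checks there.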
Dealing with Infection
Until an infected machine is disinfected and cleaned up, it remains a possible source of infection for other machines (and a source of bogus, unwanted traffic on the Internet, whether it's a scanning IIS server or an end-user machine sending infected email messages). That's why such machines should be disconnected from their local network, and from the Internet as well if they have a separate means of connection to it. Once you've cleaned up the mess, you can reconnect them.
The SANS advisory on Nimda at http://www.incidents.org/react/nimda.pdf includes some of the best coverage of this virus I've seen anywhere. Like the Russ Cooper item mentioned previously, it explains exactly how Nimda works and how to recover from its influence on infected machines.
Right now, cleaning up infected servers is a grim task: Most experts recommend scrubbing the drives and restoring from an uninfected backup. Inevitably, this means a significant loss of time for cleanup, and a possible loss of data as well. Cleaning up infected end-user machines may be less dire, depending on what kinds of cleanup tools the antivirus vendors can come up with. At the moment, the only known good prescription for end-user machines is identical to that for servers. Ouch!