First appearing on September 18, 2001, Nimda is a computer virus that caused traffic slowdowns as it rippled across the Internet, spreading through four different methods and infecting both computers running Microsoft's Web server, Internet Information Server (IIS), and computers whose users opened an e-mail attachment. Like a number of predecessor viruses, Nimda's payload appears to be the traffic slowdown itself; that is, it does not appear to destroy files or cause harm other than the considerable time that may be lost to the slowing or loss of traffic known as denial-of-service and to the restoring of infected systems. With its multi-pronged attack, Nimda appears to be the most troublesome virus of its type that has yet appeared. Its name ("admin" spelled backwards) apparently refers to an "admin.dll" file that, when run, continues to propagate the virus.
To briefly summarize what Nimda does:
- Nimda can also infect users within the Web server's own internal network who have been given a network share (a portion of file space).
To summarize preventive action:
- Server administrators should get and apply the cumulative IIS patch that Microsoft has provided for previous viruses and ensure that no one at the server opens e-mail.
- PC users should never open a "readme.exe" attachment sent by e-mail. They should also update their Internet Explorer version to IE 5.5 SP2 or IE 6.0.
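The advice above that users should never open a "readme.exe" attachment is easier to enforce at a mail gateway than to rely on each recipient remembering it. The following is an added example, not code from the original article or from any anti-virus vendor: a small attachment screen built on Python's standard `email` library that flags message parts carrying an executable file name (by last extension, case-insensitively, so "README.TXT.EXE" is caught) or an executable MIME type even when the file name looks harmless. The sample messages it builds are constructed test data; the extension and MIME lists are the author's choices, not a published Nimda signature.

```python
"""Added example: gateway-style screening of e-mail attachments.

Flags parts whose file name ends in an extension Windows executes
directly (readme.exe, admin.dll, ...) or whose declared MIME type is
an executable type.  Sample messages are constructed here for the
demonstration; nothing below is a captured Nimda message.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly when double-clicked (assumption:
# a reasonable default deny-list, extend to taste).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
}

# MIME types that declare an executable payload regardless of file name.
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
}


def is_executable_attachment(part) -> bool:
    """True if this leaf part looks like an executable file."""
    name = (part.get_filename() or "").strip().lower()
    # Only the LAST extension matters to Windows, so "readme.txt.exe"
    # is an .exe and "readme.exe.txt" is a text file.
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_MIME_TYPES


def risky_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return the names of parts that
    should be blocked or quarantined before the message is delivered."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # Screen anything that carries a file name, whether the sender
        # marked it "attachment" or "inline": inline parts still end up
        # as files on the recipient's machine.
        if part.is_attachment() or part.get_filename():
            if is_executable_attachment(part):
                flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def build_sample_message(filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a test message with a single attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # Placeholder bytes; "MZ" is only the DOS header magic, not a program.
    stub = b"MZ\x90\x00 constructed placeholder, not a real executable"
    samples = {
        "plain exe":        build_sample_message("readme.exe", stub, "application", "octet-stream"),
        "double extension": build_sample_message("README.TXT.EXE", stub, "application", "octet-stream"),
        "exe MIME type":    build_sample_message("report.pdf", stub, "application", "x-msdownload"),
        "harmless text":    build_sample_message("notes.txt", b"hello", "text", "plain"),
    }
    for label, raw in samples.items():
        print(f"{label:18} -> blocked: {risky_attachments(raw)}")
```

In a real gateway the flagged names would drive a quarantine or strip-and-notify action rather than a print; the point of the screen is that the decision is taken before the user ever sees the "readme.exe" the article warns about.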
To summarize corrective action (if your server is infected):
- Here we quote TruSecure's Surgeon General Russ Cooper: "If you need to keep it up and running, disconnect it from infection vectors, restore it from tape or reformat and install fresh, then patch it. Restore the data (even if it's infected), run the currently available cleanser, and scan it again with your anti-virus software product. If it passes, reconnect it to the Net and carry on."
- Ideally, Cooper believes, the server should remain down until a comprehensive cleanser arrives within a few days from one of the anti-virus software vendors, such as McAfee or Symantec. He recommends using more than one cleanser to be on the safe side.
To summarize corrective action (for end users):
- Scan and cleanse your system with anti-virus software.
- Download the Internet Explorer upgrade.
For details on how the virus behaves and more information about corrective and preventive actions, consult any of the major anti-virus software vendor sites.