News Stay informed about the latest enterprise technology news and product updates.

Nimda: Setting a sinister standard?

The nightmarish Nimda and the worms that are sure to follow in its squirmsteps will look for new ways to catch you with your pants down. SearchWin2000 is trying to fit you with a good "belt" to keep your trousers up.

Last week's Nimda worm, which burrowed its way into thousands of computers, foreshadows future computer attacks, experts say. But fortunately there are a lot of common-sense approaches to preventing infection.

Nimda, which is "admin" backwards, is a hybrid worm able to infect both servers and desktop computers. The worm can infect Windows 2000 servers plus PCs running various versions of Windows. Nimda spreads in several ways, including via an e-mail attachment and scanning for vulnerable Web servers running Microsoft's IIS. The worm can also copy itself to shared drives on intranets and even add itself to a Web page. Just looking at the page is enough to get infected.

Winternals' Nimda fighter
Winternals Software is just one dealer that offers a counter nemesis to knock Nimda from Windows 2000/NT systems. The Austin, Texas-based company's NTFSDOS Professional product works with virus scanners to clean systems and repair the damage caused by Nimda and other viruses.

NTFSDOS Professional boots the infected system in an MS-DOS environment where the virus cannot operate. The tool provides full read/write access to NTFS drives, allowing virus scanners to clean the computer and enable users to rename, remove, or replace infected files using a command-line interface.

Other Winternals tools, Remote Recover and NTRecover, can replace deleted files, making the system operational once more. This method eliminates the need to reload the operating system and other applications.

Winternals' tools work on other malicious code such as Code Red, Sircam, and Magistr viruses.

Last week, Windows administrators had their hands full as they needed to essentially should down desktops and servers to install the necessary patches. Nimda, also known as readme.exe and W32.Nimda, causes systems to slow down but doesn't destroy data. It is also fairly visible to users.

Yet future worms may have more sinister consequences, according to Joel Scambray, author of the book "Hacking Windows 2000 Exposed" and managing principal with Foundstone Inc., a security consulting organization.

"You are going to see more hybrid worms attacking both Windows and Unix Web servers," Scambray said.

Preventing infections from worms such as Nimda requires a mixture of technology and policy. Keeping anti-virus software up to date is a given. Keeping tabs on patches from Microsoft is another vital step. System vulnerabilities can be plugged before infection if the staff is well informed. For example, Nimda exploits long-known vulnerabilities in IIS.

E-mail leaves companies open to infection, as end-users tend not to be tech savvy. "I see e-mail attachments as the future of hacking. Companies can't really block e-mail," Scambray said.

However, companies can ensure employees don't open attachments unless the file and sender are recognizable. There are also ways to configure e-mail programs to screen some kinds of attachments.

Resisting infection from surfing the Web is not as straightforward, said Frank Prince, an analyst with Forrester Research of Cambridge, Mass. The kind of content on a site doesn't translate into how secure it is. For example, a site that sells home goods may be a big security risk while a gambling site may be very secure, he said.

"There is no way of telling if a site is the equivalent of walking down a dark alley," Prince said.

Keeping Web browsers up to date prevents infection from the worm, Prince said. Nimda appears to be a sound file to browsers. Newer browsers would recognize the file is not a sound file and not open it. Older browsers may open the file and allow the worm to infect the system.

Another useful step is to monitor normal CPU usage. Such data serve as a baseline so administrators can tell if CPU is spiking while nothing is running. A good sign of Nimda infection is increased CPU usage while nothing is running, said Mark Edmead, an independent Internet security consultant.


SearchWin2000's collection of Nimda-related stories

SearchSecurity's collection of Nimda-related stories.

SearchWindowsManageability's Windows security forum.

Got a security question? Try to stump our expert (good luck!) in searchWin2000's Ask the Expert section.

Dig Deeper on Windows client management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.