Cleaning up Nimda a headache for tech staff

Clearing out the Nimda virus from most LANs will be 'a bit of a pig' according to a local virus expert, who compares it to the FunLove virus which caused headaches for tech staff because of the way it reinfected networks.


"It's not nasty in the way the CIH virus was - it flashed the BIOS - but yes, it will be a pig of a thing to clean up," says Nick FitzGerald, director of Christchurch-based Computer Virus Consulting. CIH attacked in 1998 while FunLove was first reported in 2000.

One of the biggest problems with the Nimda worm is the number of ways it can infect a system. FitzGerald says this will lead to networks continually being reinfected if administrators aren't careful.

"It's almost to the point of having to take each PC off the network and make complete sure it's clean before adding it back to the system."

The worm can infiltrate a system in one of four methods.

"It arrives in a mass mail-out with an executable attachment like Melissa. It looks for the Code Red 3.0 infection and exploits the backdoor left from that. It scans a network looking for IIS and then tries I believe 16 vulnerabilities or exploits and if it's got onto a server that's hosting a website it will add a couple of lines of JavaScript that causes Internet Explorer to request the virus, passing it on to the browser's machine."

This last exploit can be avoided if users have upgraded IE beyond version 5.1 service pack 2.

"That should mean they'll avoid that exploit entirely."

The attempt to exploit the backdoor left by the Code Red virus is similar to a short-lived worm called Code Blue, says FitzGerald.

"Code Blue was badly flawed - the idea was sound but the execution of it was buggy so it barely worked."

FitzGerald says the Nimda worm is also causing chaos and traffic congestion simply because of the scale of its attack. Similar to Code Red in this respect, Nimda tests each server to see if it's capable of being exploited - FitzGerald says he is seeing rates of 200KB of data a second being sent from one source and that's at the low end.

Peter Mott, head of web hosting company 2Day, says it's causing traffic in general to slow down.

"It's certainly causing traffic issues and we're being attacked quite hard. All our servers are IIS but we're completely patched and there have been no breaches, other than the performance issue." Mott describes the virus as having a "nasty little arsenal".
