The Nimda Virus

The 'Nimda' virus/worm.

This is probably the most infectious virus/worm that I've seen yet.

I saw my first nimda infection today, and I expect I'll see a lot more over the next few weeks.

This one is nasty because it is the first Internet Worm to cause infection by first infecting a web server and then sending out the virus to people viewing the web pages from the infected server. Not only that but it exploits a number of other software bugs to infect through e-mail as well.

It can arrive in your e-mail as a message with no subject line and an attachment called readme.exe.

Note: Load the current security patches before opening previewing or deleting any suspect messages (see below) Nimda doesn't seem to do much other than send out infected e-mail right now, like most of the recent e-mail worms, but you should protect yourself now, the next version could cause real damage.

How do tell if you are vulnerable or infected?

Because this virus is being distributed by infected web servers, almost everyone who browses the web will be exposed to this worm sooner or later.

If you have applied all the patches from the Windows Update Site you are probably safe.
If you are running Internet Explorer 6, Windows XP or Netscape you are probably safe.
Your Internet Explorer Security settings are set to 'High' you are probably safe.

If the above does not apply to you and you've been browsing the Web you may be infected.

If you have anti-virus software, update your data files and scan your system.
If you don't have anti-virus software, open your C: through the My Computer Icon and press F3 (Search). Do a search for a file named load.exe, if you find it, you are probably infected.

How do you protect yourself from nimda?

Apply all the security patches available from the Windows Update Site and/or
Install Internet Explorer 6

What to do if you are Infected?

If you are infected, you will need an up to date Anti-Virus program to remove it, and you will probably have to run the scan using the emergency boot disks created by most anti-virus software during installation.

Note: If you are running Windows ME you will need to disable the System Restore function before cleaning the system. Follow these steps to disable the system restore function.

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.

Even after you clean the infected files off of your system, there is still more that has to be done to clean up the damage caused by the infection.

The file riched20.dll has to be reloaded from the Windows install CD by using the SFC utility on Windows 98/ME. Click Run on the start menu and type SFC.
(On Windows 2000 type the SFC utility is a command line utility and much harder to use.)
Edit the file C:\windows\system.ini with Notepad, find the line that reads:
Shell=explorer.exe load.exe -dontrunold edit it to read Shell=explorer.exe
Save the file.

There is more detailed information in the McAfee Virus Information Library; type nimda in the 'limit search to' box and click the 'go' button.

The McAfee site also has a special tool for cleaning up nimda at the AVERT Tools Page I haven't tried it yet, but it it may be easier than any other method of cleaning up after nimda. Read the 'Text Instructions' carefully before trying this utility.

If you are not comfortable cleaning nimda off of your system, or installing the security patches yourself, contact a qualified computer service provider.

I can be contacted for help on southern Vancouver Island.

Back to the article Index ● Back to the Great White North Home Page

Rick Macmurchie
Phone: (250) 658-6319
E-Mail: rmac@novatone.net

Hit Counter