
How do I protect myself from the 'Nimda' worm?

Posted By : of Data Doctors on September 24, 2001


If the Nimda virus does not have any particular signature, how do I protect myself from it?

-David

This question was answered on September 24, 2001. Much of the information contained herein may have changed since posting.


The 'Nimda' worm (many speculate that it is Admin backwards) that was discovered on September 18th is by far one of the most cunning and comprehensive worms that we have ever seen.

It incorporates multiple methods to infect and propagate, which helped it spread quickly and cause slowdowns throughout many networks.

Nimda uses three different methods of propagation: via a download from an infected web server, through port scanning and via an e-mail message.

The e-mail message delivery method is of particular concern because this is one of the few e-mail worms that don't require you to open a file attachment in order to infect your system. It uses a combination of known tools and vulnerabilities to automatically run as soon as you access an infected message.

To make things worse, it has no easily identifiable signature, such as a subject line or body text, that can help users spot these rogue messages.

The main vulnerability is the result of a 'hole' in Internet Explorer versions 5.01 and 5.5. Version 6 of Internet Explorer does not have the vulnerability.

In order to get yourself out of the path of this current worm, you need to make sure Internet Explorer has been patched with Service Pack 2, which is available as a free download from Microsoft's web site. (A link directory is available at http://www.datadr.com/nimda.)

Service Pack 2 will close the hole that is being used by the worm and will keep it from automatically launching and spreading.

In addition, it is critical that you update your anti-virus program with the latest definition files so that detection and removal of the worm can be added to your system.

Another way of contracting the worm is by visiting a web site that is hosted on an infected Microsoft IIS web server. When you go to an infected web site, it will immediately prompt you to download and open a 'readme.exe' file through a pop-up dialog box. If you encounter such a site, be sure to click on the 'Cancel' button to avoid downloading the worm. A screen shot and a link to the proper IIS patch are both available at http://www.datadr.com/nimda.

Any infected computer will automatically begin to scan for other machines that it can infect through what is called 'port scanning'. This is why many large corporate networks were brought to their knees during the initial outbreak.

Another security concern for corporate and end users is that any infected machine will open a 'share' on all drives which can make them accessible via the Internet or other machines on the network.
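A check for the whole-drive shares described above, as an added example that is not part of the original column: it parses the output of the Windows `net share` command and lists shares that expose an entire drive. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `net share` output (not captured from a real host).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C            C:\
D            D:\
Docs         C:\Users\Public\Documents       Team documents
The command completed successfully.
"""

DRIVE_ROOT = re.compile(r"[A-Za-z]:\\")    # a path starting with "X:\"
BUILTIN_ADMIN = re.compile(r"[A-Za-z]\$")  # C$, D$: hidden admin shares that
                                           # NT-family Windows creates itself


def parse_net_share(text):
    """Return (share_name, resource) pairs from `net share` output."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):         # separator marks start of the table
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        cols = re.split(r"\s{2,}", line.strip())
        # IPC$ has no resource column, so only accept something path-like.
        resource = cols[1] if len(cols) > 1 and DRIVE_ROOT.match(cols[1]) else ""
        shares.append((cols[0], resource))
    return shares


def whole_drive_shares(text):
    """Shares exposing an entire drive, excluding built-in X$ admin shares."""
    return [
        (name, res)
        for name, res in parse_net_share(text)
        if DRIVE_ROOT.fullmatch(res) and not BUILTIN_ADMIN.fullmatch(name)
    ]


if __name__ == "__main__":
    for name, res in whole_drive_shares(SAMPLE_NET_SHARE):
        print(f"review share {name!r}: exposes all of {res}")
```

Any share it reports that you did not create yourself should be removed once the machine is off the network.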

If you think that you may have contracted the worm, you should unplug your modem, broadband Internet or network connection so that it cannot continue to spread. Then download the current patches and anti-virus updates from another uninfected computer and install them.
