Cleaning out systems infected by the Nimda worm could prove to be a much harder and more time-consuming task for users than getting rid of other pieces of malicious software.
Many of the standard antivirus software and patches currently available aren't enough to correct the multiple problems Nimda causes to infected systems as it spreads, users and analysts said.
Among other things, users affected by the quick-spreading worm need to reset and restore changes it makes to numerous critical files and registry keys because those changes aren't fully addressed by today's antivirus software. And they need to make sure that a key change leaving a system open to future attacks is closed, said Russ Cooper, an analyst at security firm TruSecure.
As a result, until more sophisticated fixes become available, the only sure recourse in some cases is to disconnect infected systems from the network, reformat that system's hard drive, reinstall software from a clean source, and apply appropriate security patches, according to recommendations by both Carnegie Mellon University's CERT Coordination Center and by the SANS Institute.
"Nothing is cleaning this virus....The tools out today simply delete or quarantine the infected files," said one frustrated e-mailer to Computerworld who requested anonymity.
"We have had 50,000 to 100,000 infected files in my data center alone and we were patched all the way up," after the Code Red attack, he said. "We are smart people....This one just won't be stopped."
The Nimda worm, reports of which first began flooding into mailing lists and security firms on Tuesday morning, is a mass-mailing piece of malicious code that infects systems running Microsoft Windows 95, 98, ME, NT and 2000.
Unlike other worms and viruses, Nimda is capable of spreading via network-based e-mail, as well as by Web browsers. It has also been tuned to look for and exploit backdoors left behind by previous viruses such as Code Red and Sadmind.
In terms of a payload, Nimda's main objective is to try and propagate itself via various means, including modifying Web content on infected Microsoft Web servers, according to Allen Householder, a CERT member.
In the process, the worm does a number of insidious things, such as modifying critical system files and registry keys, making every directory available as a file share, and creating a guest account with administrator privileges, Cooper said.
"The worm infects numerous binaries on a victim system, such that any time one of the infected executables is run, the worm is launched," according to a SANS advisory.
"In addition, the worm positions itself in such a way that when document files are opened in [text] editors, the worm code is executed. These characteristics make it incredibly difficult to clean the worm from an infected system," said the advisory.
As a result, "running [antivirus software] alone will not fix the problem," said Edward York, chief technical officer at 724, an application hosting service.
"The server must be secured all over again. All open shares closed, the Hot Fixes reapplied, the guest account disabled again, and all traces of any file called root.exe or admin.dll deleted from the system," he said. Administrators also need to ensure that any registry items added by Nimda have been removed, he said.
