Nimda Worm Continues Attack

Security firms identify some damage in the wake of worm traveling the world by e-mail.

Frank Thorsberg, PCWorld.com

The Nimda worm is continuing to attack tens of thousands of servers and hundreds of thousands of PCs, as security experts scurry to provide protection and detection tools to halt the global infection.

Users of Microsoft Outlook software are particularly vulnerable to assault by the worm, which infects PCs and then sends out infectious mass e-mailings to listings in Outlook address books. The worm is using e-mail spoofing to send messages not just from the initial victim, but also from anyone whose e-mail address is on the infected system.

"The latest number we had was 30,000-plus servers," says Matt Fearnow, incident handler for Incidents.org, a Web site that tracks computer security problems, sponsored by the SANS Institute, a cooperative research and education organization. "As for PCs, it's really hard to tell, but I'd estimate a couple of hundred thousand based on the number of people who have called and e-mailed."

The number of infected servers on Wednesday could be in the "tens of thousands," say researchers at CERT/CC, the Computer Emergency Response Team Coordination Center at Pittsburgh's Carnegie Mellon University.

Files Damaged

The unknown creator of the worm, which was detected Tuesday, designed it uniquely to attack both PCs and servers.

Sharon Ruckman, senior director of Symantec Security Response, says the worm can damage several types of files and create holes in computer systems for future exploitation.

"What we found out by continuing to study it was that it was actually infecting more files than we saw at first," Ruckman says.

She says the worm can make system modifications and modify Web files, too. It will also change any default, index, main, and readme files on the system, and will infect executable files it discovers. Files with .eml and .nws extensions may also be replaced by the virus itself, she says.

"There is a potential to lose files and for more files to be infected," Ruckman says. "So with the detection and repair that we have provided our customers, there are also some specific manual steps that need to be done."

More Worm Analysis

"We're continuing to do analysis on what the worm does. It's pretty complex," says Roman Danyliw, an Internet security analyst with CERT/CC. "Today we still don't fully understand it, but there are lots of reports coming in and we are trying to whittle away which ones are important."

"What it does which is really unusual is that it affects both server machines and clients. It has code that works in both environments, adapted for both environments," says Gregor Freund, chief executive officer for ZoneLabs. "It looks at known vulnerabilities for the last 12 months and puts them into one 'product.'"

The ZoneLabs CEO says the Nimda worm exploits problems in Microsoft Outlook and Internet Explorer on PCs, and Internet Information Server (IIS) software running on servers.

"This is quite clever. It takes all those security issues that Microsoft had in the last 12 months and wraps them up in one package," Freund says.

Users should be vigilant about deleting e-mail bearing the worm's telltale "readme.exe" attachment, continue to update virus definitions in software security programs, and also ensure PC firewalls are properly configured.

Recovery Advice

Symantec's Ruckman says that PC users who are bitten by Nimda can use software utilities to restore their systems to pre-worm configurations and undo modifications made by the pest. Symantec markets one such program, Norton Systemworks.

Infected files that can't be repaired must be deleted. Some system settings might need to be changed, and some potential problems in the registry need to be checked and cleaned up, she says.

Microsoft has posted a patch for the IIS hole that Nimda exploits. The leading antivirus vendors include Nimda detection in their latest virus definitions. A number of other firms provide online help to detect the Nimda worm, fix software problems, and disinfect affected computers. Such tools are available from ZoneLabs, Symantec, McAfee.com, TruVector, and CentralCommand.
