Important Info on Nimda Virus!

Contents:

  • Description and threat assessment.
  • How to tell if you have Nimda Virus.
  • How to get rid of Nimda Virus.
  • How to protect your systems from Nimda.

Description and threat assessment:

Many of you may have heard of the latest virus, called 'Nimda', which is 'Admin' spelled backwards. There has been some low-key, spotty news coverage, and some misinformed news networks have even gone as far as to say that 'it does not affect home users.'

It Affects Everyone!

This Sunday, while just browsing the Internet looking for sports equipment, we encountered a MAJOR retail sporting goods company's web site infected with the Nimda virus! This site tried to infect our computers JUST BY OUR VISITING IT! Had we not been prepared and known of the threat, the browsing computer, and soon the entire network to which it was attached, would have been infected and would have required many hours, if not days, to clean up!

This virus surfaced on Tuesday, September 18th, almost one week to the hour after the attacks on New York. It is estimated that over 3 million computers were infected on the very first day.

How to tell if you have Nimda Virus:

Quick Test:

Choose Start - Find Files or Folders or Search depending on the operating system you are using. Enter *.EML as the file name to find. Don't forget the asterisk (*) and don't forget the dot (.). Make sure you are searching your C drive first and that the option to search sub-folders is checked.

If any files are displayed, then the machine may be infected and you should perform the Acid Test below. If no files are displayed, continue by checking any other drives you may have.

Acid Test:

Choose Start - Find Files or Folders -or- Search, depending on the operating system you are using. Make sure no file name is specified! Find the option 'Containing Text' and enter Concept Virus as the text to find. Enter this text exactly as shown, including the case: the C and V must be upper case letters and the rest lower case. Again, make sure you are searching your C drive and that the include sub-folders option is checked. Searching for text in this manner will take some time! Be patient while your computer looks at every file.

If any files are displayed, then your system is most likely infected and you should read the section about getting rid of Nimda. If no files are displayed, then chances are that you are not infected, as Nimda tries to home in on your main boot drive.

How to Get Rid of Nimda Virus:

The best way to rid your computer of Nimda is through the use of commercial virus removal software. However, sometimes it is not possible to install virus software on infected machines due to the heavy damage already inflicted. Nimda will also attack and infect otherwise working virus programs that may have already been installed.

Below are the steps we have taken when dealers have called requesting assistance. These instructions are provided as historical information only. We can make no claims that they will work in all cases as everyone's situation will be different.

Important! Performing these steps can result in your computer losing critical operating system files, preventing it from booting! You may be left with no choice but to format your hard drive and re-install your operating system.

Read ALL these instructions and make sure you understand the implications before you start.

  1. Make sure your network is disabled. Unplug the power from routers, hubs, and all other networking devices. Nimda will spread quickly through your network and re-infect machines faster than you can clean them.
  2. Make sure your computer BIOS can boot from CD and that this function is enabled.
  3. Make sure you have the operating system CD that came with your computer.
  4. Obtain a commercial virus scanning software product that can be loaded without need for the Internet or a network connection.
  5. From a known clean machine, make sure you download the latest virus definition files from the manufacturer of your virus software. You will most likely need to download them from the Internet and use diskettes to transport them to the infected computer.
  6. After creation, make sure your virus definition diskettes are read-only by switching the tab on the diskette.
  7. Only the very latest, most up-to-date, right down to the minute, virus definition files will detect and remove Nimda! You are wasting your time if you do not have up-to-the-minute virus definition files from your software manufacturer.
  8. Install the virus software and provide the latest definition files you downloaded.
  9. Disinfect your computer following the instructions from the manufacturer.
  10. Continue the same process with every computer on your network.
  11. Do not re-enable your network until you are certain that all traces of the virus have been removed from all machines participating in the network.
  12. Do not connect a new computer to your network until you are certain it does not contain the Nimda virus.

What to do if you cannot load virus software:

  1. Delete the known virus-containing files from your computer.
  2. Warning! Data will be lost!
  3. Choose the File - Find/Search routine again.
  4. Enter *.EML as the file name to search for. Don't forget the asterisk (*) and don't forget the dot (.). Make sure your C drive is selected and the search sub folders option is selected.
  5. Delete any files found in this search. There may be thousands. Repeat the delete on any additional drives you may have.
  6. Perform the same find and delete routines again except this time use *.NWS as the file name to search for instead of *.EML. Don't forget the asterisk (*) and don't forget the dot (.).
  7. Perform the same find and delete routines again except this time use README.EXE as the file name to search for and delete.
  8. Perform the same find and delete routines again except this time use ADMIN.DLL as the file name to search for and delete.
  9. Perform the same find and delete routines again except this time use RICHED20.DLL as the file name to search for and delete.
  10. Perform the same find and delete routines again except this time use LOAD.EXE as the file name to search for and delete.
  11. Make sure that none of the named files in steps 4 through 9 exist on your computer before continuing. Make sure you have removed them from any and all drives you may have.
  12. Warning! This next process may delete critical Windows system files and prevent your computer from re-starting!
  13. Choose the find/search routines again, and this time make sure the file name is blank. Make sure no file name is specified! Find the option 'Containing Text' and enter Concept Virus as the text to find. Enter this text exactly as shown, including the case: the C and V must be upper case letters and the rest lower case.
  14. Delete any files containing this text. The hard facts of this virus are that even though some files shown in the results may be critical to Windows operation, the only option is to delete them because Nimda has already altered them beyond repair.
  15. On Windows 95/98 systems, open the system.ini file in your Windows System directory.
  16. Find the Shell = explorer.exe load.exe -dontrunold line in this file.
  17. If you see this line, change it to read: Shell = explorer.exe and save the file.
  18. Re-boot your computer.
  19. You may not be able to re-boot and you may receive errors when you do re-boot.
  20. If you can get your system back up, repeat the steps 4 through 18 again to make sure the majority of the virus is gone.
  21. Install the virus software and provide the latest definition files you downloaded.
  22. Disinfect your computer following the instructions from the manufacturer.
  23. Continue this same process with every computer on your network.
  24. Do not re-enable your network until you are certain that all traces of the virus have been removed from all machines participating in the network.
  25. Do not connect a new computer to your network until you are certain it does not contain the Nimda virus.
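The Quick Test, the Acid Test and the system.ini check described above, scripted as an added triage tool that is not part of the original bulletin. It reports findings rather than deleting anything, so you can verify a drive before and after the manual clean-up steps; the sample tree it builds is constructed from harmless placeholder files.

```python
import os
import re
import tempfile

# Indicators named in the bulletin: the *.EML/*.NWS copies Nimda drops, the files it
# installs, the Acid Test marker string, and the system.ini shell line on Windows 95/98.
NIMDA_EXTENSIONS = {".eml", ".nws"}
NIMDA_FILENAMES = {"readme.exe", "admin.dll", "riched20.dll", "load.exe"}
MARKER = b"Concept Virus"  # case-sensitive, exactly as the Acid Test requires
SHELL_LINE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.I | re.M)

def quick_test(root):
    """Quick Test: *.EML / *.NWS files plus the named Nimda files anywhere under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name.lower())[1] in NIMDA_EXTENSIONS or name.lower() in NIMDA_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def acid_test(root):
    """Acid Test: files whose bytes contain the exact string 'Concept Virus'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:  # whole-file read keeps the triage pass simple
                    if MARKER in f.read():
                        hits.append(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the scan
    return sorted(hits)

def system_ini_hijacked(text):
    """True if system.ini still carries 'Shell = explorer.exe load.exe -dontrunold'."""
    return bool(SHELL_LINE.search(text))

def build_sample_tree():
    """Constructed sample tree (harmless placeholder files, not malware) for an offline run."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    samples = {"readme.eml": b"From: x\r\n\r\nConcept Virus marker line (constructed)\r\n",
               "WINDOWS/SYSTEM/RICHED20.DLL": b"MZ placeholder, not a real DLL",
               "WINDOWS/system.ini": b"[boot]\r\nShell = explorer.exe load.exe -dontrunold\r\n",
               "notes.txt": b"clean file, nothing to see"}
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root
```

Point quick_test and acid_test at a drive root (for example C:\) to triage a real machine; build_sample_tree() only exists so the checks can be exercised offline.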

What to do if you cannot re-boot your computer:

  1. Insert your operating system CD in your drive.
  2. Make sure your computer can boot from CD-ROM and your BIOS is set to boot from CD-ROM as the first device.
  3. Re-boot your computer.
  4. Depending on the operating system you are using, you may be able to choose the repair option to repair your Windows system.
  5. You may need to choose the install option and completely re-install the operating system. What this means depends on the operating system you are using and the version. Most likely you will need to re-install any software programs but data files will probably be retained.
  6. Install the virus software and provide the latest definition files you downloaded.
  7. Disinfect your computer following the instructions from the manufacturer.
  8. Continue this same process with every computer on your network.
  9. Do not re-enable your network until you are certain that all traces of the virus have been removed from all machines participating in the network.
  10. Do not connect a new computer to your network until you are certain it does not contain the Nimda virus.

How to Protect Your Systems From Nimda:

It has been reported that Nimda exploits more than 100 vulnerabilities in Win32 operating systems including Internet Explorer, Outlook Express, and Outlook. Protecting yourself from repeated infection is very important! Nimda can be passed through Internet Explorer just by browsing the web, through email, through shared drives, and through HTTP port 80 just to name a few of the known transports.

On all computers:

  1. Install virus protection software. Make sure you keep it updated regularly. Regularly may mean every day as new exploits of this virus are uncovered.
  2. If you browse the Internet, then download Internet Explorer 6.0 from the Windows Update site www.windowsupdate.com. This updated Internet Explorer warns of files being downloaded, whereas older versions of IE will just download and install the virus with no warning.
  3. Download all critical and recommended updates for your computer from the Windows Update site. Who knows what will be found next? Return FREQUENTLY to the Windows Update site to download any critical or recommended updates.
  4. If you are using Outlook as your email program, download all updates to Office from the Office Update site www.officeupdate.com. This corrects a problem where Outlook will not see the virus as an attachment (even though it is) and just open and run it with no warning. Return FREQUENTLY to the Office Update site to check for new updates to Office.
  5. If you use Outlook, turn off the preview pane (split screen showing email details) on all folders. If the preview pane is on, the virus will auto-launch and you will be infected. It is not known if this is fixed in the latest updates to Outlook.

Network Protection:

  1. Review your drive sharing policies. Nimda exploits shared drives to infect other computers. Disconnect any unused shared drives and review carefully why and when drives should be shared. Use read-only shares whenever possible.
  2. If you are connected to the Internet, make sure you have a firewall installed by knowledgeable network consultants.
  3. Contact your network consultant now, and at regular intervals in the future, to review your network security.
  4. Make sure you know what ports are open on your router, why they are open, where they go, and that security is as reliable as possible on the receiving devices.
  5. Change your Administrator password regularly. "DDMS" is an extremely poor choice for an administrator password.
  6. Review your other network and user passwords. Long and complex passwords cost very little time compared to the hours and even days you will spend recovering from malicious attacks on your network.
  7. Do not allow users to establish their own passwords. Do not allow users to change their passwords.

Common Sense Protection:

  1. Do not download any files from the Internet unless you specifically request them. Nimda tries to send an unsolicited file to your computer through Internet Explorer. Never accept or download an unsolicited file from the Internet.
  2. Do not open emails from suspect sources. Nimda tries to spread through email as a hidden attachment.
  3. Be suspicious of unusual subject lines in emails. Nimda may take over a known associate's email, loop through his or her address book, and suddenly send you an email with a strange subject line. It's better to be safe than sorry. Call or request confirmation with a new email if you have even the slightest suspicion.
  4. Never open an email with a blank subject line. Blank subject lines in emails are certain viruses. Always delete them instantly and without hesitation.
  5. Beware of attachments to emails. Attachments are known to spread viruses. Make sure you know and trust the source before opening any attachments.

Brought to you by:

OPSoftware provides Internet and desktop applications for the independent office products dealer. You can visit the OPSoftware web site at www.opsoftware.com.