Computing at Cornell Security Issues for Network and System Administrators

Virus Alert: Nimda Worm

November 1, 2001: Nimda.E is a new variant of this worm with changed file names and other modifications to make it harder to detect. Detailed information is available from Symantec. NAV can detect infected files, even when using the definitions for the original Nimda.A variant, but there is also a new removal tool specific to Nimda.E.

September 27, 2001 - Nimda reactivation warning from CERT: The W32/Nimda worm contains code that will cause an infected host to send infected mail messages every 10 days. Hosts that were initially infected on Tuesday, September 18th and not recovered could start sending another round of messages tomorrow, September 28th.

September 18, 2001: Some hosts at Cornell have been infected with a new and quickly spreading worm named "W32.Nimda" or "Concept Virus Worm (CV) v.5." A CIT News Flash describes three ways this worm can be transmitted. All Windows users are urged to apply patches from Microsoft that protect against this worm.

How to Protect Against Nimda

  1. Update Norton AntiVirus. Run LiveUpdate to make sure you have virus definitions dated September 18, 2001 or later.

  2. Patch Internet Explorer and Outlook. Internet Explorer may automatically download and execute this worm from an infected web server. This vulnerability has been confirmed for Internet Explorer 5.5 and 5.01 (except SP2 versions) and may also exist in earlier, unsupported versions. For discussion see Microsoft Security Bulletin MS01-020.

    The specific patch (Q290108) fixes similar flaws in both Internet Explorer and Outlook.

  3. Disable or patch IIS web server software as described in the Code Red virus alert.

Notification of Possible Infections

When web requests are detected originating from hosts at Cornell and indicating that these hosts might be infected, network administrators are notified by e-mail of the IP addresses of the possibly infected hosts. If you receive such a notification and the host is running Windows NT or 2000, it is most likely that the host is indeed infected. Please repair the machine as soon as possible or disconnect it from the network to prevent the spread of this worm and the possible infection of other vulnerable machines.
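The kind of check behind such a notification can be sketched over web server access logs. This is an added example, not CIT's own detection code. It assumes Common Log Format input, a stand-in campus range (192.0.2.0/24), and that the worm's IIS scan shows up as requests for cmd.exe or root.exe, a publicly documented Nimda trait that this page does not itself describe.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: stand-in campus range (RFC 5737 documentation block).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
# Assumption: the worm's IIS scan asks for cmd.exe or root.exe (not from the page).
PROBE = re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" \d{3} \S+')

def suspected_hosts(log_lines, min_distinct=3):
    """Map each campus IP to its distinct probe paths, if it made at least
    min_distinct of them (a scan burst rather than a single stray request)."""
    probes = defaultdict(set)
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-CLF line
        client, target = m.groups()
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # logged as a hostname, cannot range-check
        if ip in CAMPUS_NET and PROBE.search(target):
            probes[client].add(target.split("?", 1)[0].lower())
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= min_distinct}

# Constructed sample log lines, not real traffic.
T = "[18/Sep/2001:10:02:11 -0400]"
SAMPLE_LOG = [
    f'192.0.2.17 - - {T} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 461',
    f'192.0.2.17 - - {T} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 461',
    f'192.0.2.17 - - {T} "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 461',
    f'192.0.2.40 - - {T} "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.40 - - {T} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 461',
    f'198.51.100.9 - - {T} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 461',
    f'198.51.100.9 - - {T} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 461',
    f'198.51.100.9 - - {T} "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 461',
    "truncated line with no request field",
]

if __name__ == "__main__":
    for ip, paths in suspected_hosts(SAMPLE_LOG).items():
        print(f"notify admin: {ip} made {len(paths)} distinct probes: {paths}")
```

The threshold keeps a single stray request from triggering a notice; off-campus sources are ignored because the notification is about hosts the campus administrators can repair or disconnect.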

How to Remove the Worm from Infected Systems


Last modified: November 5, 2001