Nimda Virus Update: You are more vulnerable than you were a week ago

Date: mid-September, 2001
Author: Eric Fletcher, Protologic Corporation (Protologic.com)*
Questions / Comments? Contact David Bilinsky

This article was prepared in mid-September, 2001 by Eric Fletcher of Protologic Corporation (Protologic.com)* in wake of the emergence of the Nimda computer virus. Mr. Fletcher is co-author with Practice Advisor David Bilinsky of the chapters on Hardware and Software for CLE Annual Review of Law & Practice.

Last week was an ugly week with tremendous amounts of time spent by many in our industry fighting an ugly new virus that exploits yet another flaw in Microsoft's security strategy. This virus is still rampant and you can acquire a copy as easily as visiting an infected web server. You can also acquire it through e-mail and most users risk being infected without electing to open an e-mail attachment. It is, honestly, still running rampant.

Our own web servers are currently experiencing about 300,000 hits an hour from other web servers all over the world and from an interesting assortment of time zones attempting to infect us. Internet performance overall is still severely degraded by the amount of bandwidth dedicated to carrying the virus — utilization in excess of 40% in North America at one point.

Many of us are dependent on the Internet and/or our e-mail to do business. The first thing we all need to do is to make sure our systems are not infected in an attempt to reduce the demand on the Internet and to make sure we are not infecting other people. I'll show you how to do this for free. The second thing we need to do is to tighten security on our systems so that we are not so easily affected.

FIRST – Make sure you are not infected (it's free).

When we first encountered the virus, there were no tools available that would detect it or remove it. We monitored several of the popular anti-virus sites while finding our own solution and methods of dealing with it. While I am a Norton Anti-Virus fan personally, one company that did a heck of a job was Trend Micro, publishers of an anti-virus product called PC-Cillin. They have a product, available for use for free from their site, which will check your system for viruses, including the new and menacing Nimda virus, and then provide you with a list of infections and an opportunity to have the program deal with them for you.

After receiving a clean bill of health from my favorite virus checker, this tool found archived copies of several well known viruses that haven't been around since 1997 as well as a copy of Nimda (our own steps had already prevented it from infecting others).

It's important to understand that this tool does not provide ongoing virus protection; it simply checks your system at this point in time. If you want ongoing protection, you need to make sure you have installed a virus-checking product and that your virus signature files are updated frequently (even though that would not have helped in this case). You can use this free tool at http://www.antivirus.com/free_tools. There you will see a screen as follows:

[Screenshot of the Trend Micro free tools page; image not reproduced here.]

You need to click on the "HouseCall for PCs" area at the bottom of the picture. This will take you to a page where you can register to receive information about viruses and anti-virus products as they are released. You may also choose to continue without registering. This will take you to the following screen:

You may see a list of drives that is a bit different than the list in the illustration above. When the screen first appears, the SCAN button in the upper right-hand corner will be greyed out and inactive while the virus-checking program is loaded onto your computer. When the SCAN button highlights and the text becomes black rather than grey, select the drives you want to scan by clicking in the box next to the drive letter. I suggest you check only the drives on your own machine (typically C and D). Once this is done, click on SCAN. You can go off and do other work on the system while the scan is taking place. This will check your system for most known viruses including the latest menace, Nimda, and will offer to remove it for you if you have become infected with it.

SECOND – Take a few minutes to modify your security setting to something other than the Microsoft defaults — nasty people are taking advantage of them.

This is serious stuff and, if you use the Internet, you really should stop what you're doing right now and take a few steps to try to protect yourself.

You can become infected with this latest virus just by viewing a website on an infected server. The virus can also hide in an e-mail (it doesn't even show as an attachment!) and infect you without you knowing it. While this virus doesn't seem to destroy data, it does spread itself through your computer and slow things down quite a bit, and other viruses that use this infection technique may come along later with much more malicious intent causing you to lose everything stored on your machine. Right now, only Microsoft Windows(tm) is vulnerable, so these steps apply only to Windows and Windows users.

Step 1 – If you have automatic file downloads enabled in your Internet browser, disable them.

All this will do is add a message to warn you that an attempt to upload a file to you has taken place and been blocked. You may already have seen a screen similar to the one below and be feeling secure. Unfortunately, there are a variety of ways that a malicious or infected website can automatically answer the question for you and cause you to accept the download.

If you do not make the following change, you will be vulnerable and if you visit an infected website (there are now hundreds of thousands of them) you will become infected. Now would be a good time to check, right now!

From the menu at the top of the screen in Internet Explorer, choose Tools then Internet Options then the Security tab. You should see a screen that looks something like the following:

If you aren't comfortable changing settings, simply drag the security bar on the left side of the bottom half of the screen upwards to set HIGH security. Unfortunately, this will also disable cookies, so sites you may visit regularly that use cookies to remember who you are will not be able to remember you. If you want more control, and don't mind changing the settings, click on the Custom Level button. You should see a screen similar to the one below:

Scroll down the list to the Downloads / File Downloads section, click Disable, click OK and then Apply. Your system should now refuse attempts to upload a file to you, and you should see a message something like the one below if one is attempted:

When you see this, if you are trying to download a file from a trusted source from whom you have requested the download, simply go back into the Downloads / File Downloads section and Enable file downloads long enough to download the file. To be really safe, don't do any surfing on any other sites while downloading the file because any site will be able to upload a file while the settings are set this way. When you are finished, simply set the downloads option back to disabled. It's a little extra work when you do want to download a file; however, nowhere near as much work as disinfecting your computer or reloading all of the programs.
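As an added example (not code from the article or from Protologic), the following Windows PowerShell script performs the same Step 1 change, and the temporary enable / download / disable routine just described, without clicking through the dialogs. It assumes that the Custom Level dialog stores the Internet zone's "File download" action as registry value 1803 under Zones\3 (0 = Enable, 3 = Disable), that iexplore.exe can be started by name, and that a browser window opened after the change uses the new setting; the URL in the usage line is a placeholder.

```powershell
# Added example, not code from the article or from Protologic. It automates the
# Step 1 procedure: check the Internet zone "File download" setting, keep it
# Disabled by default, and enable it only for the duration of a download you
# requested from a trusted source, restoring Disabled afterwards.
#
# Assumptions: Internet Explorer keeps the Security tab's Internet zone under
# Zones\3 and the "File download" action as DWORD value 1803 (0 = Enable,
# 3 = Disable); a browser window opened after the change picks up the new value.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$FileDownloadAction = '1803'

function Get-FileDownloadSetting {
    # Returns 'Enabled', 'Disabled' or a description of any other value present.
    $props = Get-ItemProperty -Path $ZonePath -Name $FileDownloadAction -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'Not set (zone default applies)' }
    switch ($props.$FileDownloadAction) {
        0       { 'Enabled' }
        3       { 'Disabled' }
        default { "Other value ($_)" }
    }
}

function Set-FileDownloadSetting {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Enabled') { 0 } else { 3 }
    Set-ItemProperty -Path $ZonePath -Name $FileDownloadAction -Value $value -Type DWord
}

function Invoke-TrustedDownload {
    # Enables file downloads only for as long as the download takes, then
    # restores the Disabled setting even if the download fails or is cancelled.
    param([Parameter(Mandatory)][string]$Url)
    $before = Get-FileDownloadSetting
    try {
        Set-FileDownloadSetting -State Enabled
        Write-Host "File downloads temporarily ENABLED. Opening $Url in a new browser window."
        Write-Host "Do not browse any other site until the download has finished."
        Start-Process -FilePath 'iexplore.exe' -ArgumentList $Url
        Read-Host 'Press Enter once the download has completed to disable file downloads again'
    }
    finally {
        Set-FileDownloadSetting -State Disabled
        Write-Host "File downloads set back to Disabled (setting before: $before)."
    }
}

# Usage: audit the current state, harden it, and later fetch one trusted file.
Write-Host "Current Internet zone file-download setting: $(Get-FileDownloadSetting)"
Set-FileDownloadSetting -State Disabled
# Invoke-TrustedDownload -Url 'https://example.invalid/trusted-update.exe'   # placeholder URL
```

The try/finally block is the point of the script: whatever happens during the download (cancelled, failed, or the window closed early), the setting goes back to Disabled, which is the step that is easiest to forget when doing it by hand.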

Step 2 – If you don't have anti-virus software installed, install it now.

While step one should protect you from an automated file download without your knowledge while viewing a website, you are still vulnerable through your e-mail. This most recent virus appears to have managed to hide the attachment in an e-mail and to automatically open and save the attachment even before you open the e-mail. It seems to be able to do this from the preview pane.

While the anti-virus software won't stop the attachment from showing up on your system, it can be configured to automatically inspect each new file and in this way catch and halt any infected programs that do show up. There is one catch though: you need to update your virus program frequently. Unfortunately, none of the anti-virus programs we are aware of were able to detect this virus when it first appeared. Within 24 hours of it starting to show up, most of the companies had posted updates and, as long as you downloaded the update, you were protected from that point forward; however, millions of systems were infected and many systems are still infected and continue to propagate the virus without the user knowing (one indication that you are infected is reduced performance).

If you have anti-virus software installed and have not updated it since Tuesday, September 18th, you need to do this now. If you don't have anti-virus software installed, you need to acquire it now. Gone are the days when you could protect yourself by not surfing adult-oriented websites and not opening e-mail attachments — any infected server can infect you and newly reported flaws in Outlook and Outlook Express security allow an e-mail to infect you without even indicating that there is an attachment.

This is not a sales pitch. While we would be pleased to supply it, time is critical here. You can acquire the software faster by downloading it directly from the publisher or one of their online affiliates. I'll include links to a number of the popular anti-virus software websites at the end of this article; where we could find them, these point to the free 30-day evaluation copies. These are all generic links. Protologic is not taking commissions and is in no way involved in the transaction. You need to take action now.

Finally – Suggestions, patches, disclaimer.

At least for the time being, you may want to consider closing your copy of Outlook, Outlook Express or any other e-mail client while you are away from your desk, certainly overnight. There is no advantage in automatically downloading e-mail while you are not there or able to shut the system down quickly if something doesn't look right. Similarly, I recommend that you not leave Internet Explorer open and displaying a website while you are not using it unless there is some compelling reason to do so. There are patches available from Microsoft that may be effective in reducing or eliminating some or all of the currently known vulnerabilities. 

For many users, applying these patches on your own is not practical or the instructions or warnings are not easily understood. If you are interested in applying them, we would be prepared to assist at our standard onsite support rates; however, that is not the purpose of this communication. We cannot talk you through applying system level software such as this over the telephone. 

Viruses are just one of the threats to computer systems circulating over the Internet. Users are advised that other steps should be taken, including installing a robust firewall that helps to isolate your system from hackers and unauthorized users.

While we believe the steps recommended in this document are prudent, they are not a cure-all and no virus protection software or firewall software or a combination of the two offer complete protection. Your system may still become infected or compromised and you may still suffer complete and irrecoverable loss of your data. Protologic makes no representations to the contrary and accepts no liability under any circumstances. While we can provide and install even more effective means of reducing the chance of infection, the cost is high and there is no absolute guarantee that something won't get through. You can minimize your risk significantly at little or no cost simply by implementing what is presented here.

*     *     *

Useful links for acquiring anti-virus software:

For Norton Anti-Virus: http://www.symantecstore.com

For Trend PC-Cillin: http://www.antivirus.com/pc-cillin

For McAfee VirusScan: http://www.atomictime.net/antivirus.html 

For Aladdin e-Safe: http://www.ealaddin.com

For Central Command Anti-Virus eXpert: http://www1.buyonet.com

For Command AntiVirus: http://www.digitalriver.com

For F-Secure AntiVirus: http://www.buyonet.com

For Kaspersky(tm) Anti-Virus: http://www.kaspersky.com

For Panda AntiVirus: https://shop.pandasoftware.com

For Norman AntiVirus: http://www.norman.com/en

For Sophos Anti-Virus: http://www.sophos.com/downloads/products

For Frisk F-Prot(tm): http://www.frisk.is/f-prot/download


*Protologic provides network systems integration, installation and technical support of computer systems, advanced telephone systems and Internet presence solutions. Mr. Fletcher can be reached at (604) 990-8150 (ext. 300) or at support@mail.protologic.com.