Excellent Info on NIMDA worm

This is long, but worth reading. You might wish to print it out since it contains detailed instructions. It is a very good explanation of how the NIMDA worm, well, worms its way into PCs and what users can do to safeguard themselves.

I received the following in Patrick Douglas Crispin's e-mail newsletter "Tourbus". For archives and subscription information, go to his site http://www.TOURBUS.com


As if the events of the past week haven't been enough to deal with, there is a new virus/worm called Nimda. Every computer running Microsoft Windows 95, 98, 98SE, ME, NT, or 2000 is vulnerable. Computers running non-Windows operating systems (like Macs and Linux boxes) are *NOT* vulnerable, though.

How is Nimda different from the squillion other viruses out there? Well, if you'll pardon my using an analogy, most viruses try to break into your computer through your front door. Close the front door and the virus ceases to be a threat. Nimda tries to break in through your front door, your living room window, and your chimney. Close the front door and you're still vulnerable.

In other words, you're going to have to do a bit of work to protect your computer from Nimda.

Closing the Front Door

Update your virus definitions. This closes the front door. How do you update your virus definitions? That depends on the antivirus program you use. Norton Antivirus has a "Live Update" button built into the program; click on it, and Norton automatically downloads and installs the latest virus definitions from the Net. McAfee VirusScan has a similar update function (go to File --> Update VirusScan).

And, of course, *NEVER* double-click on any file, especially an email attachment, regardless of who the file is from, until you first scan that file with your antivirus program.

As long as you update your virus definitions weekly and never double-click on attachments without first scanning those attachments, you're pretty well protected from *most* computer viruses.

But not Nimda.

Closing the Living Room Window

Nimda also exploits a well-known hole in the PC version of Internet Explorer (other versions, including the Mac version of Internet Explorer, are *NOT* affected by this hole). According to Microsoft, Internet Explorer does not handle MIME (Multipurpose Internet Mail Extensions) headers in HTML e-mails correctly. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer. If this occurs, the executable can take any action on the computer that the user can take, including adding, changing, or deleting data, communicating with Web sites, or reformatting the hard drive.

Fortunately, Microsoft patched this hole back in March. And finding, downloading, and installing this patch couldn't be simpler: just run Windows Update and download *ALL* of the critical updates.

There are a couple ways to run Windows Update, but the easiest is to launch Internet Explorer and then go to Tools --> Windows Update.

You can also go to Start --> Settings --> Windows Update.

Either way will automatically redirect you to Microsoft's Windows Update page at http://windowsupdate.microsoft.com/default.htm

On the top left side of the Windows Update page, click on the "Product Updates" link (it is the one with the hand and the red *). A pop-up window will appear, telling you to wait while your computer DOESN'T send any information to Microsoft (well, that's what it says!)

Eventually, you'll see a page that says "Select Software." When Microsoft releases an essential update or patch to close a security hole in Windows, they put it in this page's "Critical Updates" section.

Microsoft also puts a bunch of other, non-essential stuff on this page, but you can ignore that. You are here for the Critical Updates.

Select (or click on) EVERYTHING in the "Critical Updates" section -- you need *ALL* of the critical updates -- and then click on the big, gray "Download" arrow in the top right hand corner of the page. Then, just follow the on-screen prompts.

This closes the living room window.

By the way, if you run Windows Updates and don't see any Critical Updates, don't panic. This just means that your version of Internet Explorer has already been patched (and your living room window is already closed). :)

Closing the Chimney

You're still not done. According to our friends at CERT,

As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.

[see http://www.cert.org/advisories/CA-2001-26.html for more info]

You've already taken care of the automatic execution problem in the last step (Microsoft's Critical Update patch closes that hole), but it is still possible that an infected Web page could automatically download a Nimda virus-infected file to your computer. Your computer wouldn't be infected, though. Instead, the virus-infected file would be like a letter bomb; it will just sit there, taking up space, waiting for you to open it.

The folks at CERT recommend disabling JavaScript to avoid this problem, but I have a much more beautiful solution: download and install a "pop-up killer" like WebWasher. Nimda tries to "come down the chimney" through a JavaScript pop-up window. Pop-up killers like WebWasher keep this from happening.

In other words, WebWasher closes the chimney.

Originally developed by German electronics giant Siemens, WebWasher is a filter program for PCs, Macs, and Linux boxes running either Netscape Navigator or Microsoft Internet Explorer. Once you install WebWasher on your computer, the program automatically blocks unwanted Web content like banner ads and pop-up windows. Instead of the ads, all you see is white space -- the ads aren't even downloaded! :)

What is most amazing is that WebWasher is free for home and education use. You heard right, folks: IT'S FREE! To download WebWasher, point your Web browser to http://www.webwasher.com/en/products/wwash/download_license.htm and click on the "I agree" button. The download process is self-explanatory.

Once you download WebWasher to your hard drive (the file is less than 1 Mb in size, so it should download pretty quickly), double-click on the installation file to install the program, and then follow the on-screen instructions to configure both WebWasher and your browser.

This sounds complicated, but it is actually rather easy.

That's it! You are now free to surf the Web relatively ad-free. And unlike a lot of other ad filtering programs, WebWasher doesn't change the appearance of most popular Web sites. In fact, some sites -- like Intellicast -- look significantly better without the ads!

As I said earlier, most viruses try to break into your computer through your front door. Close the front door and the virus ceases to be a threat. Nimda tries to break in through your front door, your living room window, and your chimney.

BUT, if you update your virus definitions, never double-click on attachments, download and install the Critical Update patches from Microsoft, and use a pop-up killer like WebWasher, the Nimda virus will become just like Yoko Ono: an annoying thing about which you need not worry. :P
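
As an added illustration of the CERT description quoted above (not part of the original newsletter or of CERT's advisory), this Python script scans a web root for .htm, .html and .asp files that carry a pop-up script after the closing </html> tag. That placement and the window.open call are assumptions about what a modified file looks like, and the sample files are constructed.

```python
import os
import re
import tempfile

# Extensions named in the CERT text quoted above.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# Assumption: a script that opens a pop-up (window.open) and sits after the
# closing </html> tag was appended to the page rather than authored in it.
CLOSING_HTML = re.compile(rb"</html\s*>", re.I)
POPUP_SCRIPT = re.compile(rb"<script\b[^>]*>.*?window\.open\s*\(.*?</script\s*>", re.I | re.S)

def trailing_popup_scripts(data: bytes) -> list:
    """Return pop-up scripts found after the last </html> tag (empty if none)."""
    closings = list(CLOSING_HTML.finditer(data))
    if not closings:
        return []  # no closing tag: cannot tell appended from authored content
    tail = data[closings[-1].end():]
    return [m.group(0) for m in POPUP_SCRIPT.finditer(tail)]

def scan_web_root(root: str) -> dict:
    """Walk root and report web content files carrying a trailing pop-up script."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:
                    hits = trailing_popup_scripts(handle.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                findings[path] = hits
    return findings

def demo() -> dict:
    """Build a constructed web root (sample data, not real worm output) and scan it."""
    clean = b"<html><body><script>window.open('help.htm')</script></body></html>\n"
    modified = (b"<HTML><body>Hi</body></HTML>\r\n"
                b'<script language="JavaScript">window.open("placeholder-file")</script>')
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.html", clean), ("Default.ASP", modified), ("notes.txt", modified)):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        return {os.path.basename(p): h for p, h in scan_web_root(root).items()}

if __name__ == "__main__":
    print(demo())
```

A pop-up script inside the page body is not reported; only one that trails the closing tag is, so legitimate pop-ups authored into a page do not raise a finding.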

