Due to the nature of changes made by the worm during its infection phase, antivirus vendor Symantec cautions, "Once a computer has been attacked by W32.Nimda.E@mm, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection." That possibility notwithstanding, Symantec makes a notable effort to undo the security changes wrought by Nimda.e. For optimum security, infected systems should be reformatted and restored from clean backups.
To counter the potential threat, Symantec has released an updated Nimda removal tool specifically for the "E" variant.
A Nimda removal tool is also available from antivirus vendor F-Secure. One advantage to the F-Secure tool is that it is a single tool capable of detecting and removing all known variants of Nimda.
Nimda.e is functionally similar to its parent, with only a few minor changes:
- The email attachment name has been changed to SAMPLE.EXE instead of README.EXE
- Rather than dropping ADMIN.DLL as did the original Nimda, the Nimda.E variant drops HTTPODBC.DLL
- Instead of copying itself to the Windows\system folder as MMC.EXE, Nimda.E copies itself as CSRSS.EXE.
As with the original Nimda worm, Nimda.e does not confine its spread to email. The worm can also spread via the Internet by compromising unpatched Microsoft servers, via network shares, and through users visiting websites infected with the virus. Like its predecessor, Nimda.e exploits various known vulnerabilities in the Windows operating system. Applying the appropriate patches will prevent inadvertent infection, such as might occur when an unpatched system visits an infected site or receives the Nimda email. For a list of these patches and the systems to which they apply, please see the original Nimda description.
Though Nimda.e did not achieve initial widespread saturation as did the original Nimda worm, as of February 2004 over 2 million systems had been infected. Indeed, the Nimda.E worm seemed to have made something of a comeback in early 2004, topping antivirus prevalence charts once again.
Antivirus software is readily capable of detecting and removing all known variations of the Nimda worm. However, future variants of the worm may go undetected until specific updates for those variants are applied. Patching systems to prevent exploitation is essential. Filtering programs designed to block all executables will prevent the worm's spread via email, thus mitigating the DDoS attacks spawned. For Windows desktop users, MailDefense prevents the infection and spread of the virus via email. The Content Filtering section of this site provides several server-based filtering options as well. Additionally, firewalls that monitor and block unauthorized inbound and outbound connection attempts will prevent the worm from spreading. ZoneAlarm and Tiny Personal Firewall are both highly suited for protecting Windows PCs.
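The executable-blocking mail filter described above can be sketched as follows. This is an added example, not code from the original page or from any of the products it names; the extension list, the function name and the sample message are constructed assumptions. It decides on the attachment's file name rather than its declared MIME type, and labels the two Nimda attachment names given on this page.

```python
from email import message_from_string, policy

# Assumed block list for illustration; a real gateway's list would be site policy.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
# Attachment names taken from this page.
NIMDA_ATTACHMENT_NAMES = {"readme.exe": "Nimda (original)", "sample.exe": "Nimda.E"}

def scan_message(raw):
    """Return (filename, declared_type, label) for each blocked attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition, then falls back to the
        # Content-Type "name" parameter, so both header styles are covered.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them before matching.
        name = name.strip().lower().rstrip(". ")
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            label = NIMDA_ATTACHMENT_NAMES.get(name, "executable attachment")
            findings.append((name, part.get_content_type(), label))
    return findings

# Constructed sample message: the declared type is deliberately not an
# executable type, to show that the filter keys on the file name instead.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: audio/x-wav; name="Sample.EXE"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

AAAA
--BOUND--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print("BLOCK:", finding)
```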