Office of Information Technology
Security: How-To Guides

Nimda Worm and Variants (9-18-2001)

Summary

Affects:

All Windows Operating Systems
Internet Explorer versions 5.01, 5.5

Type: Worm
Threat: Typically replicates over email, network shares, the backdoor left by Code Red, and the IIS folder traversal vulnerability.

Once on a system, it also attempts to create and open network shares.
Fix:

McAfee with DAT 4159 (or greater)

Download and install appropriate patches

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment

Patch for Internet Explorer 5.01 and 5.5

15 August 2001 Cumulative Patch for IIS

Patch for IIS 4.0

Patch for IIS 5.0


Official Releases

Vendor Reports

McAfee's report

Sophos's analysis
Microsoft's Official Announcements & Press Releases

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment: Microsoft Security Bulletin (MS01-020)

15 August 2001 Cumulative Patch for IIS: Microsoft Security Bulletin (MS01-044)

What to Do Next - Prevention (No Current Infection)

Update McAfee DAT to most recent available


What to Do Next - Removal (If Your System is Infected)

Update McAfee DAT to most recent available
OIT's recommended removal method, using McAfee's NFRVScan tool
Note that this tool "will detect and remove the virus and the associated files the virus affects. It will NOT remove the network shares or the guest account created by W32/Nimda@MM."
1. Download the stand-alone removal tool for the Nimda virus: nfrvscan.zip (also available directly from McAfee)
2. Unzip the file you just downloaded, using WinZip or a comparable program.
3. Install all necessary Microsoft patches and Windows Updates before proceeding:

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment: Microsoft Security Bulletin (MS01-020)

15 August 2001 Cumulative Patch for IIS: Microsoft Security Bulletin (MS01-044)
4. Open a command prompt (You can click on Run under the Start Menu, type cmd and hit Enter).
5. Once you have your command prompt open, go to the directory you unzipped into in Step 2.
6. To scan all local drives, type nfrvscan /drives at the command prompt.
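
The NFRVScan note above says the tool leaves behind the network shares and the guest account. As an added example (not OIT's or McAfee's code), this read-only PowerShell audit lists the ordinary disk shares and the state of the built-in Guest account on a cleaned machine. It assumes a Windows version with the CIM cmdlets (PowerShell 3.0 or later); treating drive-root shares as the first ones to review is an assumption of the example.

```powershell
# Added example: read-only audit, it reports and changes nothing.
# Run in an elevated PowerShell session on the machine after the NFRVScan pass.

# Win32_Share.Type 0 is an ordinary disk share. Administrative shares
# (C$, ADMIN$, IPC$) carry other type values and are skipped here.
$diskShares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -eq 0 }

$shareReport = foreach ($share in $diskShares) {
    [pscustomobject]@{
        Name        = $share.Name
        Path        = $share.Path
        # Assumption: a share rooted at a drive letter (C: or C:\) exposes
        # the whole volume and deserves review before any other share.
        WholeDrive  = $share.Path -match '^[A-Za-z]:\\?$'
        Description = $share.Description
    }
}

if ($shareReport) {
    $shareReport | Sort-Object WholeDrive -Descending | Format-Table -AutoSize
} else {
    'No ordinary disk shares found.'
}

# The built-in Guest account always has RID 501, so matching on the SID
# finds it even if the account has been renamed.
$guest = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }

if ($guest) {
    $state = if ($guest.Disabled) { 'disabled' } else { 'ENABLED - review' }
    'Guest account "{0}": {1}' -f $guest.Name, $state
} else {
    'Built-in Guest account not found.'
}
```

Any share you do not recognize can be removed with `net share <name> /delete`, and an unneeded Guest account disabled with `net user guest /active:no`.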
Other removal tools
Symantec Nimda.A Removal Tool
Symantec Nimda.E Removal Tool




Last modified: 2/3/2003

Office of Information Technology • Main Office: ECS 125 • Phone: 410-455-3838 • Email: oit@umbc.edu