An FAQ is a Frequently Asked Question. We have listed here the question paired with
the appropriate answer. If you don't find the answer to your question, please visit
our customer support page or email support@HiWAAY.net.
Busy Signal Report Form: Report a busy signal.
There are currently 249 FAQs in the database.
View: By Category All
Old FAQs - We've kept these older FAQs in the archive just in case someone needs the information. These archived FAQs are no longer maintained and will certainly be out-of-date and contain errors.
Question: How do I protect my computer from the W32.Nimda.A@mm worm?
Answer:The W32.Nimda.A@mm has spread around the world. We are still seeing a large number of scans against port 80. The scans are from a new worm called . The worm is attempting to locate IIS servers, specifically the two files root.exe and cmd.exe. We have updated this FAQ constantly over the past three days and each update is grimmer than the one before as more is learned about the Nimda worm. This is what we know now:
Windows based computers not running IIS can't be infected with the worm's IIS exploit code but CAN be infected by email or by browsing a web site infected by the worm.
- It can move from system to system via email.
- It can move from system to system via open network shares.
- It can move from a webserver to a client via browsing infected web sites. This is indeed a case where a computer can be infected by simply visiting a compromised web site!
- It can move from an infected computer to a web server running IIS 4.0 or 5.0 by scanning for and exploiting via active scanning for and exploitation of the Web Server Folder Traversal vulnerability.
- It can move from an infected computer to a web server running IIS 4.0 or 5.0 by scanning for and exploiting the back doors left behind by a previous Code Red II or the less common Sadmind infection.
NEW: Microsoft has published an article called Information on the "Nimda" Worm that contains detailed instructions on securing and patching a Windows system to protect it from Nimda.
NEW: Symantec has released their tool for removing Nimda. It can be downloaded from http://firstname.lastname@example.org
NEW: Trend Micro has released a Nimda Fix Tool.
You can download the version for Home users at: http://www.antivirus.com/pc-cillin/vinfo/
"50% of the time, an address with the same first two octets will be chosen(Note: A computer does not have to have IIS installed to be targeted and scanned.) These scans and emails are what is causing the Internet congestion associated with Nimda.
25% of the time, an address with the same first octet will be chosen
25% of the time, a random address will be chosen"
"The worm searches for all open shares on the network by iterating through Network Neighborhood and by utilizing randomly generated IP addresses. All files on any open network shares are examined for possible infection. All .exe files are infected by the worm except Winzip32.exe. Next, .eml and .nws files are copied to the open network shares and the worm copies itself over as Riched20.dll to any folder that contains .doc files. The worm changes Explorer settings to not show hidden files and known file extensions."
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"|
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 272 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 300 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 234 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 251 "-" "-"
|More information about this vulnerability may be found at:|
"The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network." CERT Advisory CA-2001-26 Nimda Wormand from SARC:
"Once a computer has been attacked by W32.Nimda.A@mm, it is very difficult to determine what security settings have been compromised. Unless, by reading the logs, you can be absolutely sure that nothing else malicious has been done to the computer, it may be best to backup all data files, reformat the hard drive, and then completely reinstall the operating system and all programs. This is the only way that you can be 100 percent certain that the computer is clean." W32.Nimda.A@mm Removal ToolSymantec has posted some removal instructions that require the use of Norton Antivirus and a few manual steps to rid an infected computer of Nimda.
HiWAAY does not warrant that any of the tools and patches listed above will protect or repair a system, nor can we offer support on complex task of manually removing the W32.Nimda.A@mm worm and verifying system integrity.