Coping With the Nimda Virus and Similar E-Terrorist Attacks
© 2001 Dan Webb
Nimda's a Really Clever Virus
How It Attacks
How To Detect Nimda
How To Prevent Infection
How to Eradicate It If You're Infected
How to Rebuild Your C:\ Drive to Make Sure You Don't Get Infected Again -- an 8-hour process
New Features in Windows XP: Remote Assistance and the System Restore Function
Consultation On Site or by Phone
I'd be glad to assess or
solve any problems related to virus infection, network
setup, or other configuration issues in Microsoft Windows 2000 or
Windows XP. You can discuss your
situation with me by e-mail, by calling my cell phone (206-818-2558), or by requesting
Remote Assistance. (See below.) I'm an expert in configuring and using
Microsoft Office products, including
Outlook, Access,
PowerPoint, Excel,
Word, FrontPage, and
Visio.
Consultation by Remote Assistance
If you've upgraded to Windows
XP (which I recommend highly), you can invite me
directly to your desktop through the Remote Assistance
feature. Click Start > Help and Support Center > Under
"Ask for assistance," click the green arrow at the top. My e-mail
address is dan_REMOVE_THIS_SPAM_BLOCK_@danwebb.com. My
hourly rate is $120, and the first few minutes are free.
I guarantee a cost-effective
solution. If I don't fix your problem, there's no charge.
Nimda's a Really Clever Virus
The Nimda virus ("admin" spelled backward) is
probably the most insidious virus yet invented to strike Microsoft
Windows-based PCs. Considering my technology background and security
awareness, if I got it, you can get it. The effect
of the virus is that it spawns so many processes, each of which is
replicating the virus in new locations on your PC, that it eventually takes
over all the resources of your computer, rendering it useless for anything
other than replicating the virus.
The A strain of the virus was discovered on September
18, 2001. The E strain was discovered on October 29,
2001. The E strain contains "improvements," which make it more difficult for
the anti-virus programs to detect and fix it.
In my experience, Nimda replicates itself so fast,
the eradication process in McAfee.com's VirusScan Online product cannot
keep up with it, and Nimda actually turns off McAfee's protection from
infection. In short, it kicks McAfee's butt. Fortunately, the
most recent version of Norton AntiVirus
has been
completely successful at preventing the spread of Nimda in my environment
(Windows 2000 Pro and Windows XP Pro).
How It Attacks
Nimda uses several avenues of attack:
1) It infects e-mail messages, which can pass
the infection through the Microsoft Outlook preview
pane, even if you never open the e-mail message.
This is the first virus I'm aware of that has achieved this
dubious distinction, which is probably how I was infected. Up to now, if
you didn't open an executable attachment to an e-mail message, you were safe.
Norton AntiVirus has e-mail protection that seems to work great with Outlook.
2) It infects Web pages and Active Server pages, and it infects
visitors to infected pages who use any recent version of Internet
Explorer that hasn't been updated with Microsoft's security
patches. Windows Update takes care of this.
3) It infects executable files that may be passed intentionally or
unintentionally from one user to another by diskette, download, CD-ROM,
e-mail attachment, etc.
4) It infects through Internet Information Server, Microsoft's
Web server product, if not updated with the latest security
patches. Windows Update takes care of this.
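Item 1 above works because the worm's message declared an executable attachment under an audio MIME type, which an unpatched Outlook (through Internet Explorer's MIME handling) executed on preview; the added example below, not code from the original page, flags attachments whose declared type contradicts their leading bytes. The message it checks is constructed inline, and the type-sniffing table covers only the two types the sample needs.

```python
"""Flag e-mail attachments whose declared MIME type disagrees with their bytes (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of two file types; a Windows executable starts with "MZ".
MAGIC = {b"MZ": "application/x-msdownload", b"RIFF": "audio/x-wav"}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")

def sniff(payload: bytes) -> str:
    """Guess the real type from the first bytes, ignoring what the header claims."""
    for magic, mime in MAGIC.items():
        if payload.startswith(magic):
            return mime
    return "application/octet-stream"

def check_message(raw: bytes) -> list:
    """Return (filename, declared type, sniffed type, reason) for each suspect part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        payload = part.get_payload(decode=True)
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()
        actual = sniff(payload)
        reasons = []
        if actual == "application/x-msdownload" and declared != actual:
            reasons.append(f"declared {declared} but payload is a Windows executable")
        if name.endswith(EXECUTABLE_EXTS) and not declared.startswith("application/"):
            reasons.append(f"executable filename {name} declared as {declared}")
        if reasons:
            findings.append((name or "<unnamed>", declared, actual, "; ".join(reasons)))
    return findings

def build_sample() -> bytes:
    """Constructed sample: an executable stub labelled as audio, beside a genuine-looking WAV."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("constructed body text")
    msg.add_attachment(b"MZ\x90\x00 stub, not a real program", maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="tune.wav")
    return msg.as_bytes()
```

Running `check_message(build_sample())` reports only readme.exe; the genuine WAV attachment passes because its bytes match the declared type.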
How to Detect Nimda
Symantec's Security Check Web page
provides some useful tools for detecting security risks from viruses and other
malicious mischief. Also, Symantec's Nimda Removal Tools find and fix instances of Nimda
and provide a log of what was found. (See How to Eradicate ... below.)
How To Prevent Infection
The auto-protection feature in the most recent
version of Norton AntiVirus, included as a component in Norton Internet
Security or sold as a standalone product (at Symantec.com
or at your local CompUSA), is effective in
blocking Nimda infection and proliferation. This is only true, however, if Norton
AntiVirus has been updated with the latest updates. Norton AntiVirus is
normally configured to check the Symantec Web site daily or weekly for the
latest updates.
In my experience, McAfee.com's VirusScan Online
product is NOT
effective in protecting PCs from the spread of the virus, and its rate
of eradication is too slow to keep up with Nimda's rate of proliferation.
How to Eradicate It If You're Infected
There are three important tools to use in eradicating the virus if you're
infected:
1) The Norton AntiVirus scan feature
2) Symantec's Nimda Removal Tool for the A strain
3) Symantec's Nimda Removal Tool for the E strain
If you've been infected, your PC may not have enough resources left to
be able to download, install, or execute the removal tools. In that
case, you must rebuild your C:\ drive in such a way that you don't get
re-infected during the rebuilding process. As I found the hard way,
this is not trivial. I've detailed the process in the section
below.
How to Rebuild Your C:\ Drive to Make Sure You Don't Get Infected Again
Assemble All the Pieces You'll Need
First, be sure you have a current backup of all your data files. If you
were smart enough or lucky enough to have kept all your data files away
from the C:\ drive (like on D:\ or E:\), then the pain will be limited to
reinstalling all your software. If your system was configured to keep data
files on the C:\ drive with the operating system and application software,
you're in a pickle. The trick is to get a copy of the data files, many of
which have been infected, onto some storage medium other than the C:\
drive, and your infected PC is running so slowly (if at all) that this
could be difficult. If you need help with this, I can provide consulting
assistance. Please call me at 206-818-2558 or e-mail your request to dan_REMOVE_THIS_SPAM_BLOCK_@danwebb.com.
- Purchase the current version of Norton Internet Security (includes
Norton AntiVirus) that's specifically for the version of Windows you're
going to install.
- Download or otherwise assemble all the information and drivers you
need to match your hardware components to your operating system.
You may have to use a similar PC that hasn't been infected.
- If you're connected to a network, be sure you
know your IP address and subnet mask (unless your IP address is assigned by a DHCP server)
and the workgroup or domain in which you want to be
known.
- If you have a dialup Internet connection, be sure you know the modem
phone number to dial, your user name, and your password.
- If you have a DSL Internet connection, be sure you have the
installation instructions from your service provider.
- Disconnect all external devices except the keyboard, mouse, monitor,
default printer and modem.
Elapsed Time: 00:00 [Note: This
process typically takes 8 hours
to install Windows 2000 or XP and Office 2000 or XP with effective virus
protection. Since the cost of consulting (8 X $120) is almost
what you'd pay for a new PC pre-configured with Windows XP and Office XP,
you might be better off starting with a new PC. Such is the nature
of Windows PCs. They're
now like quartz watches. They can cost more to
fix than to replace.]
Install the Operating System
- Install Windows 2000 Pro or Windows XP --
full format drive C:, using the NTFS format, which is more efficient and secure than the FAT
format.
- If you don't have a separate D:\ drive,
create a D:\ partition to keep data separate from software so you
won't lose data when you have to do this again. (Notice that I
didn't say "if." This is a Windows PC. Be advised.)
- Install software only on the C:\ drive or
partition.
- When it asks for a password for the user Administrator, be sure to
enter a password you won't forget and that you're willing to tell to a
service consultant. I suggest you use "administrator" or
"password" until you're ready to lock down security on your PC.
- You'll need to enter your IP address and subnet mask to connect to
your network, if this applies.
- Do not install the Internet Information Server service yet (part
of Windows extensions).
- Do NOT point Windows Explorer at the D:\ drive until OK'ed later
in the procedure.
- Using the Display Control Panel, select 800x600 resolution (or
higher) if available in the native video driver.
- Add user <your Windows login user name> and designate your user name as a member
of the Administrators group.
- Log on as <your Windows login user name>, so interface changes you make
are saved in this profile.
- If applicable, share drives C: and D: to your network.
- Update this procedure with what you've learned from previous
executions of the procedure and reprint it.
- Create your dialup Internet connection.
Elapsed Time: 02:00
Install Virus Protection
- Install Norton Internet Security. You must have the version
specifically for the version of Windows you installed.
- Select execution of LiveUpdate to get Norton AntiVirus updates, etc.
from the Web.
- Restart to implement the AV updates.
- Configure Norton AntiVirus to automatically repair or quarantine,
not the default action (notify and ask), so it fixes found infections
while you're away from your PC.
- Execute a full scan of C: and D:.
- Close ALL windows.
- Start Norton AntiVirus.
- Configure Norton AntiVirus to automatically repair or quarantine,
not the default action (notify and ask), so it fixes found infections
while you're away from your PC.
- Execute a full scan of C: and D:.
- Install the modem -- right-click My Computer | select Properties |
Hardware tab | Device Manager | double-click the modem | Reinstall
Driver... | Search | specify location | E: (the drive letter for the
CD-ROM drive).
- Insert the CD-ROM with the drivers for the modem and click Next.
- If the autorun function presents a dialog box offering to install
the modem, cancel and close it.
- To set the volume of the modem, right-click My Computer | select
Properties | Hardware tab | Device Manager | double-click the modem |
Modem tab | set the volume control.
- Visit http://www.symantec.com/avcenter/
and download removal tools (lower right on the page) for the most
recent, high-threat viruses and save them on your Desktop.
- Download Symantec's latest FixNimdaA.com and FixNimdaE.com removal
tools to the Desktop and run both of them successively until they find
zero infected files.
Elapsed Time: 04:00
Get the Latest or Best Drivers for the Modem and Sound Card
- Download the latest drivers for the modem & sound card.
These links may be helpful if you have a SoundBlaster product: http://soundblaster.com/support/winxp,
http://soundblaster.com/downloads,
http://soundblaster.com/drivers.
- After downloading drivers, run Norton AntiVirus scan on the folder
where they're saved.
- If you have a SoundBlaster Audigy MP3+ sound card, install the
driver shipped with the SoundBlaster Audigy MP3+ from the CD-ROM.
Then install the updated drivers -- right-click My Computer | select
Properties | Hardware tab | Device Manager | Reinstall Driver... |
Search | specify location | D:\Downloads\Creative Labs SoundBlaster
Audigy (Win XP)\ADGXPDrvUpdate.exe
- Make sure the default printer is installed correctly.
Update Windows
Elapsed Time: 06:00
Install Other Devices
- Install an HP (or other mfr's) CD-Writer and backup key files onto CD-RW or CD-R.
- Adaptec DirectCD (as shipped with the HP
CD-Writer) can cause a blue-screen crash of Windows 2000, so DO NOT
install it without an update that is known to work correctly.
Install and Configure Microsoft Office
- Install Microsoft Office 2000 or XP Premium or Pro
  - Office Shortcut Bar
  - Access Snapshot Viewer
  - Microsoft Photo Editor
  - VBA Help
- Configure Outlook.
  - Keep your Outlook Personal Folder(s) and Personal Address Book or
    Contacts in D:\Outlook Data Files
  - To have control over specifying the location of Personal Folders and
    Personal Address Book, add support for corporate and workgroup e-mail:
    Options | Mail Delivery tab | Reconfigure Mail Support | select support
    for corporate or workgroup e-mail.
  - Select Dial using IE or 3rd party dialer (so it checks mail
    automatically if Internet access is open). Check for mail every
    1 minute -- 2 places to set this.
  - Outlook Bar Shortcuts
  - Outlook signature
- Turn on e-mail virus protection in Norton AntiVirus.
- Send and receive e-mail.
- Configure Word.
  - Normal.dot
  - D:\Office Templates
- Configure Office Shortcut Bar links.
Elapsed Time: 08:00
Install Other Applications
New Features in Windows XP: Remote Assistance and the System Restore Function
- The System Restore function periodically saves
your Windows system configuration. This enables you to recover
from a corruption of Windows system files. Windows is overdue for
having this kind of self-protection. Please make sure it's
enabled, using the System Control Panel.
- Using the System Control Panel, make sure that
Remote Assistance is enabled. Remote Assistance
enables you to request technical support through the Internet.
This can save a lot of time and money, lowering the total cost of ownership for Windows PCs.
- Using the System Control Panel, enable
Remote Desktop for trusted users. This feature
enables you (or someone like me) to operate your computer remotely
through the Internet. This is a great new feature in Windows.
- Using the Add or Remove Programs Control Panel > Add/Remove Windows Components, enable Remote Desktop Web Connection. (See instructions below.)
To install Remote Desktop Web Connection -- From the
Windows XP Help and Support Center
- Open Add or Remove Programs in Control Panel.
- Click Add/Remove Windows Components.
- Select Internet Information Services, and then click
Details.
- In the Subcomponents of Internet Information Services list,
select World Wide Web Service, and then click Details.
- In the Subcomponents for World Wide Web Service list, click
the Remote Desktop Web Connection check box, and then click
OK.
- In the Windows Components Wizard, click Next.
- Open Internet Services Manager.
- Expand the folder hierarchy until you reach the local computer
name\Web Sites\Default Web Site\tsweb folder.
- Right-click the tsweb folder and then click Properties.
- Click the Directory Security tab on the Properties
dialog box.
- In Anonymous access and authentication control, click
Edit....
- Check the Anonymous access check box on the Authentication
Methods dialog box, and then click OK twice.
Notes