I’ve spent the better part of two months with the insidious NIMDA virus,
popping up here and there in its various permutations from A to E. So,
this month, I would like to share my experiences with the virus and to
tell you what I have done to combat it. Perhaps through my tribulations,
you can avoid a few of your own.
What is NIMDA?
The official name of the worm is W32/Nimda@MM. The worm makes changes
to Web (e.g., .html and .asp) files and certain executable (e.g., .exe)
files found on the systems it infects. It also makes copies of itself,
using different file names. I have personally seen it take down complete
systems by altering files that were essential to the functioning of the
computer, like those needed to launch Microsoft Word. When it alters these
files, it also adds an executable form of itself to the files, so that
it can propagate itself again each time these files are accessed. On top
of that, the worm creates hidden shares on the infected computer. It can
also create an enabled Guest account on the machine, and grant that account
Administrative privileges — giving any user who logs in under that account
unlimited access to the infected system.
How does it spread?
NIMDA spreads in three different ways: e-mail, Web servers, and file
shares.
First, NIMDA sends copies of itself via e-mail. The e-mail addresses
come from two sources: files in the Web cache and the contents of
e-mail messages. NIMDA tracks when the last set of e-mails was sent (using
the Windows registry) and repeats the process every 10 days. This process
is initially triggered by viewing an infected message (opening it or previewing
it in the Preview Pane).
Next, NIMDA infects Web servers either by locating a server which has
already been compromised by another virus (e.g., Code Red II), or by exploiting
common security vulnerabilities in IIS (Internet Information Server).
These vulnerabilities can open back-doors into the infected system from
outside and allow the virus to burrow deeply into the file system of the
infected computer. An infected Web server will, in turn, attack other computers
which connect to it.
Finally, NIMDA will search for systems on the network that have been
configured with open file shares that anyone can write to. NIMDA will place
infected files on all of these machines.
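The indicators described above (an enabled Guest account with Administrative rights, hidden shares, and file shares anyone can write to) can be checked for on a Windows host with a short audit script. This is an added example, not code from the original column; it assumes the built-in LocalAccounts and SmbShare PowerShell modules (Windows 10 / Server 2016 or later) and local administrator rights.

```powershell
# Added example: audit a host for the NIMDA-style indicators named in the text.
# Assumes Get-LocalUser / Get-LocalGroupMember / Get-SmbShare are available.
$findings = @()

# 1. Guest account enabled, or Guest holding Administrators membership
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += 'Guest account is enabled'
}
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
    $findings += 'Guest is a member of Administrators'
}

# 2. Hidden shares (names ending in $) beyond the default administrative ones
$defaultHidden = @('ADMIN$', 'IPC$', 'PRINT$', 'FAX$') +
    ((Get-PSDrive -PSProvider FileSystem).Name | ForEach-Object { "$_`$" })
Get-SmbShare |
    Where-Object { $_.Name -like '*$' -and $_.Name -notin $defaultHidden } |
    ForEach-Object { $findings += "Non-default hidden share: $($_.Name) -> $($_.Path)" }

# 3. Visible shares that grant Change/Full access to broad groups
#    (the open, anyone-can-write shares the worm copies itself onto)
$broadPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON',
                     'BUILTIN\Users', 'BUILTIN\Guests')
foreach ($share in (Get-SmbShare | Where-Object { $_.Name -notlike '*$' })) {
    $open = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -in $broadPrincipals -and
        $_.AccessRight -in @('Change', 'Full')
    }
    if ($open) {
        $findings += "World-writable share: $($share.Name) -> $($share.Path)"
    }
}

if ($findings.Count -eq 0) { 'No NIMDA-style indicators found' } else { $findings }
```

Any hit should be treated as a reason to follow the rebuild advice below rather than to clean in place.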
How does one recover from NIMDA?
Unfortunately, the only 100% safe way to recover from NIMDA is to reformat
the infected computer and reinstall the operating system from scratch —
which is the reason NIMDA has taken so much of my time over the last several
weeks. There are tools for cleaning the worm available from Symantec and
other anti-virus sources, but I even encountered one system that would
re-infect itself within a few hours of being cleaned. Plus, with the possibility
of hidden shares and unauthorized remote access to infected systems posing
a severe threat, I feel much safer knowing a computer system has never
been hit with NIMDA.
The good news is that NIMDA has caused so many problems that patches
are readily available to secure vulnerable systems. With all of these patches
in place, it is nearly impossible for NIMDA to gain a foothold. The bad
news is that most of these patches must be downloaded. Systems which
are connected to the Internet to download the patches are vulnerable to
infection if the patches aren't already installed. You can quickly find
yourself in a Catch-22 situation!
Stop NIMDA before it happens!
If you can gather all of the patches that you need before you begin
reinstallation of the operating system (which is recommended), you should
get everything running and patched before connecting to any network (either
the local network or the Internet). However, I have found this is rarely
possible.
The best solution that I have come across requires only two pieces of
software: the original manufacturer’s installation discs and the
Microsoft Security Tool Kit. You can visit Microsoft's Security
site to get a copy of the tool kit.
In my experience, loading the operating system, and then loading the
patches found on the tool kit, will secure your system well enough to connect
to the Internet and download the remainder of the required service packs
and patches. Just remember, there are good reasons for all of these security-related
service packs — so leave no patch uninstalled, or you may end up
spending a good amount of time watching those annoying installation progress
bars as you try to safely recover from NIMDA once again!