BBC NEWS | Sci/Tech
Wednesday, 19 September, 2001, 13:58 GMT 14:58 UK
Q&A: The Nimda virus



What is Nimda?

It is a malicious program or virus that uses many different methods to spread itself around the internet using the weaknesses of Microsoft Windows.

It can affect machines running Microsoft Windows 95, 98, Me, 2000 and NT.

It is properly called a worm because it can spread without piggybacking on other programs. Nimda rolls together many of the techniques that other viruses, such as Sircam and Code Red, used to travel around the web.

How does it spread?

The virus uses several tricks to infect machines and travel around the net, some of which are detailed below.

It can travel as an e-mail message with two parts. The first part is a message body that looks blank; the second is an attachment that carries the virus.

The subject line of infected messages varies, but it is usually over 80 characters long.

Infected machines send copies of the virus to addresses scavenged from Outlook address books. Nimda also alters many web content files it finds on infected PCs, so anyone viewing those pages also downloads a copy of the worm. It also places copies in all shared directories, so anyone else using that system could become infected.

Infected PCs are also turned into scanning systems that look for web servers running vulnerable versions of Microsoft's Internet Information Server (IIS). A copy of the virus is transferred to any vulnerable server found, which then starts scanning machines that share the same section of the net to see if they too are vulnerable.

It also puts copies of itself in all directories it can find. This means that anyone browsing information on that server could be infected.

In a new twist the virus can also be passed on to machines that browse webpages created by an infected server. Certain versions of Internet Explorer can be made to run tasks without the knowledge or consent of a user. Nimda exploits this ability to install a copy of itself. Versions 5.01 and 5.5 of IE that do not have the Service Pack 2 installed are vulnerable.
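The article notes that Nimda alters web content files on infected machines so that visitors download the worm. A defender's standard counter to that is a file-integrity baseline over the web root: hash every served page, store the hashes, and re-check them on a schedule. The script below is an added example, not code from the BBC article or from any anti-virus vendor; it builds a constructed web root in a temporary directory, takes a baseline, simulates an unexpected page edit plus a newly dropped page, and reports the differences. The extension list and the directory layout are assumptions for the demonstration.

```python
"""File-integrity baseline for a web root (added example, constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of served content types worth watching; adjust to the site.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}


def snapshot(root):
    """Map each web-content file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def save_baseline(baseline, path):
    """Persist a snapshot as JSON so later runs can compare against it."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify files as added, removed or modified between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed web root, baseline it, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "about").mkdir()
        (root / "about" / "team.htm").write_text("<html>Team</html>")
        (root / "logo.gif").write_bytes(b"GIF89a")  # not a watched type

        save_baseline(snapshot(root), root / "baseline.json")

        # Simulated unexpected changes: a served page is edited and a new page appears.
        (root / "index.html").write_text(
            "<html><body>Welcome</body><!-- unexpected edit --></html>")
        (root / "new.html").write_text("<html>new</html>")

        return compare(load_baseline(root / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline file should live outside the web root and off the server (here it is kept in the temporary directory only to keep the demonstration self-contained), and any entry under "modified" or "added" that no deployment explains is the signal to investigate.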

What damage does it do?

Thankfully the Nimda Windows worm does not do any direct damage to the machines it has compromised. However, it could clog mail servers with the sheer volume of infected messages that it generates, and slow down the networks any infected machines are attached to because it aggressively looks for vulnerable machines.

System administrators could have problems freeing their machines from infection because Nimda creates so many copies of itself. It also makes changes to key Windows programs that can be tricky to clean up.

Is it widespread?

Some anti-virus companies are reporting that other viruses, such as Sircam, are currently being found in larger numbers than Nimda. This could be because Nimda has so many ways to propagate that it does not have to rely on e-mail, which until now has been one of the best ways to judge the virulence of a virus.

However, the numbers of Nimda viruses being sent as e-mail attachments may not give a true picture of its virulence. The virus favours copying itself to machines on networks close to those it has infected and its worst effects are likely to be the amount of net traffic, rather than e-mail, it generates.

What can I do about it?

If you receive a blank e-mail message with a long, strange-sounding subject line and an attachment from someone who does not usually send you attachments, then it might well be a copy of the virus. Delete it immediately.
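The advice above, together with the earlier observation that infected subject lines usually exceed 80 characters, is a small set of mail-triage heuristics that a gateway or a user's mail filter can apply. The script below is an added example, not code from the article; it parses raw messages with Python's standard email library and returns the reasons a message looks suspicious. The sample messages, the sender history and the 80-character threshold's use as a cut-off are constructed for the demonstration.

```python
"""Mail-triage heuristics from the article's advice (added example, constructed data)."""
from email import message_from_string, policy

SUBJECT_LEN_THRESHOLD = 80  # the article: infected subjects are usually over 80 chars


def build_message(sender, subject, body, attachment_name=None):
    """Construct a raw RFC 822 message for the demonstration (sample data, not real mail)."""
    lines = [f"From: {sender}", "To: user@example.org",
             f"Subject: {subject}", "MIME-Version: 1.0"]
    if attachment_name is None:
        lines += ["Content-Type: text/plain", "", body]
    else:
        lines += ['Content-Type: multipart/mixed; boundary="b1"', "",
                  "--b1", "Content-Type: text/plain", "", body,
                  "--b1", "Content-Type: application/octet-stream",
                  f'Content-Disposition: attachment; filename="{attachment_name}"',
                  "Content-Transfer-Encoding: base64", "",
                  "TVqQAAMAAAAEAAAA",  # constructed placeholder bytes, not a real file
                  "--b1--", ""]
    return "\n".join(lines)


def attachment_names(msg):
    """Filenames of all parts marked as attachments."""
    return [part.get_filename() or "(unnamed)"
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def body_is_blank(msg):
    """True when every non-attachment, non-container part is empty or whitespace."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.strip():
            return False
    return True


def triage(raw_message, senders_seen_with_attachments):
    """Return the list of heuristic reasons a message matches the article's description.

    senders_seen_with_attachments: set of addresses that have legitimately sent
    attachments before (an assumed local history, e.g. from past mail logs).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    sender = str(msg.get("From", "")).strip()
    subject = str(msg.get("Subject", ""))
    attachments = attachment_names(msg)
    reasons = []
    if attachments and body_is_blank(msg):
        reasons.append("blank body with attachment")
    if len(subject) > SUBJECT_LEN_THRESHOLD:
        reasons.append(f"subject longer than {SUBJECT_LEN_THRESHOLD} characters")
    if attachments and sender not in senders_seen_with_attachments:
        reasons.append("sender has not sent attachments before")
    return reasons


# Constructed samples: one matching all three traits, one ordinary attachment, one plain note.
LONG_SUBJECT = " ".join(f"item{i}" for i in range(15))  # 94 characters
SUSPICIOUS = build_message("colleague@example.com", LONG_SUBJECT, "", "readme.exe")
ORDINARY = build_message("boss@example.com", "Q3 report", "Attached as discussed.", "report.pdf")
PLAIN_NOTE = build_message("boss@example.com", "Lunch?", "")
HISTORY = {"boss@example.com"}

if __name__ == "__main__":
    for name, raw in [("suspicious", SUSPICIOUS), ("ordinary", ORDINARY), ("note", PLAIN_NOTE)]:
        print(name, "->", triage(raw, HISTORY) or "no findings")
```

The heuristics are deliberately weak on their own (a blank body with a long subject is also what a hurried colleague sends), which is why the output is a list of reasons to review rather than a verdict; a gateway would combine them with the signature-based scanning the article recommends.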

If you use Outlook in Windows 98 and 2000 make sure you install the security patch from Microsoft. Use an anti-virus scanner, keep it updated and perform regular checks on your machine to ensure it is infection free.

If you have been infected use programs created by anti-virus companies such as Symantec, Sophos, McAfee and Kaspersky Labs to remove the malicious program.

See also:

19 Sep 01 | Sci/Tech
Nimda virus loose online
20 Jul 01 | Sci/Tech
White House dodges web virus
02 Aug 01 | Sci/Tech
Code Red 'was never a threat'