Nimda worm

There has recently been publicity concerning Nimda, another mass mailing worm that affects Microsoft products. Below are details of the virus and what to do about it.

Action to take

  • Don't run MS IIS (Microsoft Internet Information Services). If you absolutely must, be sure to visit http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
  • If you run Internet Explorer 5.01 or 5.5, visit http://www.microsoft.com/technet/security/bulletin/MS01-020.asp (5.01 Service Pack 2 is not vulnerable and you need not apply any patches). If you run a version of IE prior to 5.01, Microsoft does not guarantee that you are not vulnerable.
  • If you are using a version of Command AntiVirus prior to 4.58.3, download the latest version of Command AntiVirus from the downloads section at http://help.phys.unsw.edu.au/dl/windows.phtml

    To find out which version of Command AntiVirus you have, double click the yellow 'C' icon in the system tray in the bottom right corner of your screen to open the CAV control panel. Choose Help->About. Also check your virus definitions date: if deffiles is dated 09/18/01 or later you can skip the following steps.

  • Press the [Update Deffiles] button in the Command AntiVirus control panel. Note that you should first have followed the directions at http://help.phys.unsw.edu.au/dl/win/deffiles.phtml for this to work. If David or Kristien installed your computer, this will already have been done for you and the [Update Deffiles] button will work without fiddling.
  • Reboot

From ACSU: what to do if infected

Phone your local IT Support person or call the CSC (ACSU) HelpDesk on ext 1333. Do not use your computer until it has been disinfected. Warn people who are in your address book that they may have received an infected email from you, and ask them to update their virus definitions and scan their computers.

Other details

Nimda uses the Web Server Folder Traversal exploit to infect IIS servers. To download a patch for this exploit please go to http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

A patch for the MIME exploit which allows the worm to execute can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Technical information regarding Nimda and what it supposedly does can be found at http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Patches/upgrades suggested by Microsoft

Installing any of these patches will remove the Nimda e-mail vulnerability. Choose the patch that best suits your configuration. E-mail help@phys.unsw.edu.au if you are unsure which patch to use.

School of Physics - The University of New South Wales - Sydney Australia 2052