Nimda strikes campus
September 27, 2001
The destructive Nimda computer virus swept across the Internet last week, infecting systems in Ames and around the world.
WOI Radio Group’s Web site, www.woi.org, was out of service for three days last week after the Nimda virus infected its server, Lighthouse International of Des Moines.
“We were virtually invisible,” said William McGinley, general manager of WOI Radio Group.
McGinley said WOI’s Web site was attacked between 8 a.m. and 9 a.m. Tuesday, Sept. 18. Users were unable to access the site until service was restored Friday morning.
“During the last couple of weeks with the recent tragedies, [the number of] people accessing the WOI site has doubled,” McGinley said.
He said the Nimda virus was especially frustrating, because so many people couldn’t retrieve news from WOI’s Web site after the national tragedy.
McGinley credits WOI’s server for returning service to the site so quickly.
“Lighthouse International went into literally 24-hour work mode to rebuild their servers,” he said.
The Nimda worm is considered especially dangerous, because it uses multiple means of attack. Guy Helmer, ISU temporary assistant computer science professor, said there are three main methods Nimda used to infect other machines.
The virus attacked vulnerable Microsoft IIS and PWS Web servers using “Unicode” and “escaped” character encodings, said Helmer, senior software engineer at Palisade Systems. These specialized attacks allowed Nimda to run random programs on unpatched or improperly patched servers.
“[Nimda] is unusual in that it tries 16 different ways to exploit this problem,” he said.
Nimda also infects Web pages on an infected IIS Web server. When someone browses pages on that server, the worm is downloaded and executed.
Helmer said a third way Nimda spread was by infecting a computer running the Microsoft Outlook program. The virus mailed itself as the attachment “README.EXE” to people listed in Outlook’s address book.
“If a recipient of the e-mail message is also running Microsoft Outlook or Outlook Express and either reads the message or allows it to display in the preview pane, the worm will infect the computer,” Helmer said.
Viruses such as Nimda are forcing system administrators at major universities to take steps to improve the security of their systems, he said.
“Security is a process, not a product,” Helmer said, “and it takes regular maintenance to keep a network-connected system secure.”
Several campus computers were affected by Nimda outbreaks, said Mike Bowman, assistant director of computer security at Durham Center, but most of the damage was minor.
Bowman said the Solution Center at Durham has received phone calls from ISU students who own computers that were infected by the Nimda bug.
Students who need help removing the Nimda virus can get assistance from the Solution Center by calling 296-6000.
Bowman advised students to install current anti-virus software on their computers to prevent future infections from viruses such as Nimda.
“Viruses in general are going to continue to expand,” Bowman said. “Keeping up-to-date anti-virus software on a machine reduces the amount of problems.”