Nimda will be with us for a long time, it appears. The Nimda virus continues to run rampant on the Internet, and now it's not just IIS servers spreading the virus. In fact, according to Pat Nolan from StormRanger Computer Security, network administrators report that Nimda infections didn't spread through IIS servers or email, but through browsers. Microsoft and other companies haven't published specific information documenting the problem's correction and prevention, but Nolan provided some information for Microsoft Internet Explorer (IE). To protect against a network user inadvertently getting or passing Nimda within a network, you must disable Java or Downloads in all "Internet, Trusted, Intranet, and Restricted" Security Zones. You should also place email in the Restricted Sites Security Zone with "everything" disabled. According to Microsoft, IE won't always execute the attachment—it only executes the attachment if File Downloads are enabled in the opened email's Security Zone. However, IE enables File Downloads in all zones by default.
In more specific terms, Nolan summarizes that, by default, IE executes the virus through email (except in Microsoft Outlook and Outlook Express 6.x) or from a Nimda-infected Web site—even if the Web server has the patch installed. The default IE Security Zone settings act as the "virtual click" that lets the JavaScript run and downloads the file without explicit user permission.
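To audit and apply the zone hardening described above, here is an added PowerShell example (not from the article, Nolan, or Microsoft). It assumes a current Windows host, that the per-user zone settings live under HKCU, and the documented URL-action values 1803 (file downloads), 1400 (active scripting) and 1C00 (Java permissions); Group Policy can override these keys.

```powershell
# Added example: audit and harden IE Security Zone download/script settings.
# Assumes per-user zone settings under HKCU (Group Policy may override them).
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# URL actions: 1803 = File downloads, 1400 = Active scripting (0 Enable, 1 Prompt, 3 Disable);
# 1C00 = Java permissions (0 = Disable Java; other values select a Java safety level).
$Actions = @{ '1803' = 'File downloads'; '1400' = 'Active scripting' }

function Get-ZoneDownloadRisk {
    # Emits one row per zone/setting; Risky = $true means the setting is not disabled.
    foreach ($zone in 1..4) {
        $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $zone)
        foreach ($action in $Actions.Keys) {
            $value = $props.$action
            $state = switch ($value) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { "Unknown ($value)" } }
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Setting = $Actions[$action]
                State   = $state
                Risky   = ($value -ne 3)
            }
        }
        $java = $props.'1C00'
        [pscustomobject]@{
            Zone    = $ZoneNames[$zone]
            Setting = 'Java permissions'
            State   = $(if ($java -eq 0) { 'Disabled' } else { '0x{0:X}' -f [int]$java })
            Risky   = ($java -ne 0)
        }
    }
}

function Set-ZoneHardening {
    # Disables file downloads and active scripting and turns Java off in every zone.
    # Use -WhatIf to preview the registry writes before applying them.
    param([switch]$WhatIf)
    foreach ($zone in 1..4) {
        $key = Join-Path $ZoneRoot $zone
        foreach ($action in $Actions.Keys) {
            Set-ItemProperty -Path $key -Name $action -Value 3 -Type DWord -WhatIf:$WhatIf
        }
        Set-ItemProperty -Path $key -Name '1C00' -Value 0 -Type DWord -WhatIf:$WhatIf
    }
}

# Report only the zones that still allow downloads, scripting or Java.
Get-ZoneDownloadRisk | Where-Object Risky | Format-Table -AutoSize
```

Run `Set-ZoneHardening -WhatIf` first to see which values would change; Outlook and Outlook Express read the Restricted Sites zone (zone 4), so that zone is the one that governs email attachments.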
Nolan recommends these Microsoft Web Resources for Nimda prevention and IE security administration:
- The Microsoft article "Information on the 'Nimda' Worm" provides Nimda information and actions for end users and network and IIS administrators.
- MS01-020 (Incorrect MIME Header Can Cause IE to Execute E-Mail Attachment) discusses how IE executes email attachments.
- The Microsoft Product Support Services article "How to Configure Internet Explorer 5.x to Block Access to All But Approved Internet Sites" tells you how to use IE's Content Advisor to block access to Web sites.
- Check out the StormRanger site for more information about the effects of the Nimda virus and how to secure your computers.
On a similar note, reader Julian Kuiters pointed out three simple recommendations that many IIS administrators don't know about or disregard until a virus appears.
- The Microsoft Security Notification Service alerts IIS administrators to all security updates that Microsoft issues immediately after they become available. You can subscribe to the service from the Microsoft Security Web site.
- The IIS Lockdown Tool secures an IIS server by automatically removing the default script mappings and sample applications. The tool even sets the file permissions on folders. You can download the IIS Lockdown Tool from Microsoft's Web site.
- The Network Security Hotfix Checker (Hfnetchk.exe) checks your IIS server for all available hotfixes and updates. Because the tool leverages the Windows Management Instrumentation (WMI) provider, it can also check machines remotely. Hfnetchk verifies that hotfixes are correctly installed by checking both the registry and the physical files. The tool's options show which hotfixes have already been applied and which cumulative patches will bring the machine up to date. The tool can also scan your entire network for computers, by IP address range or through Active Directory (AD). You'll find the Network Security Hotfix Checker on Microsoft's Web site.