W32/Nimda-A virus can infect users of the Windows 95/98/Me operating systems as well as Windows NT and 2000.

Nimda is an aggressively-spreading, network aware mass mailer, capable of replicating in the following ways:

• client to client via email;
• client to client via open network shares;
• client to Web server via active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
• client to Web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms
• web server to client via browsing of compromised Web sites

Don't Let it Happen Again

Protect the network server - install Entercept 2.0 - it proactively protects critical business servers from illegal or potentially threatening calls to the operating system. Using an extensive intrusion dictionary and an exclusive behavior model, Entercept can identify and stop generic and specific intrusion requests. It gives companies unparalleled protection at the operating system level.

Protect the Web Server - install Entercept Web Server Edition - it proactively prevents intrusions from infecting critical Web servers and their applications. This solution stops both known and unknown attacks and creates a secure environment for your Web servers and applications. It is the ultimate protection for Web servers.

Entercept prevents Directory Traversal attacks, including those used by the Concept / Nimda worm. When the worm attempts to compromise an Entercept-protected Web server, the attack will fail and the server will not be compromised. The following Entercept rules will prevent Concept / Nimda from succeeding:

• IIS Directory Traversal
• IIS Directory Traversal and Code Execution
• IIS Double Hex Encoding Directory Traversal

Entercept also prevents unauthorized changes to Web content, so it prevents the worm from altering Web pages in order to spread itself to other servers.

Entercept, in cooperation with standard security best practices, will protect Web servers against Concept / Nimda. These best practices include not reading email or browsing the Web from a production Web server, as well as not having network shares open on a server. Entercept will prevent the Web server from being compromised via HTTP and IIS exploits. The aforementioned best practices will ensure that this particular worm does not arrive on the Web server by manual means. Entercept recommends that companies maintain their AV software updates in order to address the virus portion of this hybrid threat. Entercept further recommends that companies stay current with their patches, and install Web Server Edition to ensure security from this kind of attack while patches are not yet available or have not been deployed.

Protect the email perimeter - install the email content security filtering tool MIMEsweeper for SMTP. It can be configured for blocking all executables and spam from entering the email network 

Protect the email servers - install the email content security filtering tool SecuriQ for Lotus Notes Domino or Microsoft Exchange Server. It can be configured for blocking all executables and spam from being delivered to a users mailbox

Protect the web client - install Websweeper - it enables customers to implement Content Security policies on Web, HTTP and passive FTP transfers. Acting as a bi-directional tool, WEBsweeper security checks are applied to both downloads from and uploads to the Web.