Nimda takes down New Brunswick government

The latest computer worm, Nimda, squirmed its way into government offices in New Brunswick Tuesday, leaving residents attempting to conduct government business online no choice but to roll back the calendar a few years.

Susan Shalala, a representative from the supply and services department in New Brunswick, started to notice some “abnormal activity” around noon on Tuesday. That activity, it turns out, was a symptom of the original infection Nimda caused in Web host servers.

“That’s why the government Web sites became unavailable to the public,” Shalala said. “It doesn’t completely debilitate the government. The real impact was with the public that wanted online access to the government.”

But the “abnormal activity” in technology brought about another kind of strange activity in government offices. Staff turned off their computers, used pens and typewriters to complete documents and the public started to line up to deal with government issues in person.

After finding that the worm infected various types of servers and personal computers throughout all government departments, IT staff worked into Tuesday evening, searching through the about 10,000 personal work stations and 350 servers to find the source.

“We are back online today, but we are still working on individual desktops,” she said. “We are running virus checks on every machine now.”

Gus Malezis, general manager of the Canadian arm of Network Associates in Markham, Ont., said government staff shouldn’t feel any shame about falling victim to this worm. It is, after all, “an extremely sophisticated bug.”

“This one really goes off the charts in terms of the quality and the skill of whoever created it,” he said. “It spread so quickly because it has four general methods of spreading and across those four methods, it has about 16 vulnerabilities that it looks to. This is extremely unique.”

Malezis said the worm took the most effective elements of a number of past worms and viruses, including Melissa, Code Red and Love Letter, and put them all together into a cocktail. For example, even users not infected by networks or e-mails are still vulnerable by simply looking at a Web site that is infected.

“This thing is just full of tricks,” he said.

It started to impact organizations Monday night, but by Wednesday, the bug was debilitating home computers, he said. What makes Nimda even more malicious is that it doesn’t just debilitate systems, it can open PC hard drives and expose everything in it to anyone on the network.

“Other people can see your stuff, delete stuff, change stuff,” he said. “It isn’t destructive, it just shares.”

Far away from New Brunswick, Nimda was busy striking companies in Japan and Norway. The bug doesn’t seem to be as active in Europe and the Middle East. Tentative reports say the bug may come from the People’s Republic of China.

This isn’t New Brunswick’s first problem with viruses. Both Code Red and Melissa impacted on-line government services in the province, which Shalala said have become “very popular.”

“We are confident that we have good systems in place,” she said, adding that departments are conducting a “post-mortem” of the last few days today.

“A worm like this, well, we just have to learn to deal with it. We dealt with this one successfully because we are up and running a day and a half after it infected us. There are always lessons to be learned with events like this.”

Network Associates Inc. and Trend Micro Inc. on Wednesday joined a growing number of vendors offering utilities designed to help protect businesses from the rapidly spreading Nimda worm.

The Santa Clara, Calif.-based company’s McAfee Avert anti-virus research lab has created an online command-line scanner, known as NimdaScan, which lets users detect, clean, and delete the worm from their systems. It can also scan the core route of an enterprise’s network to clean out infections for users who are unaware as to whether or not they have been infected.

Meanwhile, Trend Micro of Cupertino, Calif. announced on Wednesday a downloadable anti-Nimda utility that promises to restore the integrity of system files, thus repairing any damage that the worm has already created on client machines. Trend Micro recommended that users first scan their systems for the virus by using the company’s HouseCall virus scanner, a free online utility. Furthermore, Trend Micro also released an updated pattern file to remove the worm, which can be downloaded from the company’s Web site.

Other security companies have also risen to the challenge. Symantec, the Cupertino, Calif.-based giant, announced the availability of an online utility that promises to detect the worm and repair system damage in one step. The company is also reportedly working on a separate tool to remove the worm from PC memory.

Microsoft has also posted patches to its web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp