Enterprises Still Reeling From Nimda

Although the spread of the Nimda worm seems to be slowing, some companies and service providers are still crippled by the damage the virus wrought last week.

Customers of broadband provider XO Communications Inc., of Reston, Va., say that they have been unable to access pages in their private domains for nearly a week thanks to several Nimda-infected servers at XO.

One customer, who asked to remain anonymous, said his domain has been virtually unreachable since Sept. 18 and that he has been in contact with XO several times, but the company said it has no estimate of when his service might be restored.

“They told me the infected servers were rebooted and put back online, but they keep getting reinfected,” the customer said. “I was able to get onto my site once and look at my code, and it was mixed with all of this code from the virus that was launching pop-up windows. Its been a crazy mess. Theyre in big trouble and dont know what to do.”

An XO spokeswoman acknowledged that the company had been hit by Nimda and said that some of the filters it put in place were stopping legitimate traffic as well as Nimda infection attempts.

The worm, which may have infected as many as 200,000 machines, spreads via several methods, including e-mail and specially coded Web pages. Nimda also exploits several known flaws in Microsoft Corp.s popular IIS Web server software, as did the family of Code Red worms before it.

Once it infects a machine, the worm makes several changes to the registry, adds some files and infects others.

Nimda spread quickly last week, infecting computers all over the world, but the main concentration of infections was in the United States. However, the infection rate seems to have dropped significantly since then, and it isnt even in the top 10 most active viruses any longer, according to anti-virus company MessageLabs Ltd., based in Gloucester, England.