W32.Nimba.A Worm Creating Internet Slowdowns
Notice —Sept. 18 '01

Starting around 9:00 AM this morning, September 18th, a new worm, "W32.Nimbda.A," began propagating across the Internet creating congestion and sluggish performance. A worm is similar to a self-propagating virus.

The worm in question is propagating both through email and by exploiting security holes in computers running Microsoft's IIS software. The worm itself is a file called README.EXE, or ADMIN.DLL. Customers should avoid opening any email attachments with these names, or any other unexpected attachments. Customers running IIS should ensure that they have all of the latest security patches installed.

Nimda causes Internet sluggishness when it floods servers with Denial Of Service attacks. Locally, the worm's action seems to be affecting our web server, resulting in slower than usual performance. It may also be affecting transit, resulting in temporary, transient bottle necks. Our engineers are working to mitigate any local effects.

This worm's effect on the Internet at large means customers may find performance to given sites to be slow at times.

UPDATE   September 20

As many of you are aware, a new Internet worm named NIMDA began propagating on Tuesday, September 18th.It has been infecting computers both on the web and through email and has caused a number of problems in addition to congestion on the Internet. Please be sure your virus protection software has the most recent update, as of Wednesday 9/19, to assure that you do not get the worm. Microsoft has information on their website listed under 'new worm virus' with instructions for both protecting yourself and for eliminating the worm (www.microsoft.com).

Our servers are free of the worm, but we have experienced problems as some customers' computers became infected. On Tuesday our web server became very sluggish as it experienced extremely high traffic from the worm's repeated unsucessful attempts to gain access. By Tuesday evening, we were forced to temporarily stop retaining weblogs on our virtual web server; the magnitude of the error logs created by the worm's unsuccessful attempts to gain access consumed our storage. We have resumed weblogs as of this morning, but cannot be certain that we can maintain them in the wake of continued errors.

What this means in plain English is that the worm's activity has slowed things down. Our virtual web customers will be missing a little over a day of statistics (you probably would have seen mostly error logs that day anyway), and we encourage you to protect your computer. We have also heard from a few customers experiencing frequent disconnects beginning Tuesday which has been attributed to an infection by Nimda. Once again, anti-virus software should detect the worm.

We have also experienced much higher than normal customer demand for access lines resulting in intermittent busy signals throughout the state. It is our practice to closely monitor our usage patterns so we can order new lines before our customers ever hear a busy signal. This spike in usage was so sudden that we could only react. New lines are being rushed, but we have to ask that you be patient for a few days.

The Symantec Anti-Virus site has extensive information, http://securityresponse.symantec.com/,
as do the CERT site, http://www.cert.org/, and the McAfee site, http://mcafee.com/.