/ 19 September 2001

Virulent Nimda worm spreads like wildfire

DUNCAN MARTELL AND REED STEVENSON, San Francisco, Tokyo | Wednesday

A DAMAGING new computer worm was spreading like wildfire across the Internet on Wednesday, hitting both home users and businesses in an outbreak that could prove more widespread and costly than the Code Red viruses, computer security experts said.

Known as ”Nimda”, which spells admin backward, the worm spreads by sending infected e-mails and through affected Web sites, making it a more malicious and versatile virus than earlier Internet threats, experts said.

The mass-mailing worm arrives in e-mail without a subject line and containing an attachment titled ”readme.exe” that is disguised as a harmless audio file, experts said.

It first appeared in the United States on Tuesday and was spreading rapidly in Japan and the rest of Asia.

The worm had not significantly slowed overall traffic on the Internet, although some corporate networks were bogged down, analysts said.

”Nimda infection on Web sites is spreading rapidly,” said a representative for Trend Micro, a leading US-Japanese anti-virus software maker, adding that one aspect of Nimda’s versatility was its ability to modify Web sites so they carry files that can spread via downloads.

A representative from the government-sponsored Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) said on Wednesday it had received five reports of infections.

It did not identify the organisations involved.

”It’s spreading at an alarming speed and it’s definitely high-risk,” said Patrick Lee of HKCERT.

Japanese online magazine Scan Security Wire said numerous Web sites had been infected this way, including that of Microsoft Corp’s Japanese unit. In the United States, about 130 000 Web servers and personal computers appeared to be infected with it as of Tuesday afternoon, said David Moore, senior researcher at Cooperative Association for Internet Data Analysis at UC San Diego’s Supercomputer Center. There were no immediate reports that the worm were spreading into Africa.

Internet security experts had warned of the potential for an increase in virus activity after last week’s attacks on the World Trade Center and Pentagon, but US Attorney General John Ashcroft said there was no sign of a link to those events.

”There is no evidence at this time which links this infection to the terrorist attacks of last week,” Ashcroft said.

Ashcroft said Nimda could prove ”heavier” than the Code Red worm that caused an estimated $2,6-billion in clean-up costs after outbreaks in July and August.

The origin of the virus was not clear and experts said it could take weeks before that would be known.

In addition to spreading via e-mail, like the fast-spreading Melissa virus, Nimda also has the potential to generate so much Internet traffic that it slows networks. That makes it like the Code Red worm.

”This one is the Swiss Army knife of worms,” said Dan Ingevaldson, who heads the security threat search arm of Internet Security Systems Inc, an Atlanta-based network security consultancy and software firm.

”It really seems to try everything.”

Nimda does not appear capable of erasing files or data but has shown itself capable of slowing down computer operations as it replicates, experts said.

”It seems to be very widespread and (moves) at an incredibly quick rate,” said Graham Cluley, senior technical consultant for Sophos Antivirus.

Nimda exploits an already detected vulnerability in Microsoft’s Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways, said Vincent Weafer, senior director of Symantec Corp’s Symantec Security Response unit.

It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs.

It also scans IIS servers looking for the known vulnerability and attacks those servers.

Finally, it looks for shared disk drives and tries to reach those devices. – Reuters

18