Virulent Nimda Computer Worm Hits Worldwide By Duncan Martell

SAN FRANCISCO (Reuters) - A damaging new computer worm was spreading like wildfire across the Internet on Tuesday, hitting both home PC users and commercial servers, in an outbreak that could prove more widespread and costly than the Code Red viruses, computer security experts said.

Known as ``Nimda,'' which spells admin backward, the worm spreads by sending infected e-mails and through infected Web sites, making it a more malicious and versatile virus than earlier Internet threats, experts said.

The mass-mailing worm arrives in e-mail without a subject line and containing an attachment titled ``readme.exe'' that is disguised as a harmless audio file, experts said.

As of late Tuesday afternoon, the worm had not significantly slowed overall traffic on the Internet, although some corporate networks had bogged down, analysts said. Nimda was first noticed in widespread circulation on Tuesday morning and fanned out to Fortune 500 companies and public agencies through the day.

About 130,000 Web servers and personal computers appeared to be infected with Nimda as of Tuesday afternoon, said David Moore, senior researcher at Cooperative Association for Internet Data Analysis at UC San Diego's Supercomputer Center.

Internet security experts had warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon (news - web sites), but U.S. Attorney General John Ashcroft (news - web sites) said there was no sign the outbreak was linked to those events. ``There is no evidence at this time which links this infection to the terrorist attacks of last week,'' Ashcroft told a news briefing.

Ashcroft said Nimda could prove ``heavier'' than the Code Red worm that caused an estimated $2.6 billion in clean-up costs after outbreaks in July and August.

The government agency National Infrastructure Protection Center on Monday issued an advisory saying it expects an increase in virus and worm attacks. On Sept. 12, a group of hackers calling itself ``Dispatchers'' predicted they would step up hacking activities on Tuesday, the NIPC said.

``Compared to Code Red, it may well be bigger simply because it can affect home users as well,'' said Graham Cluley, senior technical consultant for Sophos Antivirus.

The origin of the virus was not clear and experts said it could take weeks before that would be known.

'SWISS ARMY KNIFE OF WORMS'

``Based on personal experience and talking to 50 or so people on the Internet and customers, we're only seeing a minimal slowdown in network traffic right now,'' said Jim Jones, director of analysis and reporting for New York-based Predictive Systems.

In addition to spreading via e-mail, like the fast-spreading Melissa virus, Nimda also has the potential to generate so much Internet traffic that that it slows networks, like the Code Red worm.

``This one is the Swiss Army knife of worms,'' said Dan Ingevaldson, who heads the security threat search arm of Internet Security Systems Inc., an Atlanta-based network security consultancy and software firm. ``It really seems to try everything.''

If Microsoft Corp.'s (Nasdaq:MSFT - news) Outlook e-mail program has not been patched with an update that became available in March, the recipient does not need to open the email attachment to activate the virus. Opening the e-mail itself is sufficient, said Vincent Weafer, senior director of Symantec Corp.'s (Nasdaq:SYMC - news) Symantec Security Response unit.

The worm will then send copies of itself to all the e-mail addresses in the infected users' address books, analysts said.

Other e-mail programs, such as Eudora or International Business Machine Corp.'s (NYSE:IBM - news) Lotus Notes, require the attachment to be opened for the virus to replicate, he said.

To protect against infection, experts urged home PC users to set their browsers for the highest level of security when surfing the Internet to prevent their PCs from being infected.

``At the core, it is really a cocktail of a virus plus a Trojan (horse program) plus a worm,'' said Arvind Narain, senior vice president of Internet Services for anti-virus company Network Associates Inc. (Nasdaq:NETA - news).

NO DATA DESTRUCTION

Nimda does not appear capable of erasing files or data, but has shown itself capable of slowing down computer operations as it replicates, experts said.

The worm had appeared in the United States, Europe and Latin America on Tuesday and was likely to spread elsewhere, analysts said. ``It seems to be very widespread and (moves) at an incredibly quick rate,'' Cluley said.

Nimda exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to reach those devices, Symantec's Weafer said.

The California agency that controls most of the state's power grid said that its office had been infected by a form of the Nimda worm, but that no critical operations were affected.

``The systems which run the grid and the market are totally different, and are completely unaffected,'' said Stephanie McCorkle, a spokeswoman for the California Independent System Operator (news - web sites) (ISO).

Experts urged companies and users to update anti-virus software and to download available software patches.

Patches are available for both the IIS vulnerability and Web browsers at (http://www.microsoft.com/security). The major anti-virus software companies updated their products to detect the Nimda worm on Tuesday and made new versions of their programs available to customers on their Web sites.

-- (headsup@heads.up), September 18, 2001

Answers

Windows users who are running Internet Explorer 5.01 Service Pack 1, or IE 5.5 Service Pack 1, should download and install the patch available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

if they haven't already.

This fix is already included in Internet Explorer 5.01 Service Pack 2 and IE 5.5 Service Pack 2. Presumably they've fixed this vulnerability in IE 6 too, though it doesn't really say at that site.

-- Chicken Little (panic@forthebirds.net), September 19, 2001.