Nimda computer worm hits worldwide

1.30 pm

SAN FRANCISCO - A new computer worm is spreading across the internet, hitting both home PC users and commercial servers, in an outbreak that could prove more widespread than the Code Red viruses, computer security experts said.

Known as "Nimda" (admin spelled backward), the worm spreads by sending infected e-mails and by infecting websites that use Microsoft web server software, making it a more versatile virus than earlier internet threats, experts said. (nzherald.co.nz does not use Microsoft web server software.)

The mass-mailing worm arrives in e-mail without a subject line and containing an attachment titled "readme.exe" that is disguised as a harmless audio file, experts said.

The worm has not significantly slowed overall traffic on the internet, although some corporate networks have bogged down, analysts say. Nimda was first noticed in widespread circulation on early this morning and fanned out to Fortune 500 companies and public agencies through the day.

About 130,000 web servers and personal computers now appeared to be infected with Nimda, said David Moore, senior researcher at Cooperative Association for Internet Data Analysis at UC San Diego's Supercomputer Center.

Internet security experts had warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon, but US Attorney General John Ashcroft said there was no sign the outbreak was linked to those events. "There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft told a news briefing.

Ashcroft said Nimda could prove "heavier" than the Code Red worm that caused an estimated $US2.6 billion in clean-up costs after outbreaks in July and August.

The government agency National Infrastructure Protection Center on Monday issued an advisory saying it expects an increase in virus and worm attacks. On Sept. 12, a group of hackers calling itself "Dispatchers" predicted they would step up hacking activities today, the NIPC said.

"Compared to Code Red, it may well be bigger simply because it can affect home users as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

The origin of the virus was not clear and experts said it could take weeks before that would be known.

"Based on personal experience and talking to 50 or so people on the internet and customers, we're only seeing a minimal slowdown in network traffic right now," said Jim Jones, director of analysis and reporting for New York-based Predictive Systems.

In addition to spreading via e-mail, like the fast-spreading Melissa virus, Nimda also has the potential to generate so much internet traffic that that it slows networks, like the Code Red worm.

"This one is the Swiss Army knife of worms," said Dan Ingevaldson, who heads the security threat search arm of Internet Security Systems Inc., an Atlanta-based network security consultancy and software firm. "It really seems to try everything."

If Microsoft Corp.'s Outlook e-mail program has not been patched with an update that became available in March, the recipient does not need to open the email attachment to activate the virus. Opening the e-mail itself is sufficient, said Vincent Weafer, senior director of Symantec Corp.'s Symantec Security Response unit.

The worm will then send copies of itself to all the e-mail addresses in the infected users' address books, analysts said.

Other e-mail programs, such as Eudora or International Business Machine Corp.'s Lotus Notes, require the attachment to be opened for the virus to replicate, he said.

To protect against infection, experts urged home PC users to set their browsers for the highest level of security when surfing the internet to prevent their PCs from being infected.

"At the core, it is really a cocktail of a virus plus a Trojan (horse program) plus a worm," said Arvind Narain, senior vice president of Internet Services for anti-virus company Network Associates Inc.

Nimda does not appear capable of erasing files or data, but has shown itself capable of slowing down computer operations as it replicates, experts said.

The worm had appeared in the United States, Europe and Latin America on Tuesday and was likely to spread elsewhere, analysts said. "It seems to be very widespread and (moves) at an incredibly quick rate," Cluley said.

Nimda exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to reach those devices, Symantec's Weafer said.

Experts urged companies and users to update anti-virus software and to download available software patches.

Patches are available for both the IIS vulnerability and web browsers at www.microsoft.com/security. The major anti-virus software companies updated their products to detect the Nimda worm today and made new versions of their programs available to customers on their websites.

- REUTERS

Virus details from Symantec