Nimda computer worm hits worldwide

SAN FRANCISCO - A new computer worm is spreading across the internet, hitting both home PC users and commercial servers, in an outbreak that could prove more widespread than the Code Red viruses, computer security experts said.

Known as "Nimda" (admin spelled backward), the worm spreads by sending infected e-mails and by infecting websites that use Microsoft web server software, making it a more versatile virus than earlier internet threats, experts said. (nzherald.co.nz does not use Microsoft web server software.)

The mass-mailing worm arrives in e-mail without a subject line and containing an attachment titled "readme.exe" that is disguised as a harmless audio file, experts said.

The worm has not significantly slowed overall traffic on the internet, although some corporate networks have bogged down, analysts say. Nimda was first noticed in widespread circulation on early this morning and fanned out to Fortune 500 companies and public agencies through the day.

About 130,000 web servers and personal computers now appeared to be infected with Nimda, said David Moore, senior researcher at Cooperative Association for Internet Data Analysis at UC San Diego's Supercomputer Center.

"Compared to Code Red, it may well be bigger simply because it can affect home users as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

The origin of the virus was not clear and experts said it could take weeks before that would be known.

In addition to spreading via e-mail, like the fast-spreading Melissa virus, Nimda also has the potential to generate so much internet traffic that that it slows networks, like the Code Red worm.

If Microsoft Corp.'s Outlook e-mail program has not been patched with an update that became available in March, the recipient does not need to open the email attachment to activate the virus. Opening the e-mail itself is sufficient, said Vincent Weafer, senior director of Symantec Corp.'s Symantec Security Response unit.

The worm will then send copies of itself to all the e-mail addresses in the infected users' address books, analysts said.

Other e-mail programs, such as Eudora or International Business Machine Corp.'s Lotus Notes, require the attachment to be opened for the virus to replicate, he said.

To protect against infection, experts urged home PC users to set their browsers for the highest level of security when surfing the internet to prevent their PCs from being infected.

"At the core, it is really a cocktail of a virus plus a Trojan (horse program) plus a worm," said Arvind Narain, senior vice president of Internet Services for anti-virus company Network Associates Inc.

Nimda does not appear capable of erasing files or data, but has shown itself capable of slowing down computer operations as it replicates, experts said.

Nimda exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to reach those devices, Symantec's Weafer said.

Patches are available for both the IIS vulnerability and web browsers at www.microsoft.com/security. The major anti-virus software companies updated their products to detect the Nimda worm today and made new versions of their programs available to customers on their websites.

- REUTERS

Virus details from Symantec