Tribune

Monday, September 24, 2001

After Code Red, Nimda gives nightmares
Bernhard Warner

A fast-spreading computer worm has corrupted corporate computer networks and personal computers in an outbreak that could be more widespread and damaging than the Code Red infections, computer security experts said.

U.S. Attorney General John Ashcroft speaks to the press at the FBI building in Washington. Ashcroft introduced the new interim rules on custody procedures for the Immigration and Naturalisation Service, and went on to say that the "Nimda" computer virus was not linked to the recent terrorist attacks on the World Trade Center and the Pentagon.

Known as ‘Nimda’, the word ‘admin’ spelt backwards, the worm first appeared in the USA on Tuesday last week and spread to Asia overnight; thousands of European businesses opened for business on Wednesday morning with infected computer systems.

Internet security experts had warned of the potential for an increase in virus activity after last week’s attacks on the World Trade Center and Pentagon, but US Attorney General John Ashcroft said there was no sign of a link to those events.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft said.


Ashcroft said Nimda could prove ‘heavier’ than the Code Red worm that caused an estimated $2.6 billion in clean-up costs after outbreaks in July and August.

One victim was German electronics conglomerate Siemens AG. The worm infiltrated part of its computer network, a company spokesman said, forcing the firm to shut down some computer servers and its e-mail system for a few hours.

As of 0930 GMT, the firm had fortified the affected systems. "No concrete damage was found," the spokesman said, adding the disruption had no impact on business operations.

The Nimda worm spreads by sending infected e-mails that carry an attachment named "readme.exe". It also propagates by breaking into poorly secured Web sites and modifying their pages so that visitors' Web browsers download and run the worm, IT officials said.

Its targets are both personal computers and Microsoft Web servers, making it a more malicious and versatile strain than earlier Internet threats, experts said.

In Europe, more than 15,000 companies had been infected by Nimda, said Raimond Genes, vice-president of sales and marketing for Trend Micro Inc, a security software firm. "This one is really horrible," he said. "It’s a combined attack."

The affected companies, which he would not name, are located in Germany, the United Kingdom, France, Italy and Switzerland, said Genes.

Graham Cluley, senior technical consultant for Sophos Anti-Virus in Oxford, told Reuters he would not be surprised if hundreds of thousands of users had been affected.

Son of Code Red?

There is evidence that Nimda may be the offspring of Code Red, a worm that ran rampant on the Internet through the latter part of the summer attacking vulnerable computer servers.

Genes said Trend Micro technicians dissected the Nimda worm and found the same code that had been used in four earlier worm outbreaks, including the Code Red infestation from earlier in the summer.

"We think it’s the same person or group who wrote the Code Red Trojan," Genes said. He added a statement in the code reading ‘Version 5’ bears this out.

Other security experts rejected the theory, saying sophisticated copycat hackers could have manipulated older worm programs to create Nimda.

They all agree it will be difficult to track the offender. Cluley said a statement in the Nimda code reading "copyright Republic of China" could be a red herring.

Triggered in the US

It first appeared in the USA on Tuesday last week and was spreading rapidly in Japan and the rest of Asia. Infections were reported in Japan, Hong Kong, Taiwan, South Korea, Singapore and China.

The worm had not significantly slowed overall traffic on the Internet, although, like Code Red, some corporate networks were bogged down. One aspect of Nimda’s versatility was its ability to modify Web sites to carry files that can spread via downloads, analysts said.

Unlike Code Red, the worm can infiltrate a corporate network and create a user account with unlimited access to files and e-mail. "It can even send e-mails in your name," said Cluley.

Japanese online magazine "Scan Security Wire" said numerous Web sites had been infected this way, including that of Microsoft Corp’s Japanese unit.

In the USA, about 130,000 Web servers and personal computers appeared to be infected as of Tuesday afternoon, said David Moore, senior researcher at the Cooperative Association for Internet Data Analysis (CAIDA) at UC San Diego’s Supercomputer Center.

Nimda exploits already known, and already patched, weaknesses in Microsoft’s Internet Information Server (IIS) Web software running on Windows NT or 2000 machines, among them the directory-traversal flaws in IIS and the backdoor left behind on servers that Code Red II had infected. Rather than relying on a single hole, experts say, it probes each server for one of 16 vulnerable access points.

Once Nimda infects a machine, it tries to replicate in three ways, said Vincent Weafer, senior director of Symantec Corp’s Symantec Security Response unit.

It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans for IIS servers with the known vulnerabilities and attacks those servers.

Finally, it looks for open network file shares and copies itself onto them.
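The server-side vector described above leaves a distinctive trail in Web server logs: a burst of requests for cmd.exe or root.exe, often hidden behind double percent-encoding or malformed UTF-8 that the IIS decoder of the day turned into path separators. The following is an added example, not code from the article or from any of the vendors quoted in it, showing how a responder could pick those probes out of a log. The log lines are constructed for the example, the table of overlong byte sequences is illustrative rather than complete, and the W3C-style log layout (date, time, client, method, uri-stem, uri-query, status) is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines in IIS W3C-extended style (date time client method
# uri-stem uri-query status). They are made up for this example; the request
# paths imitate the kind of cmd.exe/root.exe probes Nimda-era worms sent.
SAMPLE_LOG = """\
2001-09-18 13:41:07 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 13:41:08 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:41:09 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:41:10 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:41:11 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:41:12 10.0.0.5 GET /_vti_bin/..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:42:00 10.0.0.9 GET /index.html - 200
2001-09-18 13:42:01 10.0.0.9 GET /images/logo.gif - 200
"""

# Malformed/overlong UTF-8 byte pairs that the IIS decoder of the day turned
# into a slash or backslash. Assumption: this table is illustrative, not a
# complete list of what the server accepted.
OVERLONG = {
    b"\xc0\xaf": b"/", b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\",
}

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# cmd.exe / root.exe as the final path element, or any "/../" left after
# normalisation: both are what a traversal probe looks like once decoded.
SUSPICIOUS = re.compile(r"/(cmd|root)\.exe$|/\.\./")


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Canonicalise a request path the way an attacker hopes the server will.

    Percent-decoding is repeated until it stops changing the string, which
    catches double-encoding such as %255c -> %5c -> backslash; the overlong
    UTF-8 pairs are mapped to the separator they were meant to smuggle in;
    backslashes are folded to slashes and the result is lower-cased.
    """
    raw = uri.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        for seq, repl in OVERLONG.items():
            decoded = decoded.replace(seq, repl)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def scan_log(text: str) -> list:
    """Return one record per request whose normalised path looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip headers, comments and malformed lines
        ts, client, method, stem, query, status = m.groups()
        norm = normalize_uri(stem)
        if SUSPICIOUS.search(norm):
            hits.append({"time": ts, "client": client, "method": method,
                         "uri": stem, "normalized": norm, "status": int(status)})
    return hits


def scanning_hosts(hits: list, min_probes: int = 3) -> dict:
    """Clients that sent at least min_probes suspicious requests. A worm fires
    its whole probe list in one burst, so several hits from one host is the
    signature, not an isolated 404."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return {c: n for c, n in counts.items() if n >= min_probes}


def executed_probes(hits: list) -> list:
    """Probes answered with 200: the server found and ran the requested
    cmd.exe/root.exe, so that host should be treated as compromised."""
    return [h for h in hits if h["status"] == 200]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]} {h["status"]} {h["uri"]} -> {h["normalized"]}')
    print("scanning hosts:", scanning_hosts(found))
    print("executed probes:", len(executed_probes(found)))
```

The point of the repeated decoding is that a filter matching the literal string "cmd.exe" in the raw request line would still catch most of these, but not a probe whose separators are hidden behind %255c or %c0%af; normalising first means one rule covers the whole list of variants, and the 200 responses separate "somebody scanned us" from "the scan worked".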