
Multi-Fanged Worm Starts Global Attack

New mass-mailing worm starts sophisticated attack on PCs and servers worldwide.

Frank Thorsberg, PCWorld.com

A new "super worm" called Nimda that has improved on the threats from predecessors such as Code Red and Sircam has been detected spreading quickly to tens of thousands of computers around the world and infecting PCs in multiple ways.

The mass-mailing style worm is particularly dangerous because it spreads not only through e-mail, but also via Web pages and across shared disks on networks. Some users of both Microsoft Outlook and Outlook Express might become infected simply by clicking on an infected e-mail message--you don't necessarily have to open the infected attachment. E-mail bearing Nimda may arrive with a blank subject line and nothing visible in the body of the message.

"This is a new, fast-spreading Internet worm that has been seen spreading in the wild," says Steven Sundermeier, product manager at Central Command. "It's very complex, more dangerous, with lots more potential (than Code Red). It's like a super Code Red plus a super Sircam combined."

The worm had affected "tens of thousands" of computers by late Tuesday, according to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh, which reports receiving a steady stream of reports about Nimda.

Damage Undetermined

Most virus-protection programs will stop the worm from spreading to your PC. Of course, you should make sure you have an updated version of that software, with the latest virus data files. Also, treat any suspicious e-mail with great care and scan attachments for viruses before opening them.

And here's more good news: Even if the worm hits your PC, it doesn't appear to do any serious damage.

"Based on our current analysis, there does not appear to be any overly malicious payload. Nothing like removing files or anything like that," says Chad Dougherty, Internet security analyst with CERT/CC. "Currently, the only functions it undertakes are what it needs to propagate."

The FBI does not believe the worm is related to last week's terrorist attacks in New York and Washington, D.C., according to a statement by Attorney General John Ashcroft. There was some initial speculation that the worm was related to the attacks, because Tuesday is the one-week anniversary of the attacks.

Nonetheless, Nimda is spreading quickly, exploiting known weaknesses. Servers that were hit by Code Red could be especially vulnerable because that worm created openings for future exploitation, Dougherty says.

"It's the combination that makes this one particularly unique," Dougherty adds. "The fact that it's using several different methods of attack makes it different from Code Red and some of the others."

Several computer security organizations, including the CERT/CC and Incidents.org, had issued alerts about increased activity on the Internet that may be related to the new worm.

Inoculations Available

Nimda, which is "admin" spelled backwards, is also called W32.Nimda.A@mm. It arrives in your e-mail box as a readme.exe attachment. The worm, which is about 57K in size, exploits a known vulnerability in the Outlook software, Sundermeier says.

"The exploit will execute the virus when the user views the message," he says.

The readme.exe file has a malformed header, which makes the computer think it is a .wav (sound) file, says Roger Thompson of TruSecure. However, it is really a program that can execute from the preview pane when users view the message without actually opening the attachment.
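The mismatch Thompson describes (a header that declares a sound file while the bytes are a Windows executable named readme.exe) is exactly what a mail gateway check can look for. The following Python script is an added editorial example, not code from the article, the worm, or any vendor named here; it builds a constructed single-part message with that mismatch, parses it with the standard library `email` package, and flags any part whose declared Content-Type disagrees with its file name or with the leading bytes of its payload. The sample messages, the `build_sample` helper and the two-signature `sniff` function are assumptions for illustration only.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Added example: constructed samples only; nothing here is the worm's own
# code or a captured Nimda message.

EXEC_TYPES = {"application/x-msdownload", "application/octet-stream",
              "application/x-msdos-program"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def build_sample(filename, maintype, subtype, payload):
    """Build a single-part message whose body is `payload`, declared as
    maintype/subtype and named `filename` (constructed test input)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    # No Subject header, mirroring the blank subject line described above.
    msg.set_content(payload, maintype=maintype, subtype=subtype,
                    disposition="inline", filename=filename)
    return msg.as_bytes()


def sniff(data):
    """Identify a payload from its leading bytes (two signatures only)."""
    if data[:2] == b"MZ":
        return "application/x-msdownload"   # Windows PE/DOS executable
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return "application/octet-stream"


def scan_attachments(raw):
    """Return a finding for every non-multipart part whose declared
    Content-Type disagrees with its file name or its leading bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        filename = part.get_filename()
        if filename is None and declared.startswith("text/"):
            continue                      # ordinary message body
        data = part.get_payload(decode=True) or b""
        sniffed = sniff(data)
        ext = os.path.splitext(filename or "")[1].lower()
        reasons = []
        if sniffed == "application/x-msdownload" and declared not in EXEC_TYPES:
            reasons.append(f"declared {declared} but payload is a PE executable")
        if ext in EXEC_EXTS and declared not in EXEC_TYPES:
            reasons.append(f"executable name {filename!r} under {declared}")
        if reasons:
            findings.append({"filename": filename, "declared": declared,
                             "sniffed": sniffed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # A readme.exe declared as audio/x-wav (the pattern described above)
    bad = build_sample("readme.exe", "audio", "x-wav",
                       b"MZ\x90\x00" + b"\x00" * 60)
    # A genuine RIFF/WAVE payload under the same declared type passes.
    good = build_sample("sound.wav", "audio", "x-wav",
                        b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 16)
    for finding in scan_attachments(bad) + scan_attachments(good):
        print(finding)
```

The check deliberately trusts neither the declared type nor the file name on its own: the first sample is caught twice, once because the bytes are a PE image under an audio type and once because an `.exe` name sits under a non-executable type, while the real WAV file produces no finding.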

You can deactivate the preview function easily in Outlook. Go to the View drop-down menu, and click on Preview Pane to deactivate. In Outlook Express, again choose the View menu, and choose Layout. This brings up a dialog box--choose Show Preview Pane and click to remove the checkbox, which grays out the options and deactivates the preview pane.

Depending on the environment, this new worm may have as many as 16 means of spreading itself, according to Sam Curry, a security architect with antivirus product vendor McAfee.com.

For example, it can lure Web surfers to download an infected file from a Web site with pages that have been compromised by the worm, Curry warns.

"You could get it by surfing the Web, but not by just going to a page. You have to engage with the page," he says. "Web sites are defaced and the manner of that defacement tries to encourage visitors to download a file."

Under Scrutiny

The multifaceted worm was detected Tuesday morning. Its complexities are still being unraveled by experts at antivirus companies, including McAfee and Symantec, which have detailed information about prevention and cures on their Web sites.

"It took the best of various viruses which have been effective in their own niches and combined into one overwhelming one," Sundermeier says. "It's very complex and now, even hours later, vendors are scrambling to make a full analysis."

Microsoft is also evaluating the worm and will develop an Outlook patch if one proves necessary.

"We are working closely with the antivirus community and will have updated virus scanners shortly," Microsoft says in a statement. The company has posted more information on its Web site.

"(Nimda) is certainly much faster, much more aggressive, and much bigger" than Code Red, according to Roger Thompson, technical director of malicious code at TruSecure. The Code Red worm caused headaches for systems administrators worldwide earlier this year.

Sundermeier says the worm uses Messaging API (MAPI) functions to read users' e-mail, from which it extracts SMTP server addresses and e-mail addresses, and then sends itself to those addresses. He says Nimda also spreads by using the Unicode Web Traversal exploit in a manner similar to the Code Blue Internet worm, which was discovered on September 7.
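The Unicode Web Traversal exploit mentioned above works because the vulnerable IIS versions checked a request path for ".." before fully decoding it, so overlong UTF-8 escapes such as %c0%af (for "/") and %c1%1c (for "\"), or a double-encoded %255c, slipped past the check and then decoded to a path separator. The following Python script is an added editorial example, not code from the article or from CERT/CC, that models that lenient decoding and runs it over constructed IIS-style log lines to flag traversal requests and requests for cmd.exe or root.exe (the copy of cmd.exe that Code Red II left behind, which is the kind of "opening" Dougherty refers to). The log lines, field layout and the simplified decoder are assumptions for illustration, not IIS's actual code.

```python
# Added example: detection logic for IIS Unicode directory-traversal
# requests, run over constructed log lines. The decoder is a simplified
# model of the lenient decoding that made the exploit work.

LOG_FIELDS = ("date", "time", "ip", "method", "stem", "query", "status")


def percent_decode(s):
    """Decode %XX escapes into raw bytes; leave malformed escapes as-is."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s):
            try:
                out.append(int(s[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        out.extend(s[i].encode("latin-1"))
        i += 1
    return bytes(out)


def lenient_utf8(b):
    """Turn bytes into text, accepting two-byte sequences that encode ASCII
    (overlong or malformed forms such as %c0%af for '/' and %c1%1c for '\\')."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            cp = ((c & 0x1F) << 6) | (b[i + 1] & 0x3F)
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def normalize(path, rounds=3):
    """Decode repeatedly (double-encoding like %255c needs two passes),
    then fold backslashes to forward slashes."""
    cur = path
    for _ in range(rounds):
        nxt = lenient_utf8(percent_decode(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def analyze_path(stem):
    """Reasons to flag a request path, in a fixed order."""
    norm = normalize(stem)
    segs = norm.split("/")
    reasons = []
    if ".." in segs:
        raw_segs = stem.replace("\\", "/").split("/")
        # ".." only visible after decoding is the signature of the exploit
        reasons.append("traversal" if ".." in raw_segs else "encoded traversal")
    name = segs[-1].lower()
    if name == "cmd.exe":
        reasons.append("cmd.exe")
    if name == "root.exe":                # cmd.exe copy left by Code Red II
        reasons.append("root.exe")
    return reasons


def scan_log(lines):
    """Return a hit record for every log line whose path is suspicious."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(LOG_FIELDS):
            continue
        rec = dict(zip(LOG_FIELDS, fields))
        reasons = analyze_path(rec["stem"])
        if reasons:
            hits.append({"ip": rec["ip"], "stem": rec["stem"],
                         "query": rec["query"], "status": rec["status"],
                         "reasons": reasons})
    return hits


# Constructed sample log (not a real capture) in a simplified W3C layout.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:02:14 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:15 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:02:16 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 10:02:17 10.0.0.5 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:02:20 10.0.0.9 GET /index.html - 200
2001-09-18 10:02:21 10.0.0.9 GET /images/logo%20small.gif - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["stem"], hit["reasons"])
```

The important design point is decode-then-check, the opposite of the order the vulnerable server used: a literal "../" and an encoded "..%c0%af.." both normalize to the same segments, so one rule catches both, and the "encoded traversal" label tells an analyst that the request was crafted to evade a check rather than merely mistyped.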

The Nimda worm can also propagate through a local area network. The worm activates the "Guest" user account, which has no password, and adds that account to the Administrators group. It also shares the C:\ drive with full access rights.

PC World Contributing Editor Stuart J. Johnston assisted with this report.


©2009 About.com, a part of The New York Times Company.

All rights reserved.