Nimda strikes worldwide

CIOL Bureau

Duncan Martell and Reed Stevenson

SAN FRANCISCO/TOKYO: A damaging new computer worm was spreading like wildfire across the Internet on Wednesday, hitting both home users and businesses in an outbreak that could prove more widespread and costly than the Code Red viruses, computer security experts said.

Known as "Nimda", which spells admin backward, the worm spreads by sending infected e-mails and through affected Web sites, making it a more malicious and versatile virus than earlier Internet threats, experts said.

The mass-mailing worm arrives in an e-mail without a subject line, carrying an attachment titled "readme.exe" that is disguised as a harmless audio file, experts said.

It first appeared in the United States on Tuesday and was spreading rapidly in Japan and the rest of Asia. The worm had not significantly slowed overall traffic on the Internet, although some corporate networks were bogged down, analysts said.

"Nimda infection on Web sites is spreading rapidly," said a spokesperson for Trend Micro, a leading US-Japanese anti-virus software maker, adding that one aspect of Nimda's versatility was its ability to modify Web sites so they carry files that can spread via downloads.

A spokesman from the government-sponsored Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) told Reuters on Wednesday it had received five reports of infections.

It did not identify the organizations involved. "It's spreading at an alarming speed and it's definitely high-risk," said Patrick Lee of HKCERT.

Japanese online magazine "Scan Security Wire" said numerous Web sites had been infected this way, including that of Microsoft Corp's Japanese unit.

In the United States, about 130,000 Web servers and personal computers appeared to be infected with it as of Tuesday afternoon, said David Moore, senior researcher at the Cooperative Association for Internet Data Analysis at UC San Diego's Supercomputer Center.

Internet security experts had warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon, but US Attorney General John Ashcroft said there was no sign of a link to those events.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft said. Ashcroft said Nimda could prove "heavier" than the Code Red worm that caused an estimated $2.6 billion in clean-up costs after outbreaks in July and August.

The origin of the virus was not clear and experts said it could take weeks before that would be known.

'Swiss army knife of worms'

"Based on personal experience and talking to 50 or so people on the Internet and customers, we're only seeing a minimal slowdown in network traffic right now," said Jim Jones, director of analysis and reporting for New York-based Predictive Systems.

In addition to spreading via e-mail, like the fast-spreading Melissa virus, Nimda also has the potential to generate so much Internet traffic that it slows networks. That makes it like the Code Red worm.

"This one is the Swiss Army knife of worms," said Dan Ingevaldson, who heads the security threat search arm of Internet Security Systems Inc, an Atlanta-based network security consultancy and software firm.

"It really seems to try everything."

Nimda does not appear capable of erasing files or data but has shown itself capable of slowing down computer operations as it replicates, experts said.

"It seems to be very widespread and (moves) at an incredibly quick rate," said Graham Cluley, senior technical consultant for Sophos Antivirus.

Nimda exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways, said Vincent Weafer, senior director of Symantec Corp's Symantec Security Response unit.

It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to reach those devices.

(C) Reuters Limited 2001.