Nimda Worm Running Rampant on Web

The anticipated follow-up to the Code Red worm attacks got under way Tuesday with a far-reaching outbreak of W32.Nimda infestations. The aggressive worm, which seeks 16 vulnerabilities in Microsoft Corp.s IIS software, is thought to have infected thousands to tens of thousands of Web servers and slowed Internet traffic for many more, according to security experts.

The massive spread of Nimda came as the FBI issued renewed warnings about cyber-terrorism in the wake of last weeks attacks on New York and Washington. Officials at the FBIs NPIC (National Infrastructure Protection Center) said Tuesday that a group of hackers calling themselves The Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. According to the FBI, The Dispatchers claimed to be targeting communications and finance.

"There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place," NPIC officials said in a statement. "The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties."

An FBI spokesman declined to connect the Dispatchers warning with the Nimda outbreak.

W32.Nimda. is a double-threat, operating as a hybrid between a virus and a worm. Like Code Red, it attempts to take over IIS systems by utilizing known security holes in the Web server. However, while Code Red used only one security hole, W32.Nimda makes over 16 attempts on a system trying different exploits and in one server log eWEEK Labs saw it appear to try over 20 GET attempts on a server it was attacking.

The program is also spreading itself through e-mail through an attachment called readme.exe. If an Outlook client is not set to high security settings the virus can spread itself using the Outlook clients address book. Filtering out .exe files at the mail server should prevent the spread of W32.Nimda in this manner.

Probably the most unique way in which W32.Nimda spreads itself is through the Web server of an infected system. Once W32.Nimda infects an IIS system, it downloads a dll and gains administrative access. Compromised servers may then display a Web page prompting a visitor to download an Outlook file that contains the worm as an attachment, according to Eric Chien, program manager at Symantec Corp. in Cupertino, Calif. According to an alert on, reports are that Internet Explorer 5.x will automatically execute the file, which is called readme.eml.

Nimda also uses the traditional method of propagating through network shares. It looks for shares that allow access to the Guest account with no password required.