It makes Code Red look pretty in pink. A new worm called Nimda contains so many ways to infect Microsoft Windows-based computers that millions of infections are expected throughout the day.
A security expert from TruSecure, which discovered the worm, says it's possible to become infected just by browsing an infected Web site. TruSecure named the worm after the file name that transports it: W32.nimda.a.mm. The worm was discovered around 9 a.m. and complaints about Internet slowdowns have been proliferating since.
“This will definitely be the biggest malicious code event of the year,” said Roger Thompson, TruSecure's technical director of malicious code research.
Security experts are still gnawing on the code, but what is known for sure is Nimda is spreading far quicker than Code Red, which infected more than 300,000 Microsoft Web servers in July and August, and has the potential to create far greater damage.
No destructive payload has been discovered yet, but because it is spreading so quickly and has a much larger pool of potential victims, Nimda is creating an ad hoc denial-of-service attack on the Internet. The worm is hogging bandwidth resources and hindering access to thousands of Web sites, said Stefan Savage, co-founder of DoS specialist Asta Networks.
A spokesperson for VeriSign reported a 20 percent increase in Domain Name System traffic this morning, although it hadn't confirmed the source.
E-mail users have been receiving the worm via attachments called “README.EXE,” but a spokesperson from anti-virus company Symantec says Microsoft Outlook users don't need to open the attachment to become infected, just the e-mail message itself.
While rumors abound that the worm could be associated with last Tuesday's terrorist attacks, U.S. Attorney General John Ashcroft said in a news conference today that there has been no evidence of a connection.
However, businesses still reeling from the events of last week are going to find Nimda adding insult to injury, said Arvind Narain, senior vice president of Internet services of McAfee.com.
“These are difficult times for businesses that have been hard-hit,” Narain said. “While some of the events may have been in only certain parts of America, it has a ripple effect, and companies are already dealing with loss.”
The reason Nimda is more threatening than Code Red is it can attack any one of 16 known vulnerabilities in Microsoft's Internet Information Services 4.0 and 5.0 Web servers, whereas Code Red was only designed to attack one.
“The biggest twist is it's like a Swiss army knife. It has a whole bunch of different ways to come at you,” Thompson said. Basically, Nimda has a key ring full of keys, and if one doesn't work, it simply uses the next one.
In fact, it's aware of the Trojan horse left by Code Red variants, and looks for it on systems. If it finds the Trojan horse, it will activate it and use it to infect that system.
Also making Nimda more destructive is the fact that it is less selective of its victims. While Code Red infected primarily Windows 2000 servers running IIS 5.0, Nimda can infect almost anything, including the PCs of users who surf a Web site that's been infected with the Nimda worm, said Thompson.
If JavaScript is enabled on a user's Windows-based browser – as most now are – and the user visits a Web site that's been infected, the user's computer will also be infected.
Thompson warned, however, that much still needed to be learned about Nimda. The full ramifications of Code Red were still being discovered weeks after its initial release. Code Red contained less than 4,000 bytes of code. Nimda contains 54,000.
As for protection, anti-virus vendors such as F-Secure, McAfee, Symantec and Trend Micro are releasing updates to their software to deal with the problem, but new details are being discovered about Nimda all the time, McAfee's Narain said.
“There are no guarantees and there are going to be variants of this particularly nasty rascal,” Narain warned.
Daniel Luzadder, Max Smetannikov and Todd Spangler contributed to this report.