Weaker Variant of Nimda on the Loose

A new variant of the Nimda worm is on the loose on the Internet, but anti-virus experts say that it is unlikely to even approach the level of infection achieved by the original version.

Known as PE_Nimda.E, the new worm is quite similar to the one that wreaked havoc on Web servers and desktop PCs in September, but with a few key modifications. The code has apparently been recompiled by the author, and the name of the e-mail attachment containing the worm has been changed to Sample.exe, according to Roger Thompson, director of malicious code research at TruSecure Corp. in Herndon, Va.

The worm also tries to drop two .dlls—cool.dll and httpodbc.dll—instead of the one that the original Nimda virus installed.

What hasnt changed are the myriad methods through which Nimda is able to infect vulnerable machines. It can come in through an e-mail with an infected attachment, through a shared network drive, via an unpatched Web server running Microsoft Corp.s IIS software or through a vulnerable Web browser that accesses an infected HTML page.

Users who installed the patch for the IIS vulnerabilities that Nimda attacks should be protected against this new variant, Thompson said. But anyone who simply updated his or her anti-virus software and is relying on filtering is still vulnerable.

Thompson said he doubts Nimda.E will have the worldwide reach of its predecessor, but added that it could cause quite a bit of trouble if it gets inside some large networks.

“The world of infectable machines should be smaller. But networks tend to be hard and crunchy on the outside and soft and chewy on the inside,” Thompson said.