October 30, 2001 4:55 PM PST

New Nimda worm offshoot spreading

A new variant of the Nimda worm has started spreading slowly throughout the Asia-Pacific region, antivirus experts said Tuesday.

The variant, called Nimda.E, spreads using the same methods as the original worm, but its files have been renamed to mimic existing Windows files.

"The first report we received was in Korea at about 11 p.m. (6 a.m. Monday PST), shortly after we received similar reports in the U.S. and Australia as well," Anthony Kuo, regional technology manager for antivirus company Trend Micro, said in a statement.

By 5 p.m. PST Tuesday, about 3,900 infections had been reported to Trend Micro through its support lines in Asia and its free online virus scanner, placing the worm at No. 2 on the company's list of active infectors for that region.

However, Nimda.E hadn't even made it into the top-10 lists for the other regions the company tracks, suggesting the program would not spread very far.

Rival Network Associates agreed with that conclusion.

"I don't expect this to do much at all," said Vincent Gullotto, senior director of research for the security software company's antivirus emergency response team. "If people take the same precautions for any previous variants, they should be fine."

In fact, the only PCs that can be infected by Nimda.E are those that have not been secured in the aftermath of the original worm, which infected nearly 160,000 hosts, according to data from the Cooperative Association of Internet Data Analysis.

Like its parent, Nimda.E can infect PCs and servers in any of four ways: through an e-mail attachment, by scanning for vulnerable servers running Microsoft's Internet Information Server software and then exploiting a flaw in the software, through shared hard drives, and by fooling browsers into uploading the worm from infected Web servers.

So far, the e-mail method seems to be the most effective for the new version of the worm.

Nimda and Nimda.E gather e-mail addresses from any e-mail program supporting the Messaging Application Programming Interface, or MAPI, including Microsoft Outlook and Outlook Express. The worm uses these e-mail addresses to fill in the "sender" and "recipient" fields for the messages it sends. Addresses from Web pages stored in a browser's cache also will be used.

Mail sent from the infected computer will appear to have been mailed by the people whose addresses have been mined by Nimda, not by the worm's victim.

The files that Nimda.E uses to infect computers are merely named differently, according to Trend Micro's advisory.

The file responsible for infecting hard drives shared across a network sports the label "csrss.exe," where the original worm used the name "mmr.exe." The worm that piggybacks on e-mails uses the name "sample.exe," rather than the original "readme.exe."

Finally, the file that is placed on a vulnerable server is now named "httpodbc.dll," where the original Nimda took its name from the file that it dropped--"admin.dll." ("Nimda" is "admin," short for "system administrator" spelled backward.)
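As an added example, not code from the article or from either antivirus vendor quoted, here is a small defender-side check that flags the dropped-file names listed above in a file inventory while leaving the genuine csrss.exe in the Windows system directory alone. The legitimate system-directory paths are an assumption, and the inventory is constructed sample data.

```python
import ntpath

# Dropped-file names named in the article, mapped to (variant, infection vector).
NIMDA_DROPPED_FILES = {
    "mmr.exe": ("Nimda", "network share"),
    "readme.exe": ("Nimda", "e-mail attachment"),
    "admin.dll": ("Nimda", "IIS server"),
    "csrss.exe": ("Nimda.E", "network share"),
    "sample.exe": ("Nimda.E", "e-mail attachment"),
    "httpodbc.dll": ("Nimda.E", "IIS server"),
}

# csrss.exe is a real Windows binary; the worm's copy mimics it. Assumption:
# these are the only locations where the genuine file belongs.
LEGIT_LOCATIONS = {"csrss.exe": {r"c:\winnt\system32", r"c:\windows\system32"}}


def classify_path(path):
    """Return (variant, vector) if the path carries a Nimda dropped-file name
    somewhere it does not belong, else None."""
    directory, name = ntpath.split(path)
    name = name.lower()
    if name not in NIMDA_DROPPED_FILES:
        return None
    if directory.lower().rstrip("\\") in LEGIT_LOCATIONS.get(name, set()):
        return None  # the genuine Windows binary, not the worm's copy
    return NIMDA_DROPPED_FILES[name]


def scan_inventory(paths):
    """Group suspicious entries from a file listing by worm variant."""
    hits = {}
    for p in paths:
        result = classify_path(p)
        if result:
            hits.setdefault(result[0], []).append((p, result[1]))
    return hits


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    r"C:\WINNT\system32\csrss.exe",   # legitimate system binary
    r"\\FILESRV\public\csrss.exe",    # look-alike on a shared drive
    r"C:\Inetpub\scripts\httpodbc.dll",
    r"C:\Temp\sample.exe",
    r"C:\Temp\readme.exe",
    r"C:\Program Files\notes.txt",
]

if __name__ == "__main__":
    for variant, entries in scan_inventory(SAMPLE_INVENTORY).items():
        print(variant, entries)
```

A file name alone is a weak indicator; in practice pair such a check with the hash or signature your antivirus vendor publishes for the variant.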

Network Associates' Gullotto said that all in all, October has been subdued compared with previous months.

"It is rather quiet right now, which is a good thing," he said. "But is it the quiet before the storm? It is really hard to say."
