September 28, 2001 4:00 PM PDT
Nimda resurgence falls flat
The e-mail component of the worm, which sends infected messages to each entry in an infected computer's Outlook address book, reactivates 10 days after the original infection. That part of the program had antivirus researchers and security experts worried that the Nimda worm was again set to spread quickly.
But Friday morning, 10 days after the first infections started to take hold, few signs heralded a return of the worm.
"We have been checking throughout the entire day, and we are not seeing anything," said John Harrington, director of marketing for e-mail filtering service MessageLabs. "Our gut feeling is that it is not going to happen."
According to MessageLabs' Web site, the company has detected fewer than 1,600 copies of the virus since the start of the epidemic 10 days ago.
Nimda--which is "admin," the shortened form of "system administrator," spelled backward--started spreading Sept. 18 and quickly infected PCs and servers around the world. Also known as "readme.exe" and "W32.Nimda," the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000.
The e-mail component of the worm sends Nimda-infected messages every 10 days, counting from when the victim was originally infected. Since the virus is thought to have started Sept. 18 at 8:30 a.m. PDT, the first new e-mails should have started going out early Friday.
Only a few infected computers may be left, however.
Anti-virus software maker Trend Micro said that while some companies reported infections Friday, the number is still low.
"We've seen a few infections in organizations that haven't done a complete cleaning, but it's limited," said company spokeswoman Susan Orbuch.
Furthermore, compromised servers and PCs without Outlook installed will only have a limited number of e-mail addresses to which to send messages. The worm also scans the browser cache on computers for saved Web pages that contain e-mail addresses and sends infected messages to those addresses as well.
Servers that aren't used to browse the Internet will not have such a cache.