Meet the brilliant (yet evil) Nimda worm

How bad is Nimda, the latest worm to hit the Internet? Imagine combining the last five major worms--and giving the resulting creation a bad attitude to boot. Robert Vamosi explains why Nimda is such an awful beast.
Written by ZDNET Editors, Contributor
COMMENTARY--What if you took the last five Internet worms and put them in a blender? That's what Nimda (w32.Nimda.a@mm) is--a combination of Code Red, Code Blue, Apost, Magistr.B, and SirCam. It's brilliant, and at the same time very evil. Some of us laughed when the FBI held a press conference in early August to warn that Code Red could slow down, if not shut down, the Internet. But no one was laughing on Tuesday, Sept. 18, when the Net actually appeared to slow worldwide.

For a time on Tuesday, it seemed as if two separate worms had been unleashed. Initial reports came in that IIS servers were being hit with a possible Code Red variant and that Outlook users were experiencing a new worm. When it became apparent these events were from the same worm, it gave most of us who follow viruses and worms great pause. Someone really set out to cause damage on the Internet this week.

Why would anyone do this? Well, mostly to prove that it could be done. Nimda is what's called a "proof-of-concept" worm. Often such worms have fatal flaws (after all, they are striking out into new territory). Unfortunately, Nimda did not have any obvious flaws; within a few hours, it managed to crawl around the world. By midday here in the United States, several IIS-served Web sites dropped off the Net.

(By the way, the multiple IIS vulnerabilities that Nimda seeks can be patched with the cumulative IIS patch available from Microsoft.)

What's really scary about Nimda is that it uses not one or two, but four different methods to spread--talk about aggressive! Nimda scans the Internet looking for vulnerable IIS servers, which makes it similar to Code Red and Code Blue. It also sends mass e-mail like SirCam and Apost do (in fact, it uses the same attachment, readme.exe, that Apost used). And Nimda looks for open network shares in a way similar to Magistr.B. But what's really menacing is its use of malicious Web-page content. Until now, we've been warned about this kind of malicious code attack, but haven't really seen it used to great advantage.

Spreading malicious code via JavaScript and ActiveX on individual Web pages has been tried, though with very limited success. It's too easy to get caught. One has to entice a viewer to the infected page, provided that the ISP hasn't taken down the site already. And with increasing criminal liabilities associated with virus outbreaks, virus writers haven't embraced Web sites as a means to promote their skills.

But with Nimda, we have a mobile worm that anonymously changes the Web page on an infected server so that a whole new audience--Windows PC users--can become infected and further spread the worm. Users randomly surfing the Internet may find a familiar Web site has been replaced with a screen informing them that they have chosen to download a file, readme.exe, and asking, "What would you like to do with this file?" For some users, the choice is easy (but not good): The file is automatically downloaded onto their hard drive.

How'd that happen? Turns out there's a known vulnerability in Internet Explorer 5.01 and earlier that allows code on Web pages to execute automatically. A number of users who had never heard of this vulnerability suddenly found themselves contending with the mass e-mailing Nimda worm on their PCs. To avoid Internet Explorer's "automatic execution of embedded MIME types" vulnerability, users should patch or upgrade Internet Explorer. Users of IE 5.01 will need to download this patch. Those wanting to upgrade can choose IE 5.5 SP2 or IE 6.0.

Given the success of Nimda, I fear we're going to see more of these aggressive worms. How can we stay ahead? We can start by patching our software faithfully. It's no longer enough not to open attachments. The virus writers have just demonstrated that they can reach us a number of different ways.

Did you get hit by Nimda? Does this mark the beginning of a whole new breed of worms? TalkBack to me.
