Nimda floods corporate networks

The Nimda worms is filling corporate networks with traffic in exactly the way that experts feared Code Red would affect the Internet
Written by Matt Loney, Contributor

Several companies in the UK were brought to a standstill on Wednesday as the Nimda worm wreaked havoc on their internal networks. (See News Focus: "Nimda worm attacks the Web".)

While anti-virus vendors rated the worm as a low to medium destructive risk, its side effects have had a crippling effect on many company networks, and have been blamed by BT for knocking out several broadband exchanges.

Antivirus experts say that several factors are to blame for the problems. Servers within firewalls, they say, are particularly susceptible to Nimda since they are less likely to have been patched against the vulnerability that Code Red exploited. And the fact that Nimda infects workstations as well as servers, together with the high speed of many workstations and corporate networks, vastly increases the amount of network traffic Nimda generates.

"Basically what we were afraid Code Red would do on the Internet, Nimda is doing within single company networks," said Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "Code Red was staying outside firewalls, outside companies but Nimda gets inside, mainly through email, and once there just keeps bouncing around."

"Even though it [Nimda] is not meant to be destructive it has very serious side effects," Hypponen said. "Most importantly it is affecting the network traffic -- but it doesn't affect every company, it seems to depend on the network topology."

Hypponen said he did not know what types of network topology was particularly susceptible to Nimda, but said he had received reports from companies with dozens of offices and hundreds computers effectively taken out by one or two infected workstations.

"We have had media companies unable to access publishing, and unable to access their photo archives," said Hypponen. "That is a not purpose of the worm, but because they are running fast machines with fast connections the worm can scan [for vulnerable servers] fast, it generates a huge amounts of traffic".

An IT manager at a large UK company who asked not to be identified, said his company lost an entire day of productivity among "all developers and most staff" on Wednesday.

"The reason we found it to be disruptive was the precautionary measures more than anything," he said, but added that the worms practice of replacing some .EXE and .DLL files made those affected machines impossible to use. "It was only few here and there that were affected in this way, and not on every machine infected by any means. Some machines have had the virus but nothing else, while others have had executables replaced, so the applications would not work."

He said the second problem with the worm was its effect on security. "On one server it opened the C: drive as a shared volume for everyone to access," he said. Even so, he said the virus could have been much more destructive. "This did not format the hard drive, and it did not replace every executable, but it could easily have done so. It is a lot cleverer than most of the viruses we have seen in the last couple of years, which for the most part have been script kiddie viruses where there is a single point attack which, once you've fixed it, is fixed. This is much cleverer. It does a lot of things very surreptitiously."

On Wednesday BT blamed the Nimda virus for knocking out ADSL access from two of its exchanges; at London Lodge Hill and at Whitefield. By Thursday morning BT's Weston-super-Mare ADSL exchange was also experiencing problems, though the telco has not attributed this problem to Nimda.

Nimda spreads using several methods: as an email attachment; by scanning networks for vulnerable Microsoft IIS Web servers; by downloading itself through Internet Explorer from infected Web sites; and through LANs by using Microsoft Word.

Nimda spreads through LANs by dropping a hidden file called RICHED20.DLL on any network drive it can find that contains DOC or EML files. If a user tries to open a file from an infected folder using Microsoft Word, Wordpad and Outlook, then their PC becomes infected.

See the Viruses and Hacking News Section for the latest headlines.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards