Nimda rampage starts to slow

Companies are making headway in cleaning up after the Nimda virus. According to one researcher, the response to Nimda was faster and more effective than it was to Code Red.
Written by Robert Lemos, Contributor
Companies infected with the Nimda worm worked at cleaning the malicious program out of their computer systems Thursday, as the worm's spread continued to slow.

"From within six hours after it got going, we saw it retreat," said David Moore, senior researcher with the Cooperative Association for Internet Data Analysis, a supercomputing center at the University of California at San Diego. The spread of the virus peaked around noon Tuesday and has slowly decreased since then, according to CAIDA's analysis.

"The response (to Nimda) was faster and more effective than the response to Code Red," Moore said.

On Tuesday, the day the worm started to spread, the number of infected computer systems detected by CAIDA quickly climbed to a peak of 150,000. By Thursday, that number had dropped to almost 50,000.

Antivirus software companies said new infections were far less common 48 hours after the Nimda worm started to spread.

"Most of what we're dealing with today is company cleanup," said Vincent Gullotto, director of Network Associates' antivirus emergency research team. "The spreading has really started to die down. We will get new reports, but nothing near what we got that first day."

The retreat of the worm came as little comfort to some companies and organizations affected by the virus.

One nonprofit organization, which asked not to be identified, suffered almost two days of Web site and e-mail outages as a result of the worm's assault on its Internet service provider.

"It is very frustrating and infuriating to learn that this virus is hitting...systems...while our ISP uses the worm as a convenient excuse to cover the fact that perhaps maybe they were not up-to-date with protection," said the security administrator for the organization.

Another victim of the attack was the Web site of consumer-electronics maker Sonicblue. On Tuesday, the company's Web site was infected by the worm and quickly taken down.

"We are working to bring the site up as quickly as possible," said Frank Ponikvar, chief information officer for the company. "The good news is that our e-mail system remains up and running, so our employees have been able to continue their daily business without interruption."

The company did not say when the Web site was repaired, but by Thursday, the site was back online.

Customers of DSL provider XO Communications sent complaints to CNET News.com that Internet service had slowed to a crawl because of the worm.

"We began seeing problems the morning of the 18th," said XO Communications spokeswoman Jenna Dee. "When it became apparent that there was an issue, we were already being affected. Unfortunately it had already gotten into our DSL network."

XO, which provides high-speed Net access to more than 32,000 customers via digital subscriber lines, said the congestion on the network led to slow Net access speeds for an undetermined number of customers.

"It was like going back to dial-up. It was definitely not the same speeds they're used to," Dee said. "And it's painful going back in that direction." The company has since installed filters to block the most common ways the worm replicates and spreads.

Nimda--which is "admin," the shortened form of "system administrator," spelled backward--started spreading early Tuesday morning and quickly infected PCs and servers across the Internet. Also known as readme.exe and W32.Nimda, the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000.

The worm spreads by sending e-mail messages with infected attachments and then scanning for and infecting vulnerable Web servers running Microsoft's Internet Information Server software. It then copies itself to shared disk drives on business networks and appends JavaScript code to Web pages that will download the worm to surfers' PCs when they view the page.

On infected machines, the worm overwrites several critical files and appends a script to HTML files.

For a short time Wednesday, many thought Microsoft's Web sites had been infected.

Although the worm retreated in the United States, where it hit the hardest, Asian companies reported that the worm was still spreading there.

South Korea's Information and Communication Ministry said the number of infections was growing exponentially, as personal computer users were slow to take precautions, according to Reuters. A ministry statement said 3,711 cases were reported as of 11 a.m. local time Thursday, an 11-fold increase from the 327 reported Wednesday.

"Big companies appear to be taking measures quickly, but personal computer users are relatively slow in responding," an official at the ministry told Reuters.

The United States was still feeling the brunt of the attack, though, according to Network Associates' Gullotto.

"For every five companies in the States, there is only one that got infected in a different part of the world," he said. "The States got hit a lot harder."

News.com's Corey Grice, staff writer Richard Shim and Reuters contributed to this report.

Editorial standards