Nimda set for a return

Researchers may have found a 'cyber-time bomb' in the code for the Nimda worm that will reactivate it exactly 10 days after its first occurrence
Written by Robert Lemos, Contributor

Code in the Nimda worm that orders the program to send infected email could cause a resurgence, security experts warned on Thursday.

Several security researchers dissecting copies of the worm found code that would reactivate the program 10 days from the time the host computer was originally infected.

However, because other components of the worm remain active -- making discovery of an infected system likely -- the extent of any renewed attacks would be diminished, said Elias Levy, chief technology officer of SecurityFocus.

"We don't think it will be anywhere near the magnitude of the original epidemic," Levy said. "But we'll probably see a slight increase in infections."

Other security researchers dissecting the worm's code also warned of the possibility of a new cycle of attacks.

"The virus (remains) dormant for 10 days," said Eliza Hamlet, spokeswoman for antivirus software maker Trend Micro. "So Nimda's re-infection timeline will be ongoing...not like Code Red, where on a certain day of every month or a certain time period of every month it was programmed to replicate itself."

Nimda -- which is "admin", the shortened form of "system administrator", spelled backward -- started spreading on 18 September and quickly infected PCs and servers around the world. Also known as "readme.exe" and "W32.Nimda", the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000.

The worm spreads by emailing itself as an attachment, scanning for -- and then infecting -- vulnerable Web servers running Microsoft's Internet Information Server software, copying itself to shared disk drives on networked PCs, and appending JavaScript code to Web pages that will download the worm to surfers' PCs when they view the page.

On infected machines, the worm overwrites several critical files and appends a script to HTML files. In addition, emails that Nimda sends have a corrupted subject line.

The email component of the worm sends Nimda-infected messages every 10 days, counting from when the victim was originally infected. Since the virus is thought to have started 18 September at 8:30am PDT, the first new email will be sent at the same time this Friday.

Because of the nonsensical subject lines, however, email may be the worm's least effective way of spreading.

Email screening service MessageLabs, which intercepts tens of thousands of virus-infected emails addressed to the company's customers, has seen fewer than 1,000 Nimda-carrying messages to date, according to its Web site.

Machines that have been cleaned of the worm are not at risk from the 10-day timer -- only those that remain infected will resume sending mail.

News.com's Erich Luening contributed to this report.
