Son of Nimda on the attack

A Nimda variant is reported to be spreading through Asia, and computers which were not secured against the original worm are at risk
Written by Robert Lemos, Contributor

A new variant of the Nimda worm has started spreading slowly throughout the Asia-Pacific region, antivirus experts said on Tuesday.

The variant, called Nimda.E, spreads using the same methods as the original worm, but its files have been renamed to mimic existing Windows files.

"The first report we received was in Korea at about 11 pm on Monday (2pm GMT), shortly after we received similar reports in the US and Australia as well," Anthony Kuo, regional technology manager for antivirus company Trend Micro, said in a statement.

By 1am GMT today (Wednesday), about 3,900 infections had been reported to Trend Micro through its support lines in Asia and its free online virus scanner, placing the worm at No. 2 on the company's list of active infectors for that region.

However, Nimda.E hadn't even made it into the top-ten lists for the other regions the company tracks, suggesting the program would not spread very far.

Rival Network Associates agreed with that conclusion.

"I don't expect this to do much at all," said Vincent Gullotto, senior director of research for the security software company's antivirus emergency response team. "If people take the same precautions for any previous variants, they should be fine."

In fact, the only PCs that can be infected by Nimda.E are those that have not been secured in the aftermath of the original worm, which infected nearly 160,000 hosts, according to data from the Cooperative Association of Internet Data Analysis.

Like its parent, Nimda.E can infect PCs and servers in any of four ways: through an email attachment, by scanning for vulnerable servers running Microsoft's Internet Information Server software and then exploiting a flaw in the software, through shared hard drives, and by fooling browsers into uploading the worm from infected Web servers.

So far, the email method seems to be the most effective for the new version of the worm.

Nimda and Nimda.E gather email addresses from any email program supporting the Messaging Application Programming Interface, or MAPI, including Microsoft Outlook and Outlook Express. The worm uses these email addresses to fill in the "sender" and "recipient" fields for the messages it sends. Addresses from Web pages stored in a browser's cache also will be used.

Mail sent from the infected computer will appear to have been mailed by the people whose addresses have been mined by Nimda, not by the worm's victim.

The files that Nimda.E uses to infect computers are merely named differently, according to Trend Micro's advisory.

The file responsible for infecting hard drives shared across a network sports the label "csrss.exe," where the original worm used the name "mmr.exe." The copy that piggybacks on emails uses the name "sample.exe," rather than the original "readme.exe."

Finally, the file that is placed on a vulnerable server is now named "httpodbc.dll," where the original Nimda took its name from the file that it dropped--"admin.dll." ("Nimda" is "admin," short for "system administrator" spelled backward.)
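The renamed files are the only visible difference between the variants, so the names above are the indicators a responder would look for on a suspect host. The following is an added example (not code from the article or from Trend Micro) that triages a list of file paths against those names. The indicator names come from the article; the rule that a "csrss.exe" is only legitimate inside the Windows system directory, the sample paths, and the helper names are this example's own assumptions.

```python
"""Indicator-based triage for the Nimda / Nimda.E file names named in the article.

Constructed example: the file names are the ones reported in the article; the
path heuristic for csrss.exe and the sample input are assumptions made here.
"""
from __future__ import annotations

import ntpath
import os
from dataclasses import dataclass

# File names the article attributes to the original Nimda and to Nimda.E,
# with the infection vector each one belongs to.
INDICATORS = {
    "csrss.exe":    ("Nimda.E", "network-share dropper (mimics a real Windows file)"),
    "mmr.exe":      ("Nimda",   "network-share dropper"),
    "sample.exe":   ("Nimda.E", "email attachment"),
    "readme.exe":   ("Nimda",   "email attachment"),
    "httpodbc.dll": ("Nimda.E", "dropped on a vulnerable IIS server"),
    "admin.dll":    ("Nimda",   "dropped on a vulnerable IIS server"),
}

# csrss.exe is a genuine Windows component. This example assumes the only
# legitimate copies live in the system directory and flags any other location.
LEGITIMATE_DIRS = {
    "csrss.exe": {r"c:\windows\system32", r"c:\winnt\system32"},
}


@dataclass(frozen=True)
class Finding:
    path: str
    family: str
    note: str


def triage_paths(paths):
    """Return a Finding for every path whose file name matches an indicator,
    skipping names that sit in a directory where they are expected."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path)   # handles Windows paths on any OS
        key = name.lower()
        if key not in INDICATORS:
            continue
        if directory.lower().rstrip("\\") in LEGITIMATE_DIRS.get(key, set()):
            continue
        family, note = INDICATORS[key]
        findings.append(Finding(path, family, note))
    return findings


def scan_tree(root):
    """Walk a real directory tree and triage every file in it (hypothetical helper)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return triage_paths(paths)


# Constructed sample listing: one legitimate csrss.exe, three indicator hits,
# and an unrelated system file that must not be flagged.
SAMPLE_LISTING = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\csrss.exe",
    r"C:\Inetpub\wwwroot\scripts\httpodbc.dll",
    r"C:\Temp\sample.exe",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for hit in triage_paths(SAMPLE_LISTING):
        print(f"{hit.path}: {hit.family} ({hit.note})")
```

A match on these names is a reason to pull the file for analysis, not proof of infection on its own: anything can be named "sample.exe", and the System32 exemption above is the assumption that keeps the real csrss.exe out of the results.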

Network Associates' Gullotto said that all in all, October has been subdued compared with previous months.

"It is rather quiet right now, which is a good thing," he said. "But is it the quiet before the storm? It is really hard to say."
