
New virus downloads itself from Web pages

The Nimda virus uses every trick in the book to spread, say virus experts, including email and IRC - it can even download itself through a browser from infected Web servers
Written by Matt Loney, Contributor

Antivirus companies are reporting a high incidence of a new virus, which they say is spreading fast by using every trick in the book -- including downloading itself from Web pages by exploiting a weakness in Internet Explorer.

The Nimda virus propagates itself through email, but antivirus vendors say it also uses another, more worrying, method to spread. A Code Red-like component exploits the so-called index-server flaw in any Microsoft IIS Web server not patched against such attacks. But according to antivirus firm Sophos, the virus then uses that compromised Web server to spread itself through the browsers of people who visit Web sites hosted by that server.

"Rather than updating sites with a message like Code Red does, it attaches malicious JavaScript to the bottom of Web pages," said Graham Cluley, senior technology consultant at Sophos. "This means that if you go and browse a page and you don't have the correct security on your browser, it looks as though the JavaScript attempts to forward the virus from your machine to everyone in your contacts book." Cluley said the suspicion is that only Internet Explorer is vulnerable to this exploit, but he stressed that until the virus has been properly analysed it is impossible to say for certain.
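Because the article says the compromised server spreads the virus by appending script to the bottom of its pages, one defensive triage check is to scan a web root for script tags that appear after a page's closing tag. The example below is added here and is not from the article or from any antivirus vendor; the sample pages are constructed, the `.asp`/`.htm`/`.html` file patterns are an assumption, and the check is a heuristic (sloppily authored pages can also place script after `</html>`), so hits are for review, not proof of compromise.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample pages (not real Nimda output): one that ends cleanly and one
# with a script block appended after the closing </html> tag.
CLEAN_PAGE = "<html><head><title>Home</title></head><body><p>Hello</p></body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + "<script>/* appended content */</script>\n"

_CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def trailing_script_offset(html: str) -> Optional[int]:
    """Return the offset of a <script> tag found after the last </html> tag,
    or None when the page ends cleanly. Script placed after the document's
    closing tag is a heuristic signal that content was appended to the page
    rather than authored as part of it."""
    closes = list(_CLOSE_HTML.finditer(html))
    if not closes:
        return None  # no closing tag at all: the heuristic does not apply
    tail_start = closes[-1].end()
    match = _SCRIPT_OPEN.search(html, tail_start)
    return match.start() if match else None


def scan_pages(pages: Dict[str, str]) -> List[Tuple[str, int]]:
    """Apply the check to a name -> content mapping; return (name, offset) hits."""
    hits = []
    for name, content in pages.items():
        offset = trailing_script_offset(content)
        if offset is not None:
            hits.append((name, offset))
    return hits


def scan_webroot(root: Path, patterns: Iterable[str] = ("*.htm", "*.html", "*.asp")) -> List[Tuple[str, int]]:
    """Walk a web root (assumed file patterns) and return pages with a
    script tag after </html>, for an analyst to review."""
    pages: Dict[str, str] = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            try:
                pages[str(path)] = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return scan_pages(pages)


if __name__ == "__main__":
    for name, offset in scan_pages({"clean.html": CLEAN_PAGE, "tampered.html": TAMPERED_PAGE}):
        print(f"{name}: script after </html> at byte {offset}")
```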

This method of spreading through Web pages could be the reason for the high number of reports, said Cluley. To find out how to protect against and remove the Nimda virus, see ZDNet's Help and HowTo on the subject.

The Nimda virus -- its full name is W32/Nimda.A-mm -- was first detected on Tuesday afternoon. Messagelabs, which provides an email scanning service for its corporate customers, said it stopped more than a hundred copies of the virus attached to emails within an hour of the first incident, which arrived from Korea at 13:10 GMT. Most of the Nimda email viruses captured on Tuesday afternoon by Messagelabs originated from the US, leading the company to speculate that this is where the virus originated. When Nimda arrives in an email, it appears as an attachment named README.EXE. This is the same name used by another current virus called W32/Apost-A, so antivirus firms say many people should already be aware of attachments bearing that name.

However, Nimda also appears to be capable of spreading by other means. "My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus technologist at Messagelabs. And this may not be the end of it. "We have also found an FTP component in there," said Shipp. "It may be trying to download nasty stuff from some Web site somewhere -- we're still not sure. We know it is using FTP but we don't know how yet."

Antivirus companies on Tuesday said they did not yet know how much damage -- if any -- the virus would cause. "We have it on a test PC in our labs and it hasn't damaged that," said Shipp. "But that doesn't mean it won't damage it tomorrow or the next day. We won't know until we have finished our analysis."

Messagelabs, like other antivirus firms, was still scrambling to analyse and understand the virus late on Tuesday.
