A new e-mail and server worm that appears to be a retooled combination of several other successful worms — and which an Internet security firm says was first released almost to the exact minute of the one-week anniversary of the World Trade Center attacks — spread rapidly across the Internet on Tuesday.
But Attorney General John Ashcroft said in a press conference Tuesday afternoon that the worm does not appear to be connected to last week’s terrorist attacks.
This worm, named W32/Nimda.A-mm, is dangerously different from virtually all other e-mail and network-borne viruses: It can infect a computer when a user simply clicks on the subject line of an e-mail to open or preview it, or visits a Web page housed on an infected server.
And many of the infected machines now contain a gaping security hole, created by the worm, that will allow a malicious hacker complete access to the contents of an infected machine or network.
Nimda — Admin backwards — only infects computers running a Microsoft operating system and Microsoft’s e-mail, Web browser or Web server applications.
Nimda combines the worst features of Code Red and SirCam, two worms that have successfully spread across the Internet since June. Using previous worms’ proven infection techniques — along with some new twists — Nimda was able to spread at a ferocious pace.
“The rate of growth and spread (of W32/Nimda.A-mm) is exceedingly rapid — significantly faster than any worm to date and significantly faster than any variant of Code Red,” read an alert issued by TruSecure.
TruSecure’s release also said, “We cannot discount the coincidence of the date and time of release, exactly one week (probably to the minute) after the World Trade Center attack.”
Security watchdog CERT issued an alert Tuesday morning, saying that there were reports of a “massive increase” in scans directed at port 80, the port on which Web servers listen. Such scans are the most common indicator of a worm probing for other computers to infect.
Many systems administrators reported Nimda scans spiking at several hundred per hour on Tuesday, while Code Red typically averaged about 100 scans in the same time frame.
Code Red was deemed by the FBI to be so dangerous that it could bring down the entire Internet due to the increased traffic from the scans.
Nimda’s spread by e-mail had slowed significantly by late Tuesday afternoon.
Some security experts said that the worm’s efficiency acted against it.
“This worm was so fast moving, so potentially dangerous, that people saw it right away and responded,” said Steven Sundermeier, vice president of Central Command.
Antiviral companies, while scrambling to update their programs to protect against the virus, quickly released alerts advising systems administrators to scan all incoming e-mail for “readme.exe,” which blocked the virus from spreading rapidly within two or so hours of its release.
But the worm was still hitting unpatched Web servers running Microsoft’s Internet Information Services (IIS) software. Security experts think that the worm may continue to pound servers for a long time, citing Code Red as an example. Although warnings for Code Red were widely issued a month before the worm went live, thousands of machines were and remain vulnerable to infection.
“Some people are unaware that they are running Web server software, or the software may be running on a seldom-used small server,” said Alex Shipp, Chief Technical Officer at MessageLabs.
The worm’s programming code does not seem to contain any credit referring to the timing or explaining the rationale of its release. The code does have a credit line reading “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China.”
The Concept virus is a well known “macro virus” that only infects Microsoft Word documents. The Nimda worm does not seem to share any code with the Concept virus.
It is not yet known whether the worm originated in China, as the credit seems to indicate, but some do say the first scans they received came from Asian networks.
Nimda sends itself by e-mail, as SirCam does, and also scans for and infects Web servers as Code Red does.
Most e-mails containing the W32/Nimda.A-mm worm do not have a visible attachment. The worm activates as soon as the user clicks on and opens the e-mail, immediately attempting to run an embedded script.
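As an added example (not code from the article or from any vendor named in it), here is a small Python mail-gateway check of the kind the antiviral advisories above asked administrators to apply: it walks every MIME part of a message and flags a part whose filename has an executable extension or whose decoded bytes begin with the MZ header of a Windows executable, whatever content type the headers declare. The sample message is constructed inline for the demonstration; the audio/x-wav label on the executable part is an assumed mislabelling, chosen to show that the check keys on filename and bytes rather than on the declared type.

```python
"""Flag e-mail parts that carry a Windows executable regardless of the
declared content type.

Added example, not vendor code: the message is constructed here for the
demonstration, and the audio/x-wav label on the executable part is an assumed
mislabelling used to show that the check keys on filename and bytes."""
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def build_sample_mail(with_executable: bool = True) -> bytes:
    """Constructed sample: an HTML body plus, optionally, a part declared as
    audio/x-wav but named readme.exe and starting with an MZ header."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    if with_executable:
        fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # DOS/PE magic plus padding
        msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav",
                           filename="readme.exe")
    return msg.as_bytes()


def executable_indicators(part) -> list[str]:
    """Reasons to treat one non-multipart MIME part as an executable."""
    reasons = []
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"filename {filename!r} has executable extension")
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":
        reasons.append("body starts with MZ header but is declared "
                       f"{part.get_content_type()}")
    return reasons


def scan_mail(raw: bytes) -> list[dict]:
    """Parse a raw message and return every part that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = executable_indicators(part)
        if reasons:
            findings.append({
                "content_type": part.get_content_type(),
                "filename": part.get_filename(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_mail(build_sample_mail()):
        print(f"BLOCK {finding['content_type']} {finding['filename']}: "
              + "; ".join(finding["reasons"]))
```

The two indicators are deliberately independent: an attacker can rename the file, and an attacker can mislabel the content type, but a gateway that checks both the name and the first bytes of the decoded payload catches a part that hides behind either trick.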
On infected computers, the virus reportedly creates a new “Guest Account” with no password, which allows any attacker to log on to infected computers and have full access to the contents of the computer or network.
Even those who have strong security settings in place may be affected, because the worm reportedly overwrites existing security settings to allow remote login and full access.
Besides altering system settings, once the virus is active it attempts to infect all compressed files, such as ZIP archives, on the computer’s hard drive, as the IRC worm called “readme.exe” does.
It then e-mails copies of itself to selected addresses in the infected computer’s Outlook e-mail address book and Web cache folders, and begins scanning the Internet for Web servers to infect.
The worm exploits a hole found last year by bug hunter George Guninski. The hole allows malicious hackers to force Microsoft’s Web browser and e-mail programs to automatically open small programming scripts embedded in Web pages or e-mail. These scripts can contain viruses or worms.
Guninski said the only workaround is to “Disable Active Scripting” in the Tools/Options/Security menu, which can be accessed from within Outlook or Explorer.
Outlook’s settings should change automatically after the changes are made in Internet Explorer, but users can repeat the same process within Outlook to be sure the new settings have been applied. Disabling scripting will stop the virus from activating.
Servers running Microsoft’s IIS software need to be patched to prevent the worm from infecting them.
Central Command’s Sundermeier said that initial analysis indicates that the worm attacked servers via the “Unicode Web Traversal” exploit, in the same manner as a Code Red variant, CodeBlue.
Information and a patch for this exploit are located on Microsoft’s website.
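The following Python script is an added example, not part of the article and not vendor code: it runs a detector for encoded directory traversal over a few constructed Web-server log lines in Common Log Format. The request targets are modelled on the Unicode traversal probe named above, in which an overlong UTF-8 encoding such as %c0%af stands in for a slash and a double-encoded %255c for a backslash, so that a filter decoding the URL once never sees the `..` that escapes the document root. The decoder here is a deliberately permissive approximation of how a buggy server folds such sequences (an assumption, not a copy of IIS’s decoder); the script also tallies probes per client address, the kind of per-source count behind the scan-rate figures reported earlier.

```python
"""Detect encoded directory-traversal probes in Web-server access logs.

Added example: the log lines are constructed for this demonstration and the
decoder is a deliberately permissive approximation of how a buggy server might
fold overlong UTF-8 sequences; it is not IIS's own code.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote, unquote_to_bytes

# Constructed Common Log Format lines: one normal request, three traversal
# probes hiding "../" behind %c0%af, %255c and %c1%1c, and one harmless "..".
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:31:02 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [18/Sep/2001:10:31:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
10.0.0.7 - - [18/Sep/2001:10:31:06 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
10.0.0.7 - - [18/Sep/2001:10:31:07 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
10.0.0.9 - - [18/Sep/2001:10:31:09 -0400] "GET /docs/../index.html HTTP/1.0" 200 1043
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def lenient_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %255c -> %5c -> \\), then fold
    overlong UTF-8 forms of ASCII, e.g. c0 af -> '/', c1 9c -> '\\'.  The
    continuation byte is not validated, which is what lets c1 1c become '\\'."""
    raw = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < n:          # 2-byte overlong ASCII
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
            continue
        if b == 0xE0 and i + 2 < n:                   # 3-byte overlong ASCII
            cp = ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 3
                continue
        out.append(b)
        i += 1
    return out.decode("latin-1")


def escapes_root(decoded_path: str) -> bool:
    """True if resolving '..' segments ever climbs above the document root."""
    depth = 0
    for seg in decoded_path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_log(log_text: str) -> list[dict]:
    """Parse CLF lines and report, per request, whether the path escapes the
    root after lenient decoding and whether a single naive decode missed it."""
    results = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        lenient = escapes_root(lenient_decode(path))
        naive = escapes_root(unquote(path))
        results.append({
            "client": client,
            "path": path,
            "status": int(status),
            "escapes_root": lenient,
            "hidden_by_encoding": lenient and not naive,
        })
    return results


def probes_per_client(results: list[dict]) -> Counter:
    """Count traversal probes by source address."""
    return Counter(r["client"] for r in results if r["escapes_root"])


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for r in found:
        flag = "TRAVERSAL" if r["escapes_root"] else "ok"
        hidden = " (hidden from a single-pass decoder)" if r["hidden_by_encoding"] else ""
        print(f"{r['client']:10} {flag:9} {r['path']}{hidden}")
    print("probes per client:", dict(probes_per_client(found)))
```

Note that all three probes are reported as hidden_by_encoding: a single pass of urllib’s unquote turns %c0%af into replacement characters and %255c into a literal %5c, so a filter that decodes once and looks for “..” sees nothing, while a server whose decoder is as forgiving as the one modelled here does climb out of the root. Patching the server remains the fix; the detector only tells you who is knocking.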
There is no easy way to remove the virus from infected computers yet. Users should check their antiviral software vendors’ site for a fix. Ashcroft said that all antiviral software vendors contacted said they expected to release a fix by late Wednesday afternoon.
Some systems administrators are removing the worm manually from infected computers by deleting the registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\macrosoft”, restarting the computer and then deleting “README.EXE” from the Windows system directory as well as from the root directory of all local drives.
E-mails with long subject names such as “desktopsamplesdesktopsamples” are a particular indication of the virus, but some copies are arriving with short names such as “xboot” and “sample.”
When such a message is opened, depending on the system’s configuration, a dialog box may appear asking whether “readme.exe” should be opened or saved to a file. Whichever option is chosen, the virus has already been activated.
Currently, the only way to avoid the virus is to disable scripting and, to be on the safe side, to refrain from opening any e-mail that is unexpected, or whose subject line does not relate to an on-going conversation.