Major new worm poses serious threat

ITworld.com |  Security

A new worm that can infect all 32-bit Windows computers and propagates using multiple methods has spread across the world Tuesday morning, according to Roger Thompson, technical director of malicious code at TruSecure Corp.

The worm, called Nimda (admin spelled backwards), can spread via e-mail attachments, HTTP (Hypertext Transfer Protocol) or across shared hard disks inside networks, Thompson said. The worm can infect all 32-bit Windows systems -- Windows 98, 2000, Millennium Edition, XP, NT -- because it scans systems for between 10 and 100 different vulnerabilities and exploits them when found, he said.

"It looks like they've made a Swiss Army Knife," Thompson said, referring to the number of different tools the worm can use to attack systems.

"Every Win32 system is going to be vulnerable, if not from one (vulnerability), then from another," he said.

When spread by e-mail, Nimda arrives in inboxes as an attachment called "Readme.exe" or sometimes Readme.eml, Thompson said. The Readme file, however, has a malformed header (the data at the beginning of a file that allows a system to identify its type) which makes the computer think it is a WAV, or sound, file, he said. However, Readme.exe is in fact a program and can be executed just from the preview panel when viewing it without it being opened, he said.

Once the worm has infected a system, be it by HTTP, e-mail or disk sharing, it then scans its local subnet (a chuck of the Internet) looking for vulnerable systems, Thompson said. Though some systems, such as those that are up to date on their patches, are protected behind firewalls or those that are filtering .exe attachments, will be safe from some aspects of the worm, that it spreads via three methods makes it more difficult to stop, he said. The spread of the worm across shared disks, which are more than likely entirely unprotected, "is going to be a real pain," he said.

The worm was discovered by Thompson's worldwide network of "worm catcher" systems at 9:08 a.m ET Tuesday, he said. Within half an hour, it had spread across the whole world, he said.

"(Nimda) is certainly much faster, much more aggressive and much bigger" than Code Red, Thompson said. Code Red was another recent worm that caused a good deal of damage and consternation for systems administrators worldwide.

Though Code Red did not ultimately have an impact on Internet performance despite some initial claims to the contrary, "we may actually see a hit on the Internet (and its performance)" with Nimda, Thompson said.

Computer security bodies the Computer Emergency Response Team/Coordination Center (CERT/CC) and Incidents.org both issued alerts about increased activity on the Internet Tuesday, stating that the activity may be related to the worm.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question