X

New Nimda worm offshoot spreading

The variant is spreading in the Asia-Pacific, its files renamed to mimic existing Windows files. But will it get far?

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
3 min read
A new variant of the Nimda worm has started spreading slowly throughout the Asia-Pacific region, antivirus experts said Tuesday.

The variant, called Nimda.E, spreads using the same methods as the original worm, but its files have been renamed to mimic existing Windows files.

"The first report we received was in Korea at about 11 p.m. (6 a.m. Monday PST), shortly after we received similar reports in the U.S. and Australia as well," Anthony Kuo, regional technology manager for antivirus company Trend Micro, said in a statement.

By 5 p.m. PST Tuesday, about 3,900 infections had been reported to Trend Micro through its support lines in Asia and its free online virus scanner, placing the worm at No. 2 on the company's list of active infectors for that region.

However, Nimda.E hadn't even made it into the top-10 lists for the other regions the company tracks, suggesting the program would not spread very far.

Rival Network Associates agreed with that conclusion.

"I don't expect this to do much at all," said Vincent Gullotto, senior director of research for the security software company's antivirus emergency response team. "If people take the same precautions for any previous variants, they should be fine."

In fact, the only PCs that can be infected by Nimda.E are those that have not been secured in the aftermath of the original worm, which infected nearly 160,000 hosts, according to data from the Cooperative Association of Internet Data Analysis.

Like its parent, Nimda.E can infect PCs and servers in any of four ways: through an e-mail attachment, by scanning for vulnerable servers running Microsoft's Internet Information Server software and then exploiting a flaw in the software, through shared hard drives, and by fooling browsers into uploading the worm from infected Web servers.

So far, the e-mail method seems to be the most effective for the new version of the worm.

Nimda and Nimda.E gather e-mail see special report: Year of the Worm addresses from any e-mail program supporting the Messaging Application Programming Interface, or MAPI, including Microsoft Outlook and Outlook Express. The worm uses these e-mail addresses to fill in the "sender" and "recipient" fields for the messages it sends. Addresses from Web pages stored in a browser's cache also will be used.

Mail sent from the infected computer will appear to have been mailed by the people whose addresses have been mined by Nimda, not by the worm's victim.

The files that Nimda.E uses to infect computers are merely named differently, according to Trend Micro's advisory.

The file responsible for infecting hard drives shared across a network sports the label "csrss.exe," where the original worm used the name "mmr.exe." The worm that piggybacks on e-mails uses the name "sample.exe," rather than the original "readme.exe."

Finally, the file that is placed on a vulnerable server is now named "httpodbc.dll," where the original Nimda took its name from the file that it dropped--"admin.dll." ("Nimda" is "admin," short for "system administrator" spelled backward.)

Network Associates' Gullotto said that all in all, October has been subdued compared with previous months.

"It is rather quiet right now, which is a good thing," he said. "But is it the quiet before the storm? It is really hard to say."