Code in the Nimda worm that orders the program to send infected e-mail could cause a resurgence, security experts warned Thursday.
Several security researchers dissecting copies of the worm found code that would reactivate the program 10 days from the time the host computer was originally infected.
However, because other components of the worm remain active--making discovery of an infected system likely--the extent of any renewed attacks would be diminished, said Elias Levy, chief technology officer of SecurityFocus.
"We don't think it will be anywhere near the magnitude of the original epidemic," Levy said. "But we'll probably see a slight increase in infections."
Other security researchers dissecting the worm's code also warned of the possibility of a new cycle of attacks.
"The virus (remains) dormant for 10 days," said Eliza Hamlet, spokeswoman for antivirus software maker Trend Micro. "So Nimda's re-infection timeline will be ongoing...not like Code Red, where on a certain day of every month or a certain time period of every month it was programmed to replicate itself."
Nimda--which is "admin," the shortened form of "system administrator," spelled backward--started spreading Sept. 18 and quickly infected PCs and servers around the world. Also known as "readme.exe" and "W32.Nimda," the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000.
On infected machines, the worm overwrites several critical files and appends a script to HTML files. In addition, e-mails that Nimda sends have a corrupted subject line.
The e-mail component of the worm sends Nimda-infected messages every 10 days, counting from when the victim was originally infected. Since the virus is thought to have started Sept. 18 at 8:30 a.m. PDT, the first new e-mail will be sent at the same time this Friday.
Because of the nonsensical subject lines, however, e-mail may be the worm's least effective way of spreading.
E-mail screening service MessageLabs, which intercepts tens of thousands of virus-infected e-mails addressed to the company's customers, has seen fewer than 1,500 Nimda-carrying messages to date, according to its Web site.
Machines that have been cleaned of the virus are not in danger--only those that remain infected.
News.com's Erich Luening contributed to this report.