Security experts warn of Nimda resurrection

Code in the Internet worm resends virulent e-mails to a compromised PC's entire address book exactly 10 days after the original infection, say security analysts.

Robert Lemos, Staff Writer, CNET News.com. Lemos covers viruses, worms and other security threats.
A timer in the Nimda worm's e-mail component, which instructs the program to resend infected messages 10 days after a machine was compromised, could cause a resurgence of the worm, security experts warned Thursday.

Several security researchers dissecting copies of the worm found code that reactivates its e-mail routine 10 days after the host computer was originally infected.

However, because other components of the worm remain active--making discovery of an infected system likely--the extent of any renewed attacks would be diminished, said Elias Levy, chief technology officer of SecurityFocus.

"We don't think it will be anywhere near the magnitude of the original epidemic," Levy said. "But we'll probably see a slight increase in infections."

Other security researchers dissecting the worm's code also warned of the possibility of a new cycle of attacks.

"The virus (remains) dormant for 10 days," said Eliza Hamlet, spokeswoman for antivirus software maker Trend Micro. "So Nimda's re-infection timeline will be ongoing...not like Code Red, where on a certain day of every month or a certain time period of every month it was programmed to replicate itself."

Nimda--which is "admin," the shortened form of "system administrator," spelled backward--started spreading Sept. 18 and quickly infected PCs and servers around the world. Also known as W32.Nimda, and often recognized by its e-mail attachment "readme.exe," the worm is the first to combine four different methods of infection, attacking not only PCs running Windows 95, 98, Me and 2000 but also servers running Windows 2000.

The worm spreads by e-mailing itself as an attachment; by scanning for, and then infecting, vulnerable Web servers running Microsoft's Internet Information Server software; by copying itself to shared disk drives on networked PCs; and by appending JavaScript code to Web pages on infected servers so that the worm is downloaded to visitors' PCs when they view a page.

On infected machines, the worm overwrites several critical system files and appends its loader script to the HTML files it finds. The e-mails Nimda sends carry a garbled subject line.
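As an added illustration that is not part of the original article, the following Python script shows how an administrator could check for two of the four vectors described above: the scanning of IIS servers (by looking in Web server logs for traversal requests aimed at cmd.exe or root.exe, including double-encoded and overlong-UTF-8 forms) and the JavaScript loader appended to Web pages. The log lines and HTML samples are constructed for the example; the loader signature is the commonly reported Nimda pattern and is an assumption here, not something this article specifies.

```python
import os
import re
from urllib.parse import unquote

# Constructed IIS-style log excerpt (date time client method uri status); not real traffic.
SAMPLE_LOG = """\
2001-09-18 15:32:01 10.0.0.7 GET /index.html 200
2001-09-18 15:32:02 10.0.0.9 GET /scripts/root.exe?/c+dir 404
2001-09-18 15:32:02 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 15:32:03 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 15:32:04 10.0.0.11 GET /products/readme.html 200
"""

# Loader the worm appended to Web pages so a visiting browser fetched it as readme.eml.
# Assumption: this is the commonly reported Nimda pattern; verify it against your own
# samples rather than treating it as something the article above states.
NIMDA_HTML_LOADER = re.compile(
    r'<script\s+language="JavaScript">\s*window\.open\("readme\.eml"', re.IGNORECASE
)

# Constructed HTML samples for demonstration.
CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    '<html><script language="JavaScript">'
    'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>'
)


def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%255c -> %5c -> \\) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_nimda_probe(raw_uri):
    """Flag requests that reach for cmd.exe or root.exe via traversal or overlong UTF-8 bytes."""
    decoded = decode_fully(raw_uri).lower()
    if "root.exe" in decoded:  # a renamed cmd.exe in a Web-reachable directory is never legitimate
        return True
    if "cmd.exe" in decoded:
        if ".." in decoded:
            return True
        # %c0/%c1 lead bytes are overlong encodings that some servers decoded to '/' or '\'
        if re.search(r"%c[01]%", raw_uri, re.IGNORECASE):
            return True
    return False


def scan_log(text):
    """Return (client_ip, raw_uri) for log lines that look like Nimda server probes."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, uri = fields[2], fields[4]
        if is_nimda_probe(uri):
            hits.append((client, uri))
    return hits


def html_is_infected(html):
    """True if the page carries the appended readme.eml loader."""
    return NIMDA_HTML_LOADER.search(html) is not None


def scan_html_tree(root):
    """Walk a Web root and list .htm/.html/.asp files carrying the loader."""
    infected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html", ".asp")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    if html_is_infected(fh.read()):
                        infected.append(path)
            except OSError:
                continue
    return infected


if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"probe from {client}: {uri}")
    print("constructed infected sample flagged:", html_is_infected(INFECTED_HTML))
```

The log check decodes each URI until it stops changing, so a request that hides the traversal behind a second layer of percent-encoding is caught the same way as a plain one; the raw URI is kept alongside the decoded form because the overlong byte sequences are only visible before decoding. Run `scan_html_tree` against a Web root to find pages that were modified rather than just visited.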

The e-mail component of the worm sends Nimda-infected messages every 10 days, counting from when the victim was originally infected. Since the worm is thought to have started spreading Sept. 18 at 8:30 a.m. PDT, the first machines infected would begin resending at the same time this Friday, Sept. 28.

Because of the nonsensical subject lines, however, e-mail may be the worm's least effective way of spreading.

E-mail screening service MessageLabs, which intercepts tens of thousands of virus-infected e-mails addressed to the company's customers, has seen fewer than 1,500 Nimda-carrying messages to date, according to its Web site.

Machines that have been cleaned of the worm will not take part in the resend; only those that remain infected will. A cleaned machine is not immune to reinfection, however, because the worm's other components--the scanning of Web servers and the copying to shared drives--do not wait 10 days and remain active on any neighbor that was never cleaned.

News.com's Erich Luening contributed to this report.