.COMmentary: Meet Mr. Nimda Worm
By Mike Lotz
What do you get if you take the last five Internet worms and put them in a blender? That's what Nimda (w32.Nimda.a@mm) is: a combination of Code Red, Code Blue, Apost, Magistr.B and SirCam. It's brilliant, but at the same time very evil. Some people laughed when the FBI held a press conference in early August to warn that Code Red could slow down, if not shut down, the Internet. But no one was laughing on Tuesday, September 18, when the Net actually appeared to slow worldwide.
For a time on Tuesday, it seemed as if two separate worms had been unleashed, because IIS servers were being hit while MS Outlook users were experiencing a virus-like attack. When it became apparent that these events came from the same worm, we realized someone had really set out to cause damage on the Internet.
What's really scary about Nimda is that it uses not one or two, but four different methods to spread. Nimda scans the Internet looking for vulnerable IIS servers, similar to Code Red. It also sends mass e-mail, as SirCam and Apost do. And Nimda looks for open network shares in a way similar to Magistr.B. But Nimda also maliciously rewrites web-page code.
Nimda anonymously changes the Web pages on an infected server so that a whole new audience, Windows PC users, can become infected and further spread the worm. Users randomly surfing the Internet may find a familiar web site has been replaced with a screen informing them that they have chosen to download a file, "readme.exe. What would you like to do with this file?" For some users, the choice is easy (but not good): the file is automatically downloaded onto their hard drive.
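A defender's check for the page-modification vector described above, added here as an example and not taken from the column: it walks a web document root and flags pages that mention readme.exe, the file name the column gives. The directory layout, the file extensions scanned and the sample pages are constructed assumptions, and matching on the bare file name stands in for the worm's full published signature.

```python
"""Scan a web document root for pages that reference readme.exe, the
download that Nimda pushes from an infected IIS server (added example)."""
import os
import re
import tempfile

# Indicator named in the column. Matching the bare file name is an
# assumption; a production scan would use the worm's full signature.
INDICATOR = re.compile(r"readme\.exe", re.IGNORECASE)
# Assumed set of page types served by the site.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}


def scan_web_root(root):
    """Return sorted, slash-separated relative paths of suspect pages."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if INDICATOR.search(fh.read()):
                    rel = os.path.relpath(path, root)
                    hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_root():
    """Create a constructed web root: two clean pages, one modified page."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    pages = {
        "index.html": "<html><body><h1>Welcome</h1></body></html>",
        "news/default.asp": "<html><body>Latest news</body></html>",
        # Constructed stand-in for a page altered to push the worm's file.
        "news/story.htm": "<html><body>Story<p>Get README.EXE</p></body></html>",
    }
    for rel, body in pages.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_web_root(build_sample_root()):
        print("suspect page:", hit)
```

Point `scan_web_root` at the real document root to review a server; a hit means the page needs to be restored from a known-good copy once the host is cleaned.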
Given the great success of Nimda, I fear we're going to see more of these aggressive worms. How can we stay ahead? We can start by patching our software faithfully and being very careful when opening unknown e-mail attachments.
If you have any questions or comments, please email me at firstname.lastname@example.org