Nimda virus loose online

The new virus is more powerful than Code Red

A Windows worm that tries almost every trick in the book to infect computers is steadily spreading across the net.

The malicious program, named Nimda, attacks both personal computers and network servers. The virus can even be contracted just by browsing webpages generated by infected servers.

It spreads by plundering address books to generate lists of recipients it can send itself to, looks for common loopholes in some versions of Windows web server software and uses hijacked machines to search for more targets.

Although the worm is spreading quickly, experts said it was unlikely to cause widespread disruption - but they warned people to be on their guard.

Infection invitation

"The reason it's become so widespread is because it not only travels via e-mail but it contaminates websites as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

Once it has infected a web server, the Nimda worm scans the net for machines that have not installed patches for well-known vulnerabilities. It looks for the loophole that Code Red exploited, as well as 16 others.

This one is the Swiss Army knife of worms

Dan Ingevaldson, Internet Security Systems

It can affect machines running Windows 98, 95, Me, NT and 2000.

The worm may cause disruption to some networks because it makes infected machines carry out up to four times as many scans as those compromised by Code Red.

Infected machines also hide a copy of the virus on the webpages they display. Browsing these pages with certain unpatched versions of Internet Explorer will mean that machine is infected.

According to the Computer Emergency Response Team some browsers will automatically run the downloaded file.

Random attachment

The Nimda worm also uses other methods to spread. It scans webpages for e-mail addresses and sends a message to that site with a copy of the worm attached.

Avoiding Nimda

Be wary of unexpected blank e-mail messages with long subject lines and attachments

If you receive a message like this delete it without reading it

If you use Outlook with Windows 98 or Windows 2000, install Microsoft's security patch that stops viruses like Nimda

Install anti-virus software and keep it up to date

If you have been infected, use clean-up programs from anti-virus companies to expunge it from your computer

It can also interrogate copies of a program called Microsoft Exchange that many companies use as a "post office" for the e-mails and messages of their staff.

E-mail messages generated by the worm have a random subject line and attach a file plucked randomly from the hard drive of an infected PC. Riding alongside the attachment is a copy of the virus.

The worm can also copy itself to any shared directories it finds on networks it has compromised.

"This one is the Swiss Army knife of worms," said Dan Ingevaldson, a spokesman for Internet Security Systems. "It really seems to try everything."

Hijack attacks

Although the networks within some businesses have become clogged by the scanning activities of infected machines and e-mail messages they are generating, experts do not think Nimda will cause widespread disruption.

Since the Code Red scare in August, many vulnerable machines have been patched and far fewer are now at risk.

The panic over Code Red began when a variant of the original worm infected more than 250,000 machines in only a few hours. Analysis after the outbreak revealed that the web traffic jams attributed to Code Red were due to a train crash in a tunnel that severed key net cables.

Although some hackers have targeted websites seen as sympathetic to the terrorists behind last week's attack on the World Trade Centre, US Attorney General John Ashcroft said there was no sign that the release of Nimda was another retaliatory attack.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," he said.

The FBI also warned that a group of hackers calling themselves the Dispatchers were set to launch attacks "against organisations associated with the perceived perpetrators of the 11 September, 2001, terror attacks."