BBC NEWS Americas Africa Europe Middle East South Asia Asia Pacific Arabic Spanish Russian Chinese Welsh

 You are in: Sci/Tech
Front Page 
UK Politics 
Talking Point 
In Depth 

Commonwealth Games 2002

BBC Sport

BBC Weather

Wednesday, 19 September, 2001, 16:22 GMT 17:22 UK
Nimda virus loose online
Graphic BBC
The new virus is more powerful than Code Red
A Windows worm that tries almost every trick in the book to infect computers is steadily spreading across the net.

The malicious program, named Nimda, attacks both personal computers and network servers. The virus can even be contracted just by browsing webpages generated by infected servers.

It spreads by plundering address books to generate lists of recipients it can send itself to, looks for common loopholes in some versions of Windows web server software and uses hijacked machines to search for more targets.

Although the worm is spreading quickly, experts said it was unlikely to cause widespread disruption - but they warned people to be on their guard.

Infection invitation

"The reason it's become so widespread is because it not only travels via e-mail but it contaminates websites as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

Once it has infected a web server, the Nimda worm scans the net for machines that have not installed patches for well-known vulnerabilities. It looks for the loophole that Code Red exploited, as well as 16 others.

This one is the Swiss Army knife of worms

Dan Ingevaldson, Internet Security Systems
It can affect machines running Windows 98, 95, Me, NT and 2000.

The worm may cause disruption to some networks because it makes infected machines carry out up to four times as many scans as those compromised by Code Red.

Infected machines also hide a copy of the virus on the webpages they display. Browsing these pages with certain unpatched versions of Internet Explorer will mean that machine is infected.

According to the Computer Emergency Response Team some browsers will automatically run the downloaded file.

Random attachment

The Nimda worm also uses other methods to spread. It scans webpages for e-mail addresses and sends a message to that site with a copy of the worm attached.

Avoiding Nimda
Be wary of unexpected blank e-mail messages with long subject lines and attachments
If you receive a message like this delete it without reading it
If you use Outlook with Windows 98 or Windows 2000, install Microsoft's security patch that stops viruses like Nimda
Install anti-virus software and keep it up to date
If you have been infected, use clean-up programs from anti-virus companies to expunge it from your computer
It can also interrogate copies of a program called Microsoft Exchange that many companies use as a "post office" for the e-mails and messages of their staff.

E-mail messages generated by the worm have a random subject line and attach a file plucked randomly from the hard drive of an infected PC. Riding alongside the attachment is a copy of the virus.

The worm can also copy itself to any shared directories it finds on networks it has compromised.

"This one is the Swiss Army knife of worms," said Dan Ingevaldson, a spokesman for Internet Security Systems. "It really seems to try everything."

Hijack attacks

Although the networks within some businesses have become clogged by the scanning activities of infected machines and e-mail messages they are generating, experts do not think Nimda will cause widespread disruption.

Since the Code Red scare in August, many vulnerable machines have been patched and far fewer are now at risk.

The panic over Code Red began when a variant of the original worm infected more than 250,000 machines in only a few hours. Analysis after the outbreak revealed that the web traffic jams attributed to Code Red were due to a train crash in a tunnel that severed key net cables.

Although some hackers have targeted websites seen as sympathetic to the terrorists behind last week's attack on the World Trade Centre, US Attorney General John Ashcroft said there was no sign that the release of Nimda was another retaliatory attack.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," he said.

The FBI also warned that a group of hackers calling themselves the Dispatchers were set to launch attacks "against organisations associated with the perceived perpetrators of the 11 September, 2001, terror attacks."

The BBC's Adam Kirtley
"Overnight it spread like wildfire"
Graham Cluely, Technology Consultant
"It is a serious problem"
See also:

15 Aug 01 | Sci/Tech
Briton charged over computer worm
06 Aug 01 | Sci/Tech
New worm infects the net
02 Aug 01 | Sci/Tech
Code Red threat tailing off
01 Aug 01 | Sci/Tech
Code Red keeps world guessing
31 Jul 01 | Sci/Tech
Internet put on Code Red alert
Internet links:

The BBC is not responsible for the content of external internet sites

Links to more Sci/Tech stories are at the foot of the page.

E-mail this story to a friend

Links to more Sci/Tech stories