
Nimda's Biography

A little bit virus, a little bit worm, Nimda is a lot of trouble.
While the tally of systems infected by the Nimda worm remains unknown--quite possibly measured in the hundreds of thousands--the code is the most complicated malicious application to strike the Internet to date. This new breed of "malware" (neither a virus nor a worm, but a blend of both) spreads similarly to Code Red in that once it infects a computer, that system begins scanning for new victims to infect. And, just like the ILOVEYOU virus, Nimda also spreads via E-mail. Nimda can also infect unprotected computers used to browse Web sites on infected servers.

Nimda infects unprotected desktops running Windows 95, 98, ME, NT, and 2000, as well as NT and 2000 servers. It spreads through a MIME (multipart/alternative) E-mail that appears to have no subject and an empty message body. The E-mail does carry a binary executable attachment named "readme.exe." According to the federally funded information-security group CERT Coordination Center, machines running Microsoft Outlook and Outlook Express can be infected simply by viewing or previewing a tainted E-mail, as well as by clicking on the readme.exe attachment.
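As an added example (not code from the article or from any vendor), the following Python mail-gateway rule flags messages that match the three indicators the paragraph gives: an empty subject, a multipart/alternative wrapper, and an attachment named readme.exe. The sample message is constructed, and the list of executable extensions is an assumption made for the example.

```python
# Mail-gateway check for the Nimda delivery pattern described above: an
# empty-subject multipart/alternative message carrying a readme.exe attachment.
# Added example, not code from the article; the sample message is constructed.
import email
from email import policy

# Extensions treated as executable (assumption: list chosen for this example).
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def executable_attachments(raw: bytes) -> list[str]:
    """Return the filenames of every MIME part with an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def looks_like_nimda_mail(raw: bytes) -> bool:
    """True only when all three indicators from the article are present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    no_subject = not str(msg["Subject"] or "").strip()
    alternative = msg.get_content_type() == "multipart/alternative"
    readme_exe = "readme.exe" in [n.lower() for n in executable_attachments(raw)]
    return no_subject and alternative and readme_exe


# Constructed sample mimicking the described message; the attachment payload
# is the placeholder string "PLACEHOLDER" in base64, not an executable.
SUSPECT_MAIL = b"""From: sender@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html

<html><body></body></html>
--b1
Content-Type: application/octet-stream; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"

UExBQ0VIT0xERVI=
--b1--
"""
```

Quarantining on `executable_attachments` alone is the broader control; `looks_like_nimda_mail` shows how the three indicators combine into a narrower, lower-noise rule.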

Nimda tries to send copies of itself to every address it finds in the Windows address book. The infected desktop also begins scanning for vulnerable Microsoft Internet Information Services software, looking for back doors left behind by the Code Red II and Sadmind/IIS worms, as well as for other IIS vulnerabilities. If Nimda finds a vulnerable NT or 2000 server, it infects that machine too.

Patches for all of the vulnerabilities have been available for months. They can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. Microsoft has also published a tool, URLscan, that screens all incoming server requests and helps prevent these types of attacks. URLscan is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571.

Nimda struck within days of warnings sounded by government agencies, including the FBI's InfraGard and the National Infrastructure Protection Center (NIPC). In the aftermath of the terrorist attacks, InfraGard warned U.S. agencies and companies that an increase in vigilante cyber attacks might follow. Then, on Sept. 17, NIPC warned that a group of hackers calling themselves the Dispatchers claimed to have begun network attacks against components of the information infrastructure. NIPC said that the group claimed they were targeting communications and financial concerns, and that they would be prepared to intensify their attacks Sept. 18.

The center warned companies, "There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place. The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties."

In a press conference Tuesday, U.S. Attorney General John Ashcroft predicted that the damage caused by Nimda could prove heavier than the Code Red outbreak in mid-July. Ashcroft also said that there is no currently known link between Nimda and the terrorist attack last week.

Although Nimda contains a copyright notice claiming that it originated in China, experts remain cautious about attributing its origin. "Anyone anywhere could have typed that," says Dan Ingevaldson, team leader for X-Force, Internet Security Systems Inc.'s research division.

Security experts urge network administrators to harden and patch their Microsoft NT and 2000 servers. Desktop users are similarly urged to update their antivirus software, as most major antivirus vendors have released updates that protect against Nimda. Experts also urge all users of Microsoft Internet Explorer to make sure their browser's security settings are enabled.