Dangerous New Worm Spreading

Security firms are sounding the alarm about a new Internet worm that appears to be spreading faster than Code Red. Peter Tippet, chief technologist at TruSecure Corp., says the security firm first noticed the worm, named Nimda, at 9:08 a.m. EDT Tuesday. Security sensors in various locations around the world, including the United States, New Zealand, Europe, and Asia, started getting hits from the worm within minutes of each other.

"This isn't Code Red or a variant of Code Red," Tippet says about the worm that infected several thousand servers running Microsoft Internet Information Services software in July. This worm is using at least a dozen vulnerabilities to spread. All of the vulnerabilities Nimda exploits are known and there are patches or software workarounds available.

Nimda infects servers running Microsoft's Internet Information Services software versions 4 and 5. It also infects and spreads from desktops running Windows ME, 2000, and 98.

It appears the worm spreads three ways: by directly locating vulnerable systems over the Internet and replicating itself in a similar way to Code Red; by infecting local shared drives; or is sent via E-mail where the worm comes as a file named README.EXE.

Security vendors recommend companies block all E-mail with "exe" attachments, filter E-mail for README.EXE, and make sure all IIS systems are either fully patched or removed from the network.

As of 11 this morning, TruSecure reported more than 11,000 infected systems, but expects the number of systems to climb much higher by the end of the day. More than a million systems could be vulnerable to infection. "It could be well over 100,000 by now," Tippet says, "and this one has the real potential to significantly hurt Internet performance."

Security researchers are studying the source code of the worm, and should know within a few hours if Nimda contains any type of destructive payload. TruSecure's security sensors are experiencing between 10 and 100 infection attempts per hour.