"This isn't Code Red or a variant of Code Red," Tippet says about the worm that infected several thousand servers running Microsoft Internet Information Services software in July. This worm is using at least a dozen vulnerabilities to spread. All of the vulnerabilities Nimda exploits are known, and patches or software workarounds are available.
Nimda infects servers running Microsoft's Internet Information Services software versions 4 and 5. It also infects and spreads from desktops running Windows ME, 2000, and 98.
It appears the worm spreads three ways: by directly locating vulnerable systems over the Internet and replicating itself in a similar way to Code Red; by infecting local shared drives; or by E-mail, where the worm arrives as a file named README.EXE.
Security vendors recommend companies block all E-mail with "exe" attachments, filter E-mail for README.EXE, and make sure all IIS systems are either fully patched or removed from the network.
As of 11 this morning, TruSecure had reported more than 11,000 infected systems, but it expects the number to climb much higher by the end of the day. More than a million systems could be vulnerable to infection. "It could be well over 100,000 by now," Tippet says, "and this one has the real potential to significantly hurt Internet performance."
Security researchers are studying the source code of the worm, and should know within a few hours if Nimda contains any type of destructive payload. TruSecure's security sensors are experiencing between 10 and 100 infection attempts per hour.