New computer worm spreading rapidly

Information security officials reported Tuesday that a new computer worm was wreaking havoc on the Internet.

Called both W32.Minda and W32.nimda, the worm is very similar to the Code Red worm that ransacked Internet servers on July 19, infecting 250,000 computers in nine hours.

"It's taking advantage of the same vulnerability that Code Red did," said a government security official who asked not to be named. "But it's not Code Red, it's a new worm."

Internet traffic doubled as a result of the scanning caused by the worm, the official said.

Like Code Red, W32.nimda scans the Internet for servers running Microsoft Corp.'s Internet Information Services (IIS) software, versions 4.0 and 5.0. Computers running Windows NT 4.0 or Windows 2000 server software usually have IIS installed. Once the worm finds the software, it looks for a well-publicized vulnerability. If the vulnerability exists, the worm loads itself onto the server. A simple software patch eliminates the vulnerability.

The W32.nimda worm is also capable of spreading through e-mail attachments, as the previous ILOVEYOU virus did. The e-mail contains an attachment, readme.exe, and has a blank subject line with no message. The Computer Emergency Response Team at Carnegie Mellon University said Internet users also could inadvertently be infected with the new worm simply by accessing certain Web pages of a compromised server.

Attorney General John Ashcroft said Tuesday that "there is no evidence at this point that links this infection with the terror attacks of last week."

Experts said the level of traffic caused by the worm shows that systems administrators didn't learn their lesson after the Code Red and Code Red II attacks. "Shame on systems administrators in government and industry who haven't taken measures to secure their systems," the federal official said.

Unlike Code Red, W32.nimda does not use affected computers for attacks on other systems. The new worm, which spreads much more rapidly than Code Red, seems to be aimed only at slowing down the Internet, said Sharon Ruckman, senior director of security response at Symantec, a provider of Internet security technology.

Ruckman warned that computers that have a Windows file-sharing capability activated are particularly vulnerable.

The worm comes on the heels of a Monday advisory, "Potential Distributed Denial of Service Attacks," from the FBI's National Infrastructure Protection Center warning agencies and businesses to be on the lookout for new virus attacks.

"On September 12, 2001," the advisory said, "a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers said they were targeting communications and finance infrastructures."

The group has claimed it has more than 1,000 computers under its control that could be used in denial-of-service attacks.