F-Secure warns about Nimda.E network worm

F-Secure Corporation (HEX:FSC) is alerting computer users worldwide about a new version of the infamous Nimda worm. Nimda.E has been modified probably by the original author of the worm.

The whole worm has been recompiled. As a result, most anti-virus programs which detected original Nimda did not detect Nimda.E without updates. Most of the filenames used by the Nimda worm have been renamed. For example, the attachment sent by the worm is now called SAMPLE.EXE instead of README.EXE. There are various code changes within the worm. Others have been apparently made to fix bugs within the original worm, other changes have introduced new bugs

It seems that the author of Nimda wanted the original worm to be named “Concept”. When this didn’t succeed, Nimda.E now includes a hidden copyright comment which says “Concept Virus(CV) V.6, Copyright(C)2001, (This’s CV, No Nimda.)”

Otherwise Nimda.E operates as Nimda.A: a multifaceted network worm using four different propagation methods: 1) Infecting files, 2) Mass mailing, 3) Web worm and 4) LAN propagation.

When Nimda.A went around the world in the middle of September, 2001, it infected over 2 million computers. It is estimated to be among the five biggest virus cases ever seen. Nimda caused big problems by generating massive amounts of network traffic in company internal networks.

“Nimda.E is not going to become nearly as bad as original Nimda.A was”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. “For one, most of the web sites that got infected with Nimda.A have been patched and can not get infected. Also, awareness is now much better.”

The most important spreading method of Nimda.A was jumping from web sites to another, using holes in Microsoft IIS web server. It is important to notice that a web site might be vulnerable to Nimda.E even if latest security patches have been applied. Nimda uses backdoors installed by worms such as Code Red to gain access to web sites, and if these backdoors haven’t been manually removed, reinfection might happen.

The worm uses several known security holes to spread. One of them enables the e-mail attachment to execute automatically when the e-mail attachment is read on some systems.

End users are adviced to avoid SAMPLE.EXE e-mail attachment, apply latest Outlook and Internet Explorer patches and download latest anti-virus updates.

F-Secure Anti-Virus is capable of detecting and stopping the Nimda virus. The detection of this virus was added on October 29th.

By October 31st, F-Secure had received reports of Nimda.E from USA, China, Sweden, Norway, Finland, France and Germany.

Technical details as well as a screenshot of the worm are posted at: http://www.f-secure.com/v-descs/nimda_e.shtml




Share this