Nimda worm wriggles throughout Asia
19 September, 2001 08:55
Most of Asia has been put on worm alert as W32.Nimda, a mass-mailing worm, greeted users Wednesday morning by infecting their address books, computers and servers.
Nimda, which tops the high-risk lists on anti-virus vendors' Web sites, is believed to be more widespread and costly than the Code Red viruses that caused an estimated US$2.6 billion in recovery costs, according to Network Associates Inc. (NAI), parent of anti-virus vendor McAfee.
"We've received seven times the call volume in the Asia-Pacific region today, compared to any regular day," said Ric Byrnes, director of support and services for NAI Asia-Pacific.
Traffic on NAI's own Web site was so heavy that it had to put out an apology for slow page display.
The worm does not discriminate between users and has affected both enterprise and home computers, Byrnes said. The "cocktail virus" the worm contains can spread via e-mail, and has the potential to generate so much Internet traffic that it slows down networks, he said.
Once Nimda infects a machine, it attempts to reproduce itself in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans unpatched Internet Information Servers (IIS) looking for a vulnerability and then attacks those servers. Finally, it searches for shared disk drives and tries to reach those devices, an NAI statement said.
However, a patch for the vulnerability that it exploits in Microsoft IIS has been available since the Code Red worm outbreak, and those who updated their anti-virus software would have been protected.
Ironically, Microsoft Co. Ltd. in Japan said MSN Japan servers were infected at 11pm Tuesday night for about an hour. The company warned that anyone who browsed the pages at that time might be infected.
The hour immediately after 11pm is the busiest time on Japan's Internet because NTT DoCoMo Inc.'s night-time rate telephone charges and flat-rate Internet access services start from 11pm.
Microsoft could not be reached for comment.
Kyodo News Service also said in a report that its servers were infected, as were those of the Chunichi Shimbun (newspaper) in Central Japan, Waseda University in Tokyo and Yamanashi Gakuin University.
According to David Banes, regional manager for Symantec Corp.'s Emergency Response Team in Asia, there were Nimda reports from New Zealand, Australia, and Hong Kong.
Worms have become a trend in recent months. Just as there were macro viruses that attacked Microsoft Word documents and Microsoft Excel spreadsheets a few years ago, and Flash viruses, such as NakedWife.exe, worms are the "trend of the day," NAI's Byrnes said. "The danger is that (Nimda) has the ability to work through the Internet and intranets, as opposed to just e-mail," he said.
While some Internet security experts had warned of the potential for increased virus activity after last week's attacks on the World Trade Center and the Pentagon, there is no evidence that links Nimda to the U.S. attacks, anti-virus vendors said.
NAI said that customers should adopt a multilayered anti-virus strategy to protect both e-mail and their Internet gateway points.
The impact of the Nimda worm in Asia-Pacific is still unknown, especially since virus writers could still pull apart the existing worm and create variants, Byrnes said.
"How quickly Nimda spreads is dependent on how many users have been exposed and how many have patched their systems," Symantec's Banes said. "As more people become aware and update their anti-virus software, you would hope the spread will slow down."