Financial Daily from THE HINDU group of publications, Thursday, September 20, 2001
Nimda -- a terror, any which way
L.N. Revathy
N. Nagaraj
A NEW virus hit Internet and computer systems across the world on Wednesday. First reports indicate that it could be more damaging and costlier than the Code Red worm, and for most Indians, the SirCam virus.
The new virus, Nimda (which is `admin' spelt backwards), doesn't stop at sending out infected e-mails, but also spreads through infected Web sites. Nimda is versatile in that it can modify Web sites so that it spreads when Web pages are downloaded. This property makes it more virulent than earlier virus attacks.
According to Mr Joe Hartmann, Director of North American Anti-virus Research for Trend Micro, this complex virus appeared to be a compilation of several recent virus threats including BlueCode, which had taken the Internet by storm.
As of the latest information available at the time of writing, this virus does not erase or delete files on the infected computers. It only propagates itself to other systems through e-mail, shared drives on a network, or Web sites. The problem is that all the activity of the virus and its propagation takes up computer processing resources and generates so much traffic that it slows down the network. In some organisations, this alone can cause a huge loss.
First reports indicated that the virus is transferred through an e-mail message that has no subject line and carries a file named readme.exe as an attachment, disguised as a seemingly harmless audio file.
Later reports by security firms indicate that the e-mail subject line could vary, that the message body could be blank, and that the name of the attachment could also vary and may use the icon for an Internet Explorer HTML document. First reports say that the size of the attachment is 57,344 bytes (57k). Later reports from infected users pegged it at a higher 68k.
Users of Microsoft Outlook Express are especially vulnerable to this virus as it exploits a vulnerability peculiar to the software's handling of MIME components. In layman's terms, this means that simply opening the message, or viewing it in the preview pane, is enough to get infected.
This is because the virus itself is disguised as a file of some harmless format, and once the browser attempts to open the file, the virus comes to life and starts propagating. In the e-mail version, the virus starts sending copies of itself to e-mail addresses in the "contacts" list or address book.
This vulnerability in Outlook Express installations can be corrected by downloading a patch for MIME Headers from the Microsoft Web site.
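The mail vector described above can be checked for at the gateway with a simple triage rule: a message with a blank subject whose executable attachment is declared under a harmless media MIME type, which is exactly the mismatch that a client trusting the declared type over the file name would act on. This is an added example, not code from the article or from any security vendor; the sample messages are constructed here, and the `audio/x-wav` content type is assumed as one way an executable could be presented as "a harmless audio file".

```python
import base64
import email
from email import policy

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".pif", ".com")
MEDIA_TYPES = ("audio", "image", "video", "text")


def triage_message(raw: bytes) -> list:
    """Return the reasons a message resembles the mail vector the article
    describes: a blank subject and an executable attachment declared as a
    media type. The attachment name is deliberately not matched, because the
    article notes it can vary; the extension/MIME mismatch is the signal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if not (msg["subject"] or "").strip():
        reasons.append("blank subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(EXECUTABLE_EXTS) and ctype.split("/")[0] in MEDIA_TYPES:
            reasons.append(f"executable {name!r} declared as {ctype}")
    return reasons


# Constructed sample messages (not real captured mail). The payload is a
# base64 placeholder string, not program code.
_PAYLOAD = base64.b64encode(b"constructed placeholder").decode()

SUSPECT_MAIL = (
    "From: sender@example.test\nTo: you@example.test\nSubject:\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/html\n\n<html></html>\n"
    "--b1\nContent-Type: audio/x-wav; name=\"readme.exe\"\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=\"readme.exe\"\n\n"
    f"{_PAYLOAD}\n--b1--\n"
).encode()

BENIGN_MAIL = (
    "From: sender@example.test\nTo: you@example.test\nSubject: Q3 report\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b2\"\n\n"
    "--b2\nContent-Type: text/plain\n\nSee attached.\n"
    "--b2\nContent-Type: application/pdf; name=\"report.pdf\"\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=\"report.pdf\"\n\n"
    f"{_PAYLOAD}\n--b2--\n"
).encode()

if __name__ == "__main__":
    print("suspect:", triage_message(SUSPECT_MAIL))
    print("benign:", triage_message(BENIGN_MAIL))
```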
In its avatar as a network virus, the worm first shares the disk it arrives on, and then starts scanning for other open/shared directories. Once it finds another executable file, it replaces the file with a new version in which the beginning of the executable contains the virus code, followed by the original program code. When the new version of the program is run, the whole process is repeated.
The Nimda virus also spreads through Web sites, and Web sites running on Microsoft IIS are particularly susceptible. This is because of a particular vulnerability in the IIS software, which had earlier been exploited by Code Blue/Code Red II. Microsoft has since made downloads available to correct this vulnerability, and the patch is downloadable from its Web site.
The modus operandi of the worm is such that it will cause networks and Internet connections to slow down, and in extreme cases, make them unusable. This is a huge cost compared to the impact of earlier-generation virus attacks. Some news reports in the international media have reported that experts have found the virus is also capable of spreading through file transfer protocol (FTP) and Internet relay chat (IRC).
You will know your machine is infected if you find unauthorised or unnecessary open network shares and/or the following files: admin.dll in the root folders of the local hard drives (c:\, d:\ or e:\), and/or readme.eml. Most major security software firms have released updates and/or fixes for detecting and removing the virus. Please check with the developer of your anti-virus software package or download a stand-alone fix.
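The file indicators just listed (admin.dll at a drive root, readme.eml anywhere on the disk) lend themselves to a quick host check. The scanner below is an added example, not code from the article or from any anti-virus vendor; it builds a throwaway directory that mimics an infected drive root so it can be run offline, and it assumes that a legitimate system has no admin.dll at the root of a local drive.

```python
import os
import tempfile

# Indicators named in the article: admin.dll only at the drive root,
# readme.eml anywhere in the tree.
ROOT_INDICATORS = {"admin.dll"}
TREE_INDICATORS = {"readme.eml"}


def scan_for_nimda_indicators(roots):
    """Walk each drive root (or any directory, for testing) and return the
    sorted paths of files whose names match the article's indicators."""
    hits = []
    for root in roots:
        # Root-only indicator: admin.dll directly under the drive root.
        for name in os.listdir(root):
            full = os.path.join(root, name)
            if name.lower() in ROOT_INDICATORS and os.path.isfile(full):
                hits.append(full)
        # Tree-wide indicator: readme.eml dropped in any folder.
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() in TREE_INDICATORS:
                    hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample input: a temp directory laid out like an infected
    drive root. The files hold placeholder text, not worm content."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    for rel in ("admin.dll",
                os.path.join("docs", "readme.eml"),
                os.path.join("docs", "notes.txt")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    # On a real Windows host the call would be
    # scan_for_nimda_indicators(["c:\\", "d:\\", "e:\\"]).
    for hit in scan_for_nimda_indicators([build_sample_tree()]):
        print("indicator found:", hit)
```

The other indicator the article names, unexpected open shares, is a separate check (on Windows, reviewing the output of `net share`).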