Nimda worm wreaks worldwide havoc

A new-style worm that was capable of infecting all 32-bit Windows computers and propagated using multiple methods spread across the world on Sept. 18, according to Roger Thompson, technical director of malicious code at TruSecure Corp.

The worm, called Nimda (admin spelled backwards), was able to spread via e-mail attachments, HTTP (Hypertext Transfer Protocol) or across shared hard disks inside networks, Thompson said. The worm could infect all 32-bit Windows systems – Windows 98, 2000, Millennium Edition, XP, NT – because it scanned systems for between 10 and 100 different vulnerabilities and exploited them when found, he said.

“It looks like they’ve made a Swiss Army Knife,” Thompson said, referring to the number of different tools the worm used to attack systems.

“Every Win32 system is going to be vulnerable, if not from one (vulnerability), then from another,” he said.

When spread by e-mail, Nimda arrived in inboxes as an attachment called “Readme.exe” or sometimes Readme.eml, Thompson said. The Readme file, however, had a malformed header (the data at the beginning of a file that allows a system to identify its type) which made the computer think it was a WAV, or sound, file, he said. However, Readme.exe was in fact a program and could be executed just from the preview panel when viewing it, without it being opened, he said.
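The defensive lesson of that malformed header is that a mail gateway should not trust the declared content type of an attachment; it should compare the label with what the bytes actually are. The following script is an added example, not code from the article or from TruSecure, and it assumes a constructed MIME message in which the attachment is declared as a sound file while its payload begins with the "MZ" magic bytes of a Windows executable (the message, the `build_message` helper, and the sample bytes are all constructed for this illustration):

```python
import base64
import email
from email import policy

# Constructed sample payloads (not real malware): a stub that merely
# carries the "MZ" magic of a Windows executable, and the header of a
# genuine WAV file for comparison.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"demo-bytes-only"
FAKE_WAV = b"RIFF" + b"\x24\x00\x00\x00" + b"WAVEfmt "

SUSPICIOUS_EXTENSIONS = (".exe", ".eml", ".scr", ".com", ".pif", ".bat")


def build_message(attachment: bytes, declared_type: str, filename: str) -> bytes:
    """Assemble a constructed multipart mail whose attachment carries the
    given (possibly false) Content-Type label."""
    body = base64.b64encode(attachment).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attachment\r\n"
        "--b1\r\n"
        f'Content-Type: {declared_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        f"{body}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


def sniff_type(data: bytes) -> str:
    """Identify a payload by its leading magic bytes, ignoring its MIME label."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def find_mismatched_parts(raw: bytes) -> list:
    """Return one finding per attachment whose declared type disagrees with
    its real content or whose filename looks executable under a benign label."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        filename = part.get_filename() or ""
        actual = sniff_type(payload)
        reasons = []
        # A PE executable labelled as audio/text/image is the Nimda pattern.
        if actual == "pe-executable" and not declared.startswith("application/"):
            reasons.append(f"declared {declared} but payload is a PE executable")
        # An executable-looking filename under a media label is suspicious
        # even before the bytes are examined.
        if filename.lower().endswith(SUSPICIOUS_EXTENSIONS) and declared.startswith(
            ("audio/", "image/", "text/")
        ):
            reasons.append(f"executable-looking filename {filename!r} under {declared}")
        if reasons:
            findings.append(
                {"filename": filename, "declared": declared, "actual": actual, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    bad = build_message(FAKE_PE, "audio/x-wav", "readme.exe")
    good = build_message(FAKE_WAV, "audio/x-wav", "song.wav")
    for label, sample in (("mislabelled", bad), ("genuine wav", good)):
        print(label, find_mismatched_parts(sample))
```

The check is deliberately independent of any filename: a gateway that only blocks `.exe` attachments would still pass an executable whose label and name both claim to be audio, whereas matching the magic bytes against the declared type catches the disguise itself.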

Once the worm had infected a system, be it by HTTP, e-mail or disk sharing, it then scanned its local subnet (a chunk of the Internet) looking for vulnerable systems, Thompson said. Though some systems, such as those that were up to date on their patches, were protected behind firewalls or were filtering .exe attachments, were safe from some aspects of the worm, it spread via three methods, making it more difficult to stop, he said. The spread of the worm across shared disks, which are more than likely entirely unprotected, “is going to be a real pain,” he said at the time the worm broke.

The worm was discovered by Thompson’s worldwide network of “worm catcher” systems at 9:08 a.m. on Sept. 18, he said. Within half an hour, it had spread across the whole world, he said.

“(Nimda) is certainly much faster, much more aggressive and much bigger” than Code Red, Thompson said. Code Red was another recent worm that caused a good deal of damage and consternation for systems administrators worldwide.

Michael Erbschloe, vice-president of research at the Computer Economics consulting firm in Carlsbad, Calif., estimated that 2.2 million Nimda infections took place over one 24-hour period and placed the worldwide economic impact of the worm at US$531 million in cleanup costs and downtime.

“A lot of machines have to be taken out of service until they’re cleaned,” Erbschloe said, referring both to servers and desktops. He estimated that, of the 2.2 million infections, 65 per cent were servers and 35 per cent were desktops.

Erbschloe marvelled at Nimda’s destructive power.

“It’s the fastest worm I’ve seen,” he said. “We still face another US$200 million in inspecting systems and doing patching. In spite of the fact that we did a lot of patching during Code Red, a lot of machines haven’t been patched.”