In a press conference on Tuesday the U.S. Attorney General John Ashcroft compared the worm and its effects to "Code Red", which infected computers around the world earlier this year. The new bug is called "Nimda," which is admin spelled backwards. Ashcroft said that the FBI is currently working with individuals in the private sector in its investigation of the cyber threat.
He also said the Bureau had found no evidence that the global assault on computers was in any way connected to the recent terrorist acts in the United States. Ashcroft stressed the seriousness of the threat and said the worm had the potential to impact the speed of the Internet on a global basis.
Symantec and Network Associates have also received multiple reports of this worm and have assigned preliminary threat ratings of "level 4" (of 5) and "high risk" respectively. Many analysts and security experts have commented on the speed at which the bug spreads and the insidious ferocity of its attacks following the initial reports of its existence at around 6am EST on Tuesday.
"We've had numerous customers in Ireland reporting that they have either repelled it on their e-mail servers, or that their Web servers have been probed by infected systems searching for vulnerabilities," said Dermot Williams, managing director of Systemhouse Technology Group in Dublin. "Our own Web server has logged more than 750 attempts so far."
It is understood that the virus-like code includes a file called "admin.dll" that helps it spread across computer networks. Although the bug does not destroy data, it adds or modifies files, making it extremely difficult to remove from infected computers. Thus far, reported infections have spread when users open e-mail attachments, typically with the file names readme.exe, getadmin.dll, wininit.dll, and other variations of those filenames.
An ominous aspect of Nimda is its potential ability to spread when Web surfers visit Web pages that have been infected; however, there is currently no evidence that the virus has spread in this manner.
On Wednesday morning Microsoft reported that some of the contents carried on its Japanese-language Internet site were infected by the Nimda virus. The company has since warned that users who accessed the Microsoft Web site before 11pm Tokyo time on Tuesday should not use Internet services until they receive a protective patch.
The US National Infrastructure Protection Center (NIPC) on Tuesday said it had received numerous W32.Nimda.A@MM reports and that the software is propagating extensively through the Internet worldwide. The US government agency said the Nimda worm threatens Microsoft Internet Information Services on Windows 2000 and NT Web servers and also individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows platform (95, 98, and Millennium Edition).
"Preliminary analysis indicates that once a server is infected it will begin to scan for more vulnerable systems on the local network, which may result in a denial of service for that network," said the NIPC. "In the case of infected workstations as well as servers, the worm also makes the entire contents of the local primary hard drive (e.g. C Drive) available over the network. It is also believed that an additional user is added with administrative rights."
The agency has issued recommendations to network administrators to protect their systems and has urged individual users not to open unexpected e-mails.
Anti-virus patches are available at http://www.antivirus.com (Trend Micro), http://www.ca.com (Computer Associates), http://www.symantec.com and http://vil.nai.com (McAfee).