Skip to main content /TECH with /TECH

New 'Nimda' variant hits Net, users urged to patch


(CNN) -- A new variant of the "Nimda" worm has appeared on the Internet, although exactly how it's different or whether it will be more or less serious than the original worm is so far undetermined, anti-virus firms said Tuesday. Nonetheless, users are cautioned to patch their systems as soon as possible to prevent infection.

The Nimda worm first wrought havoc on the Internet in mid September, spreading itself as an e-mail attachment. It also moved through shared hard disks on networks and by infecting users who browsed Web pages hosted on infected servers. When spread as an e-mail, Nimda arrives as an attachment called "Readme.exe."

But when spread through infected Web pages, Nimda files are often automatically downloaded to a user's computer with prompting. The original worm spread worldwide in about 30 minutes and caused some companies to forbid users to go online until patches and upgrades could be put in place.

Nimda had spawned three variants before Tuesday: "Nimda.b," "Nimda.c," and "Nimda.d," although none were particularly dangerous or different from the original, according to an alert released Tuesday by anti-virus company Kasperksy Labs.

The newest version, however, "Nimda.e," is a recompiled version of the original worm, according to both Kaspersky and to TruSecure technical director of malicious code Roger Thompson. Thompson operates a network of "worm catcher" systems worldwide that discovered the first Nimda worm, although only one worm catcher has so far been hit by the new worm.

That the new variant is a recompiled version indicates that the original author has made changes to the worm and re-released it, Thompson said. Thompson has yet to fully analyze the new variant, but he did note that some changes had been made. The "Readme.exe" file has now been changed to "Sample.exe," and the worm now downloads system files called "cool.dll" and "httpodbc.dll" where it previously only fetched "admin.dll," he said.

Some sub-routines in the code have also been modified, although what effect that will have isn't yet clear, Thompson said.

Nimda was originally fought using a combination of e-mail and Web filters, anti-virus updates, and updates to Microsoft's IE (Internet Explorer) Web browser, which is the browser exploited to automatically download the worm. Because the names of the files have been changed in this latest variant, administrators will have to change the file names they are filtering for, but it would be best if they blocked all .exe. files, Thompson said. He also cautioned users to upgrade their browsers.

Although the current variant so far is "nowhere near the spread of the original Nimda," the worm will likely pick up steam by attacking computers that weren't sufficiently patched after the last outbreak, Thompson said.

"I don't think too many people patched their browsers," he said.

The users who did upgrade their browsers ought to be "pretty safe," he said, but added that "if they defeated Nimda last time by updating their anti-virus [software], then they could still be vulnerable."

Users would be well-served to upgrade as Thompson expects more variants of the worm to appear in the future.


See related sites about Tech
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top