A new variant of the Nimda worm has appeared on the Internet, though exactly how it is different or whether it will be more or less serious than the original worm is so far undetermined, antivirus firms said Tuesday.
Nonetheless, users are cautioned to patch their systems as soon as possible to prevent infection.
The Nimda worm first wrought havoc across the ‘Net in mid-September, spreading itself as an e-mail attachment, Web traffic, through shared hard disks on networks and by infecting users who browsed Web pages hosted on infected servers. When spread as an e-mail, Nimda arrives as an attachment called “Readme.exe.” But when spread through infected Web pages, Nimda files are often automatically downloaded to a user’s computer with prompting. The original worm spread worldwide in about 30 minutes and caused some companies to forbid users from going online until patches and upgrades could be put in place.
Nimda had spawned three variants before Tuesday, Nimda.b, Nimda.c and Nimda.d, though none were particularly dangerous or different from the original, according to an alert released Tuesday by antivirus company Kasperksy Labs Ltd.
The newest version, however, Nimda.e, is a recompiled version of the original worm, according to both Kaspersky and TruSecure Corp. technical director of malicious code Roger Thompson. Thompson operates a network of “worm catcher” systems worldwide that discovered the first Nimda worm, though only one worm catcher has so far been hit by the new worm.
That the new variant is a recompiled version indicates that the original author has made changes to the worm and re-released it, Thompson said. Thompson has yet to fully analyze the new variant, but he did note that some changes had been made. The “Readme.exe” file has now been changed to “Sample.exe” and the worm now downloads system files called “cool.dll” and “httpodbc.dll” where it previously only fetched “admin.dll,” he said.
Some sub-routines in the code have also been modified, although what effect that will have isn’t yet clear, Thompson said.
Nimda was originally fought using a combination of e-mail and Web filters, antivirus updates and updates to Microsoft Corp.’s Internet Explorer Web browser, which is the browser exploited to automatically download the worm. Because the names of the files have been changed in this latest variant, administrators will have to change the file names they are filtering for, but it would be best if they blocked all .exe. files, Thompson said. He also cautioned users to upgrade their browsers.
While the current variant so far is “nowhere near the spread of the original Nimda,” the worm will likely pick up steam by attacking computers that weren’t sufficiently patched after the last outbreak, Thompson said.
“I don’t think too many people patched their browsers,” he said.
The users who did upgrade their browsers ought to be “pretty safe,” he said, but added that “if they defeated Nimda last time by updating their antivirus (software), then they could still be vulnerable.”
Users would be well-served to upgrade as Thompson expects more variants of the worm to appear in the future.
TruSecure is at http://www.trusecure.com/.
Kaspersky, in Moscow, is at http://www.kaspersky.com/.
All the appropriate patches and upgrades offered by Microsoft can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp