FBI investigating new Internet worm, thousands of computers targeted

By D. Ian Hopper

Associated Press

WASHINGTON – Attorney General John Ashcroft Tuesday warned computer users about a new Internet threat that could slow the global network worse than the “Code Red” worm that struck earlier this summer.

Ashcroft said the FBI and private firms are assessing the effects of the program, known as “W32-Nimda,” which has affected possibly tens of thousands of computers. As the program spreads, its activity can slow or shut down Internet service for regular users.

“The scanning activity thus far indicates that this could be heavier than the July activity of Code Red,” Ashcroft said.

But Ashcroft dismissed the idea that Nimda is related to the attacks in New York and Washington.

“There is no evidence at this time which links this infection with the terrorist attack of last week,” he said.

Code Red mobilized law enforcement agencies and private companies in an unprecedented effort, as the Internet worm infected hundreds of thousands of computers and threatened a meltdown of the Internet. They implored computer users to install protective software.

All major antivirus companies now offer software to protect against Nimda.

On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft’s Internet Information Services software. That is the same software targeted by Code Red, and it is typically found on computers running Microsoft Windows NT or 2000.

Most home users, including those running Windows 95, 98 or ME, are not affected.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft’s IIS, including the security hole left in some computers by the “Code Red II” worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft’s Web site.

“It’s causing enormous pain because it is at least an order of magnitude more aggressive than Code Red,” said Alan Paller, director of research at the nonprofit SANS Institute. “It’s a pretty vigorous attacker.”

In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called “README.EXE.” Antivirus experts warn that users shouldn’t open unexpected attachments.

Efforts to isolate and track the worm were hampered by the swiftness of the attack. Vincent Gullotto, head antivirus researcher for McAfee.com, said the first report came at about 9 a.m. EDT, from a site in Norway.

“It’s taken down entire sites,” Gullotto said. “I can’t even get to the Internet right now.”

On Monday, the FBI’s National Infrastructure Protection Center warned that a hacker group called the “Dispatchers” said they would attack “communications and finance infrastructures” on or about Tuesday.

“There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” officials said in a warning on the NIPC Web site.

However, the Dispatchers group has recently defaced Middle Eastern Web sites in an apparent retaliation for last week’s attacks – a job that is far easier than creating a powerful Internet worm.

Antivirus firm F-Secure discovered that the message “Copyright 2001 R.P.China” is present in the worm, indicating a possible – but far from definite – link to China.

Last week, the FBI warned that there could be an increase in hacking incidents after the terrorist attacks. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

On the Net:

McAfee.com: http://www.mcafee.com

SANS: http://www.sans.org

National Infrastructure Protection Center: http://www.nipc.gov

Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
