FBI investigating new Internet worm, thousands of computers targeted

By D. Ian Hopper

Associated Press

WASHINGTON – Attorney General John Ashcroft Tuesday warned computer users about a new Internet threat that could slow the global network worse than the “Code Red” worm that struck earlier this summer.

Ashcroft said the FBI and private firms are assessing the effects of the program, known as “W32-Nimda,” which has affected possibly tens of thousands of computers. As the program spreads, its activity can slow or shut down Internet service for regular users.

“The scanning activity thus far indicates that this could be heavier than the July activity of Code Red,” Ashcroft said.

But Ashcroft dismissed the idea that Nimda is related to the attacks in New York and Washington.

“There is no evidence at this time which links this infection with the terrorist attack of last week,” he said.

Code Red mobilized law enforcement agencies and private companies in an unprecedented effort, as the Internet worm infected hundreds of thousands of computers and threatened a meltdown of the Internet. They implored computer users to install protective software.

All major antivirus companies now offer software to protect against Nimda.

On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft’s Internet Information Services software. That software was the same targeted by Code Red, and is typically found on computers running Microsoft Windows NT or 2000.

Most home users, including those running Windows 95, 98 or ME, are not affected.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft’s IIS, including the security hole left in some computers by the “Code Red II” worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft’s Web site.

“It’s causing enormous pain because it is at least an order of magnitude more aggressive than Code Red,” said Alan Paller, director of research at the nonprofit SANS Institute. “It’s a pretty vigorous attacker.”

In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called “README.EXE.” Antivirus experts warn that users shouldn’t open unexpected attachments.

Efforts to isolate and track the worm were hampered by the swiftness of the attack. Vincent Gullotto, head antivirus researcher for McAfee.com, said the first report came at about 9 a.m. EDT, from a site in Norway.

“It’s taken down entire sites,” Gullotto said. “I can’t even get to the Internet right now.”

On Monday, the FBI’s National Infrastructure Protection Center warned that a hacker group called the “Dispatchers” said they would attack “communications and finance infrastructures” on or about Tuesday.

“There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” officials said in a warning on the NIPC Web site.

However, the Dispatchers group has recently defaced Middle Eastern Web sites in an apparent retaliation for last week’s attacks – a job that is far easier than creating a powerful Internet worm.

Antivirus firm F-Secure discovered that the message “Copyright 2001 R.P.China” is present in the worm, indicating a possible – but far from definite – link to China.

Last week, the FBI warned that there could be an increase in hacking incidents after the terrorist attacks. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

On the Net:

McAfee.com: http://www.mcafee.com

SANS: http://www.sans.org

National Infrastructure Protection Center: http://www.nipc.gov

Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Irene Pfister, left, holds a sign reading “Justice for Jonathan” next to another protester with a sign that says “Major Crimes Needs to Investigate,” during a call to action Saturday, April 12, 2025, in Arlington. (Aspen Anderson / The Herald)
Arlington community rallies, a family waits for news on missing man

Family and neighbors say more can be done in the search for Jonathan Hoang. The sheriff’s office says all leads are being pursued.

Jury awards $3.25M in dog bite verdict against Mountlake Terrace

Mountlake Terrace dog was euthanized after 2022 incident involving fellow officer.

Northshore School District Administrative building. (Northshore School District)
Lawsuit against Northshore School District reaches $500,000 settlement

A family alleged a teacher repeatedly restrained and isolated their child and barred them from observing the classroom.

Everett City Council on Wednesday, March 19 in Everett, Washington. (Will Geschke / The Herald)
Everett council to vote on budget amendment

The amendment sets aside dollars for new employees in some areas, makes spending cuts in others and allocates money for work on the city’s stadium project.

Bryson Fico, left, unloaded box of books from his car with the help of Custody Officer Jason Morton as a donation to the Marysville Jail on Saturday, April 5, 2025 in Marysville, Washington. (Olivia Vanni / The Herald)
Books behind bars: A personal mission for change

Bryson Fico’s project provides inmates with tools for escape, learning and second chances.

Everett
Everett man, linked to Dec. 31 pipe bomb, appears in federal court

Police say Steven Goldstine, 54, targeted neighbors with racial slurs and detonated a pipe bomb in their car.

Everett City Council on Wednesday, March 19 in Everett, Washington. (Will Geschke / The Herald)
Everett council approves budget amendment for staffing, stadium funding

The amendment budgets for some new employees and costs for the city’s multipurpose stadium project.

A SoundTransit Link train pulls into the Mountlake Terrace station as U.S. Representative Rick Larsen talks about the T&I Committee’s work on the surface reauthorization bill on Wednesday, April 16, 2025 in Mountlake Terrace, Washington. (Olivia Vanni / The Herald)
Larsen talks federal funding for Snohomish County transit projects

U.S. Rep. Rick Larsen (D-Everett) spoke with Snohomish County leaders to hear their priorities for an upcoming transit bill.

A damaged vehicle is seen in the aftermath of a June 2024 crash in Thurston County, in which the driver of another vehicle was suspected of speeding and driving under the influence. (Photo courtesy of Thurston County Sheriff Office)
Washington Senate passes bill to require speed limiting devices for habitual speeders

The state Senate passed a bill Tuesday attempting to stop habitual speeders… Continue reading

A student walks down a hallway at Evergreen Middle School past a sign displaying different values the students should embody while occupying the space on a 2024 school day in Everett. (Olivia Vanni / The Herald)
Washington takes ‘historic’ step toward full funding for special education

The House passed a Senate bill that ditches a cap on the flow of state dollars to school districts.

Adopt A Stream invites volunteers to plant trees along Quilceda Creek

The Tulalip Tribes and the Adopt A Stream Foundation will… Continue reading

Snohomish County Council member offers new proposal for habitat ordinance

Jared Mead wrote an amendment as an attempt to balance environmental concerns and housing needs.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.