FBI investigating new Internet worm, thousands of computers targeted

By D. Ian Hopper

Associated Press

WASHINGTON – Attorney General John Ashcroft Tuesday warned computer users about a new Internet threat that could slow the global network worse than the “Code Red” worm that struck earlier this summer.

Ashcroft said the FBI and private firms are assessing the effects of the program, known as “W32-Nimda,” which has affected possibly tens of thousands of computers. As the program spreads, its activity can slow or shut down Internet service for regular users.

“The scanning activity thus far indicates that this could be heavier than the July activity of Code Red,” Ashcroft said.

But Ashcroft dismissed the idea that Nimda is related to the attacks in New York and Washington.

“There is no evidence at this time which links this infection with the terrorist attack of last week,” he said.

Code Red mobilized law enforcement agencies and private companies in an unprecedented effort, as the Internet worm infected hundreds of thousands of computers and threatened a meltdown of the Internet. They implored computer users to install protective software.

All major antivirus companies now offer software to protect against Nimda.

On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft’s Internet Information Services software. Code Red targeted the same software, which is typically found on computers running Microsoft Windows NT or 2000.

Most home users, including those running Windows 95, 98 or ME, are not affected.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft’s IIS, including the security hole left in some computers by the “Code Red II” worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft’s Web site.

“It’s causing enormous pain because it is at least an order of magnitude more aggressive than Code Red,” said Alan Paller, director of research at the nonprofit SANS Institute. “It’s a pretty vigorous attacker.”

In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called “README.EXE.” Antivirus experts warn that users shouldn’t open unexpected attachments.

Efforts to isolate and track the worm were hampered by the swiftness of the attack. Vincent Gullotto, head antivirus researcher for McAfee.com, said the first report came at about 9 a.m. EDT, from a site in Norway.

“It’s taken down entire sites,” Gullotto said. “I can’t even get to the Internet right now.”

On Monday, the FBI’s National Infrastructure Protection Center warned that a hacker group called the “Dispatchers” said they would attack “communications and finance infrastructures” on or about Tuesday.

“There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” officials said in a warning on the NIPC Web site.

However, the Dispatchers group has recently defaced Middle Eastern Web sites in an apparent retaliation for last week’s attacks – a job that is far easier than creating a powerful Internet worm.

Antivirus firm F-Secure discovered that the message “Copyright 2001 R.P.China” is present in the worm, indicating a possible – but far from definite – link to China.

Last week, the FBI warned that there could be an increase in hacking incidents after the terrorist attacks. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

On the Net:

McAfee.com: http://www.mcafee.com

SANS: http://www.sans.org

National Infrastructure Protection Center: http://www.nipc.gov

Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
