FBI investigating new Internet worm, thousands of computers targeted

By D. Ian Hopper

Associated Press

WASHINGTON – Attorney General John Ashcroft Tuesday warned computer users about a new Internet threat that could slow the global network worse than the “Code Red” worm that struck earlier this summer.

Ashcroft said the FBI and private firms are assessing the effects of the program, known as “W32-Nimda,” which has affected possibly tens of thousands of computers. As the program spreads, its activity can slow or shut down Internet service for regular users.

“The scanning activity thus far indicates that this could be heavier than the July activity of Code Red,” Ashcroft said.

But Ashcroft dismissed the idea that Nimda is related to the attacks in New York and Washington.

“There is no evidence at this time which links this infection with the terrorist attack of last week,” he said.

Code Red mobilized law enforcement agencies and private companies in an unprecedented effort, as the Internet worm infected hundreds of thousands of computers and threatened a meltdown of the Internet. They implored computer users to install protective software.

All major antivirus companies now offer software to protect against Nimda.

On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft’s Internet Information Services software. That software was the same targeted by Code Red, and is typically found on computers running Microsoft Windows NT or 2000.

Most home users, including those running Windows 95, 98 or ME, are not affected.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft’s IIS, including the security hole left in some computers by the “Code Red II” worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft’s Web site.

“It’s causing enormous pain because it is at least an order of magnitude more aggressive than Code Red,” said Alan Paller, director of research at the nonprofit SANS Institute. “It’s a pretty vigorous attacker.”

In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called “README.EXE.” Antivirus experts warn that users shouldn’t open unexpected attachments.

Efforts to isolate and track the worm were hampered by the swiftness of the attack. Vincent Gullotto, head antivirus researcher for McAfee.com, said the first report came at about 9 a.m. EDT, from a site in Norway.

“It’s taken down entire sites,” Gullotto said. “I can’t even get to the Internet right now.”

On Monday, the FBI’s National Infrastructure Protection Center warned that a hacker group called the “Dispatchers” said they would attack “communications and finance infrastructures” on or about Tuesday.

“There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” officials said in a warning on the NIPC Web site.

However, the Dispatchers group has recently defaced Middle Eastern Web sites in an apparent retaliation for last week’s attacks – a job that is far easier than creating a powerful Internet worm.

Antivirus firm F-Secure discovered that the message “Copyright 2001 R.P.China” is present in the worm, indicating a possible – but far from definite – link to China.

Last week, the FBI warned that there could be an increase in hacking incidents after the terrorist attacks. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

On the Net:

McAfee.com: http://www.mcafee.com

SANS: http://www.sans.org

National Infrastructure Protection Center: http://www.nipc.gov

Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.