New Worm Hits 'Tens of Thousands' of Internet Targets

September 18, 2001 ( A new Internet worm, even more aggressive than the 'Code Red'worm that infected hundreds of thousands of computers several months ago, attacked 'thousands, possibly tens of thousands'of targets by midday Tuesday.

That’s the report about “W32.Nimda,’ according to Vincent Gullotto, head virus fighter at, a software company, who said the newcomer was first spotted at 9 a.m. Tuesday at a site in Norway.

The new worm tries to break into Microsoft’s Internet Information Services software, the same vulnerability used by Code Red.   That is typically found on computers running Microsoft Windows NT or Windows 2000 operating systems. Most home users, including those running Windows 95, 98 or ME, are not affected, officials said.

For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.

The online attacker can also travel via a blank e-mail message containing an attachment called “README.EXE.’ Antivirus experts warn that users shouldn’t open unexpected attachments.

New Virus More Persistent

‘W32.Nimda’is more persistent than its predecessors. Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft’s IIS, including the security hole left in some computers by the “Code Red II’ worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft’s Web site

“It’s causing enormous pain because it is at least an order of magnitude more aggressive than Code Red,’ said Alan Paller, director of research at the nonprofit Sans Institute. “It’s a pretty vigorous attacker.’

“W32.Nimda’ also affects lots of other online users who aren’t in the direct line of fire. Even when the attack on the intended target isn’t successful, the worm’s scanning process can slow down the Internet for many users and can have the effect of knocking Web sites or entire company networks offline.

The FBI is investigating the worm, said spokeswoman Debbie Weierman. The agency has not indicated whether the worm is connected to last week’s terrorism attacks.

FBI Warnings

On Monday, the FBI’s National Infrastructure Protection Center warned that a hacker group called the “Dispatchers’ said it would attack “communications and finance infrastructures’ on or about Tuesday.

“There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,’ officials said in a warning on the NIPC Web site.

Last week, the FBI warned that there could be an increase in hacking incidents after the twin attacks in New York and Washington. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

– Fred Schneyer