Users and virus alert centers have warned the on-line community about a new worm program, Nimda, that is being spread as an e-mail attachment.
The Symantec Security Response Web site was alerted to Nimda's existence on Monday, September 18.
Nimda arrives in a message that has no subject line, carried in an audio attachment file named 'README.EXE'. The recipient does not see the file as an attachment when the message arrives, because the file is classified as "hidden" and one of the worm's traits is that it changes system settings so that hidden files are not displayed.
The worm can be executed just by reading or previewing the README.EXE file. Although the worm replicates rapidly, Symantec reports that it will replicate itself in place of some existing files and slow the affected computer's performance. The damage it causes is classified as a "medium" threat.
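A mail-filter style check for the delivery traits described above (no subject line, an attachment declared as audio but named README.EXE), as an added example that is not part of the original article. The function names, the extension list and the sample message, including its audio/x-wav type, are constructed for illustration.

```python
from email import message_from_string

# Assumption: extensions treated as executable for this illustration.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")

def suspicious_traits(msg):
    """Return the reasons a parsed message matches the described pattern."""
    reasons = []
    if not (msg.get("Subject") or "").strip():
        reasons.append("no subject line")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # not an attachment with a name
        if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment: {filename}")
            # The declared MIME type says audio, the file name says program.
            if part.get_content_maintype() == "audio":
                reasons.append(
                    f"declared type {part.get_content_type()} "
                    f"does not match {filename}"
                )
    return reasons

def check_text(raw):
    """Parse raw RFC 822 text and return the list of findings."""
    return suspicious_traits(message_from_string(raw))

# Constructed sample message (not captured traffic).
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed sample body
--b1
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="README.EXE"

AAAA
--b1--
"""

if __name__ == "__main__":
    for reason in check_text(SAMPLE):
        print("FLAG:", reason)
```

A filter like this would quarantine on the type and name mismatch alone; the missing subject line is a weaker signal that only adds context.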
The Nimda worm targets Windows NT and Windows 2000 systems and can infiltrate network servers, bypassing security measures to make the C: drive on the machine a shared network resource. Symantec also warned that Microsoft IIS Web servers can be infected. Users visiting the compromised web servers will be prompted to download an .eml (Outlook Express) e-mail file, which contains the worm as an attachment. Users can disable 'File Download' in their Internet security zones to prevent such compromise.
In addition, the worm can create open network shares on a computer it infects, thus making the computer accessible, with administrative rights, to hackers.
The worm was first detected earlier today in Hong Kong, where it spread rapidly. "This is probably the fastest-spreading virus in Hong Kong ever," said Roy Ko, principal consultant at Hong Kong Computer Emergency Response Team. The worm was reportedly reaching out much faster than the Code Red worm which threatened computers earlier this summer.
Nimda is "admin" spelled backwards.