FBI investigating new Internet worm, thousands of
computers targeted
By D. IAN HOPPER, AP Technology Writer
WASHINGTON (AP) - Anti-virus researchers were
fighting a new Internet attacker Tuesday similar to the
"Code Red" worm that infected hundreds of thousands of
computers several months ago.
The worm, known as "W32.Nimda," had affected
"thousands, possibly tens of thousands" of targets by
midday Tuesday, according to Vincent Gullotto, head virus
fighter at McAfee.com, a software company.
Even when the attack isn't successful, the worm's
scanning process can slow down the Internet for many
users and can have the effect of knocking Web sites or
entire company networks offline.
The FBI is investigating the worm, said spokeswoman
Debbie Weierman. The agency has not indicated whether
the worm is connected to last week's terrorism attacks.
On security e-mail lists, system administrators nationwide
reported unprecedented activity related to the worm,
which tries to break into Microsoft's Internet Information
Services software. That is the same software targeted
by Code Red, and it is typically found on computers running
Microsoft Windows NT or 2000.
Most home users, including those running Windows 95,
98 or ME, are not affected.
Ken Van Wyk, chief technology officer at ParaProtect,
said the worm tries to wriggle in through 16 known
vulnerabilities in Microsoft's IIS, including the security
hole left in some computers by the "Code Red II" worm,
which followed Code Red in August.
Code Red, by comparison, attacked through only one
hole, which could be patched by downloading a program
from Microsoft's Web site.
"It's causing enormous pain because it is at least an
order of magnitude more aggressive than Code Red," said
Alan Paller, director of research at the nonprofit SANS
Institute. "It's a pretty vigorous attacker."
In addition to direct Internet attacks, the worm can also
travel via e-mail. The e-mail message is typically blank,
and contains an attachment called "README.EXE."
Antivirus experts warn that users shouldn't open
unexpected attachments.
Efforts to isolate and track the worm were hampered by
the swiftness of the attack. Gullotto said the first report
came at about 9 a.m. EDT, from a site in Norway.
"It's taken down entire sites," Gullotto said. "I can't
even get to the Internet right now."
On Monday, the FBI's National Infrastructure Protection
Center warned that a hacker group called the
"Dispatchers" said they would attack "communications
and finance infrastructures" on or about Tuesday.
"There is the opportunity for significant collateral
damage to any computer network and telecommunications
infrastructure that does not have current countermeasures
in place," officials said in a warning on the NIPC Web site.
Last week, the FBI warned that there could be an
increase in hacking incidents after the twin attacks in New
York and Washington. They advised computer users to
update their antivirus software, get all possible security
updates for their other software, and be extra careful
online.