http://www.newsbytes.com/news/01/170324.html

By Brian McWilliams, Newsbytes

LYSAKER, NORWAY, 20 Sep 2001, 11:14 AM CST

Network Associates called it "Minda." Central Command originally called it "ConceptV5." But blame the ungainly name that stuck, "Nimda," on one of the first virus researchers to capture a copy of the malicious code.

Righard Zwienenberg, a senior research engineer with Norway's Norman Data Defense, said the firm received several infected e-mails, including nine in a one-minute period, early Tuesday.

Zwienenberg, co-founder of an invitation-only group named the AntiVirus Emergency Discussion Network (AVED), said he immediately prepared to ship off a sample of the new worm via e-mail to AVED's approximately 50 members for their own dissection. It was then that Nimda got its nearly unpronounceable name.

"Quickly looking into the code and the text of the probes, I noticed that the virus attempts to transfer a file called Admin.dll. The first thing that came to mind was to reverse this to Nimda and then send the message, hence the birth of W32/Nimda.A@mm," said Zwienenberg, a resident of the Netherlands.

In choosing Nimda, Zwienenberg intentionally ignored the name given to the worm by its author. Buried in the worm's code is a string of text that reads: "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China."

Nick FitzGerald, an independent anti-virus consultant and AVED member, said virus researchers often take an obvious feature of the virus and reverse the letters to form a name.

"It's a common naming ploy in AV circles as we try to avoid using the name the malware writer desires," said FitzGerald.

Another reason the Concept moniker failed to stick, FitzGerald said, was that the name had already been assigned in the mid-nineties to the first Word macro virus released into the wild.

According to Roger Thompson, director of malicious code research for TruSecure Corporation, Nimda's author may have believed his creation was a "proof of concept."
"The author probably thinks it is the first to combine viral and wormy techniques. It is not. He probably thinks it is the first to infect HTML files. It is not. Possibly he thinks it is the first to combine multiple techniques. But it is common for viruses and worms to combine multiple techniques," said Thompson, who conceded that Nimda nonetheless was well designed and was successful at spreading.

As for the reference to China in the worm's copyright line, a spokesperson for the FBI's National Infrastructure Protection Center said the agency is still investigating leads on the origin of the worm and had no further comment.

Eric Chien, a researcher with Symantec's anti-virus research center (SARC), said it is premature to conclude Nimda's author was Chinese. Indeed, the phrase "R.P. China" is also used by many Spanish-speakers to refer to the People's Republic of China. And "R.P." is a common way to abbreviate the Republic of the Philippines, he noted.

"One could speculate those two letters stand for any type of name from Roger to Philadelphia. Or it could simply be a red herring," said Chien.

Although the once-virulent spread of Nimda has been contained, the worm has managed to infect tens of thousands of servers and personal computers, according to virus experts.

Thompson of TruSecure said researchers are continuing to analyze the worm's functions. "I'm just hoping there is no nasty payload hidden deep inside that has yet to be discovered," he said. Thompson added that he "ominously" interprets the "V.5" version number in the worm's copyright line as an indication that the code is a beta or test version.

Computer Economics said Wednesday night that the Nimda virus has caused more than $500 million in damage to computer systems around the world.

Norman's description of Nimda is at http://www.norman.no/virus_info/w32_nimda.shtml .

TruSecure's write-up on the worm is here: http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024c_cid180.shtml .
SARC is online at http://www.sarc.com .

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 03:24:55 PDT