[ISN] 'Nimda' - Norwegian For 'Nasty'

From: InfoSec News (isnat_private)
Date: Fri Sep 21 2001 - 00:39:53 PDT

  • Next message: InfoSec News: "[ISN] Cyber security alarm in Canberra"

    By Brian McWilliams, Newsbytes
    20 Sep 2001, 11:14 AM CST
    Network Associates called it "Minda." Central Command originally
    called it "ConceptV5." But blame the ungainly name that stuck "Nimda"
    - on one of the first virus researchers to capture a copy of the
    malicious code.
    Righard Zwienenberg, a senior research engineer with Norway's Norman
    Data Defense, said the firm received several infected e-mails,
    including nine in a one-minute period, early Tuesday.
    Zwienenberg, co-founder of an invitation-only group named the
    AntiVirus Emergency Discussion Network (AVED), said he immediately
    prepared to ship off a sample of the new worm via e-mail to AVED's
    approximately 50 members for their own dissection.
    It was then that Nimda got its nearly unpronounceable name.
    "Quickly looking into the code and the text of the probes, I noticed
    that the virus attempts to transfer a file called Admin.dll. The first
    thing that came to mind was to reverse this to Nimda and then send the
    message, hence the birth of W32/Nimda.A@mm," said Zwienenberg, a
    resident of the Netherlands.
    In choosing Nimda, Zwienenberg intentionally ignored the name given to
    the worm by its author. Buried in the worm's code is a string of text
    that reads: "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China."
    Nick FitzGerald, an independent anti-virus consultant and AVED member,
    said virus researchers often take an obvious feature of the virus and
    reverse the letters to form a name.
    "It's a common naming ploy in AV circles as we try to avoid using the
    name the malware writer desires," said FitzGerald.
    Another reason the Concept moniker failed to stick, FitzGerald said,
    was that the name had already been assigned in the mid-nineties to the
    first Word macro virus released into the wild.
    According to Roger Thompson, director of malicious code research for
    TruSecure Corporation, Nimda's author may have believed his creation
    was a "proof of concept."
    "The author probably thinks it is the first to combine viral and wormy
    techniques. It is not. He probably thinks it is the first to infect
    HTML files. It is not. Possibly he thinks it is the first to combine
    multiple techniques. But it is common for viruses and worms to combine
    multiple techniques," said Thompson, who conceded that Nimda
    nonetheless was well designed and was successful at spreading.
    As for the reference to China in the worm's copyright line, a
    spokesperson for the FBI's National Infrastructure Protection Center
    said the agency is still investigating leads on the origin of the worm
    and had no further comment.
    Eric Chien, a researcher with Symantec's anti-virus research center
    (SARC), said it is premature to conclude Nimda's author was Chinese.
    Indeed, the phrase "R.P. China" is also used by many Spanish-speakers
    to refer to the People's Republic of China. And "R.P" is a common way
    to abbreviate the Republic of Philippines, he noted.
    "One could speculate those two letters stand for any type of name from
    Roger to Philadelphia. Or it could simply be a red herring," said
    Although the once-virulent spread of Nimda has been contained, the
    worm has managed to infect tens of thousands of servers and personal
    computers, according to virus experts.
    Thompson of TruSecure said researchers are continuing to analyze the
    worm's functions.
    "I'm just hoping there is no nasty payload hidden deep inside that has
    yet to be discovered," he said.
    According to Thompson, he "ominously" interprets the "V.5" version
    number in the worm's copyright line to indicate the code is a beta or
    test version.
    Computer Economics said Wednesday night that the Nimda virus has
    caused more than $500 million in damage to computer systems around the
    Norman's description of Nimda is at
    http://www.norman.no/virus_info/w32_nimda.shtml .
    TruSecure's write-up on the worm is here:
    0.shtml .
    SARC is online at http://www.sarc.com .
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 03:24:55 PDT