The Nimda worm first wrought havoc across the Internet in mid-September, spreading itself as an e-mail attachment called "Readme.exe", through shared hard drives on networks and by infecting users who browsed Web pages hosted on infected servers.
The original worm spread worldwide in about 30 minutes as Nimda files were automatically downloaded to users' computers from infected Web pages. Some companies forbade users from going online until patches and upgrades could be put in place.
Nimda had previously spawned three variants: Nimda.b, Nimda.c and Nimda.d, though none were particularly dangerous or different from the original, according to antivirus company Kasperksy Labs.
The newest version, however, Nimda.e, is a recompiled version of the original worm, according to both Kaspersky and to the technical director of malicious code at TruSecure, Roger Thompson. Thompson operates a network of worm catcher systems worldwide. The network discovered the first Nimda worm, though the new worm has so far hit only one worm catcher.
That the new variant is a recompiled version suggests the original author has made changes to the worm and re-released it, Thompson said. Thompson has yet to fully analyse the new variant, but he did note that some changes had been made. The "Readme.exe" file has now been changed to "Sample.exe" and the worm now downloads system files called "cool.dll" and "httpodbc.dll" where it previously only fetched "admin.dll," he said.
Some sub-routines in the code have also been modified, although what effect that will have is not yet clear, Thompson said.
Nimda was originally fought using a combination of e-mail and Web filters, antivirus updates and updates to Microsoft's Internet Explorer Web browser, which is the browser exploited to automatically download the worm. Because the names of the files have been changed in this latest variant, administrators will have to change the file names they are filtering for, but it would be best if they blocked all .exe files, Thompson said. He also cautioned users to upgrade their browsers.
While the spread of the current version is nowhere near that of the original Nimda, the worm is likely to spread quickly through computers that were not sufficiently patched after the last outbreak, Thompson said.
"I don't think too many people patched their browsers," he said.
The users who did upgrade their browsers ought to be safe, he said, but added, "If they defeated Nimda last time by updating their antivirus (software), then they could still be vulnerable."
Users are advised to upgrade as Thompson expects more variants of the worm to appear in the future.