A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data Tuesday, but the FBI said that, as of yet, it sees no link to last week's terrorist attack.

Known as "Nimda" or "readme.exe," the worm spreads by sending infected email messages, copying itself to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software.

"It is extraordinary how much traffic this thing has created in a couple of hours," said Graham Cluley, senior security consultant for antivirus company Sophos. "As far as we can see, it doesn't seem to be using any psychological tricks because it's all automated."

Mailing lists for the security community quickly generated news of the worm, as the infected servers scanned the Internet for vulnerable servers.

An FBI representative said the agency was "assessing" the incident, but so far it found no relationship between the online deluge and last week's terrorist attacks on the World Trade Centre and the Pentagon.

"There has been no indication that this is linked (to Tuesday's) attack," said FBI spokeswoman Debbie Weierman. "That is the question of the day."

At a news conference Tuesday about last week's terrorist attacks, Attorney General John Ashcroft also spoke about the Internet worm. "This could be heavier than the July activity with Code Red," he said.

He noted that there is "no evidence" linking the worm, which he said may have first appeared on Monday, "to the terrorist attacks of last week."

The worm's name, Nimda, sparked speculation about its origin. Nimda, for example, is the backward spelling of "admin," the common shorthand for the system administrator. While the worm has text indicating that it may have originated in China, that is in no way hard evidence, experts said.

Others pointed out that NIMDA is the name of an Israeli defence contractor.

The worm apparently generates an avalanche of Internet traffic because of its multi-pronged attack on both servers and PCs.

The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode Directory Traversal vulnerability.

Once a server is infected, the worm continues to scan for other vulnerable computers. In addition, the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to trump a request for any page--even invalid requests--and instead return a page infected with the virus.

In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook email software under the program's "medium" security setting.

"There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in email."

Nimda also appears to be capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files.

"My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus technologist at email screening firm MessageLabs.

And that may not be the end of it. "We have also found an FTP component in there," Shipp said. "It may be trying to download nasty stuff from some Web site somewhere--we're still not sure. We know it is using FTP, but we don't know how yet."

MessageLabs said it stopped more than a hundred copies of the virus attached to email messages within an hour of the first incident, which arrived from Korea at 12:10 p.m. GMT.

Most of the Nimda copies captured by MessageLabs originated from the United States, leading the company to speculate that was where the virus originated.

While thousands of people likely became aware of the worm when their inboxes were flooded with email, for some the damage was more severe.

Mel Lower, who hosts Web sites for small businesses through Earthlink, said two of his customers' sites were inaccessible for much of Tuesday.

Lower of Davenport, Iowa, said he contacted Earthlink and was told that the worm "crippled" two Unix server farms. Earthlink could not immediately be reached for comment.

When Nimda arrives in an email, it appears as an attachment named readme.exe. This is the same name used by another current virus called W32/Apost-A, so antivirus companies say many people should already be wary of attachments bearing that name.

However, analysis of the worm is still ongoing, experts said.

"First of all, we are talking guesses at this time," said Fred Cohen from the University of New Haven in Connecticut. "Clearly, (it) just showed up this morning."

For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code were spreading at the same time.

The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University issued a warning Tuesday morning about malicious code scanning for vulnerable Web servers and an e-mail worm called Readme.exe.

"We are recommending to sites that they verify the state of security patches on all IIS servers and email client software," the warning said.

Staff writer Matt Loney contributed from London.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.