Virus: SA Govt shuts down mail gateway

The recent Nimda worm has proven to be worse than first anticipated, with the South Australian government shutting down its Internet mail gateway as a precaution against the propagating virus.

Nimda mirrors the Code Red worm and its variants in that it attempts to identify vulnerable Microsoft IIS servers, deface them and infect additional vulnerable servers.

However, it is vastly different from Code Red in that its propagation includes a powerful email distribution component, according to information security company Vectra Corporation.

Nimda appears as a spoofed email and sends copies of itself to individuals in MAPI (Messaging Application Programming Interface) address books once it has infected a user's computer. Nimda then replaces .dll, .eml, .nws files on all shared drives. It also appends itself to all .htm, .html, and .asp files on the infected system.

"This is the real wake up call for anyone who did not apply the Microsoft IIS patches," technical architect at Vectra Corporation, Damon Wynne, told ZDNet Australia. "We have been absolutely inundated with calls from people all over the place with crashed servers. The virus appears to create hundreds of infected processes, which end up killing the server. It has got so bad that we are bringing in the hard drives from servers to clean internally here in the office."

Wynne told ZDNet that the South Australia government has closed down its Internet mail server gateway as a precautionary measure: "That's a lot of mail that isn't being collected and sent. Internal government mail is fine," Wynne said.

The South Australian Government had not returned calls to ZDNet Australia at time of press.

Ian Bigwood of Trend Micro said the worm was proving to be worse than first expected. "It's being trapped at the email gateway, however Web servers and browsing seems to be the strongest point of infections," he said.

Bigwood said he knew of a few local operations that had closed down Web browsing on the back of the worm's behaviour. "The Web site's (www.trendmicro.com.au/) copping a hammering," Bigwood said, of people flooding the Trend Micro site for information on the worm.

However, anti-virus vendor Symantec said it had received just eight reports of infections in Australia, mainly in NSW, and about eighteen in all across the Asia Pacific region. The infection rate has gone up 10 percent since this morning, according to Symantec's David Banes.

"It doesn't seem to be going off completely like the historical ones...but it's definitely out there," Banes said.

ZDNet Australia was unable to substantiate claims the National Australia Bank has been hit hard by the Nimda outbreak.

Talkback 1 comments

    I don't feel sorry for Microso ...Anonymous -- 19/09/01

    I don't feel sorry for Microsoft IIS administrators.

    There is good reason why admins are not allowed to inspect MS's code.

    I for one prefer to rely on myself rather than MS to secure my sites.

    Open source is safer than closed source, people who use closed source code should not complain, they only get what they deserve.
