Information Security News mailing list archives

'Nimda' - Norwegian For 'Nasty'


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Sep 2001 02:39:53 -0500 (CDT)

http://www.newsbytes.com/news/01/170324.html

By Brian McWilliams, Newsbytes
LYSAKER, NORWAY,
20 Sep 2001, 11:14 AM CST
  
Network Associates called it "Minda." Central Command originally
called it "ConceptV5." But blame the ungainly name that stuck,
"Nimda," on one of the first virus researchers to capture a copy of
the malicious code.

Righard Zwienenberg, a senior research engineer with Norway's Norman
Data Defense, said the firm received several infected e-mails,
including nine in a one-minute period, early Tuesday.

Zwienenberg, co-founder of an invitation-only group named the
AntiVirus Emergency Discussion Network (AVED), said he immediately
prepared to ship off a sample of the new worm via e-mail to AVED's
approximately 50 members for their own dissection.

It was then that Nimda got its nearly unpronounceable name.

"Quickly looking into the code and the text of the probes, I noticed
that the virus attempts to transfer a file called Admin.dll. The first
thing that came to mind was to reverse this to Nimda and then send the
message, hence the birth of W32/Nimda.A@mm," said Zwienenberg, a
resident of the Netherlands.

In choosing Nimda, Zwienenberg intentionally ignored the name given to
the worm by its author. Buried in the worm's code is a string of text
that reads: "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China."

Nick FitzGerald, an independent anti-virus consultant and AVED member,
said virus researchers often take an obvious feature of the virus and
reverse the letters to form a name.

"It's a common naming ploy in AV circles as we try to avoid using the
name the malware writer desires," said FitzGerald.

Another reason the Concept moniker failed to stick, FitzGerald said,
was that the name had already been assigned in the mid-nineties to the
first Word macro virus released into the wild.

According to Roger Thompson, director of malicious code research for
TruSecure Corporation, Nimda's author may have believed his creation
was a "proof of concept."

"The author probably thinks it is the first to combine viral and wormy
techniques. It is not. He probably thinks it is the first to infect
HTML files. It is not. Possibly he thinks it is the first to combine
multiple techniques. But it is common for viruses and worms to combine
multiple techniques," said Thompson, who conceded that Nimda
nonetheless was well designed and was successful at spreading.

As for the reference to China in the worm's copyright line, a
spokesperson for the FBI's National Infrastructure Protection Center
said the agency is still investigating leads on the origin of the worm
and had no further comment.

Eric Chien, a researcher with Symantec's anti-virus research center
(SARC), said it is premature to conclude Nimda's author was Chinese.
Indeed, the phrase "R.P. China" is also used by many Spanish-speakers
to refer to the People's Republic of China. And "R.P." is a common way
to abbreviate the Republic of the Philippines, he noted.

"One could speculate those two letters stand for any type of name from
Roger to Philadelphia. Or it could simply be a red herring," said
Chien.

Although the once-virulent spread of Nimda has been contained, the
worm has managed to infect tens of thousands of servers and personal
computers, according to virus experts.

Thompson of TruSecure said researchers are continuing to analyze the
worm's functions.

"I'm just hoping there is no nasty payload hidden deep inside that has
yet to be discovered," he said.

Thompson added that he "ominously" interprets the "V.5" version
number in the worm's copyright line as a sign that the code is a beta
or test version.

Computer Economics said Wednesday night that the Nimda virus has
caused more than $500 million in damage to computer systems around the
world.

Norman's description of Nimda is at
http://www.norman.no/virus_info/w32_nimda.shtml .

TruSecure's write-up on the worm is here:
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024c_cid180.shtml .

SARC is online at http://www.sarc.com .



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.