Aggressive new worm threatens Web users

WASHINGTON (CNN) -- The FBI is investigating a new computer worm that surfaced Tuesday and is considered so aggressive that computer security experts urged people not to surf the Web until they have updated their antivirus programs.

Internet users could infect their computers simply by visiting an infected Web page, experts warned. What's unusual about this worm, dubbed "Nimda," is that it can be activated in many different ways. Nimda can be triggered through some well-known actions, such as clicking on an e-mail attachment or running an executable program. The ability to spread through a compromised Web page is unusual.

But some aspects of this worm should serve as red flags.

"An e-mail with gibberish in the subject line, or an attachment on a blank e-mail just about cries out, 'Hey, open me, I'm a virus," Steve Demogines, director of tech support for Panda Software, told CNN on Tuesday.

The FBI's National Infrastructure Protection Center is investigating the case with the cooperation of industry organizations, officials told CNN. One federal law enforcement official said there was no indication the worm may be related to terrorism, but that it was too early to know the origin of the Internet attack. The worm was first reported about 9 a.m. EDT from a site in Norway, Vincent Gullotto, head virus fighter at McAffee.com, told The Associated Press.

"Nimda" is similar to "Code Red," but security experts warned it could do more damage because it is more likely to affect more computers. "Code Red " attacked only servers and through only one security hole.

By comparison, the new worm can affect any desktop computer or server running Microsoft Windows software, said Peter Tippett, of the computer security firm TruSecure. It exploits a flaw in the e-mail program Outlook Express and it tries to wriggle in through 16 known vulnerabilities in Microsoft's Internet Information Services software (IIS) 4 or 5, including the security hole "Code Red II" left in some computers.

"Nimda" may masquerade as a sound or .wav file. When a user opens the underlying file, called "readme.exe," the program opens the computer's hard drive, allowing the computer to be accessed by third parties via the Internet, explained Dan Ingevaldson, of Internet Security Systems. The worm can also e-mail itself to everyone in the user's computer-based address book. Ingevaldson said experts are still trying to determine whether the worm directly harms hard drives.

Demogines of Panda Software said the problems seen as of Tuesday relates to productivity rather than any specific destruction of files.

"Customers' servers are bogged down, their executables are not working, they can't get to their files, which means they basically can't do their work," he told CNN.

Last week, after the terrorist attacks on the World Trade Center and Pentagon, the FBI warned there could be an increase in hacking incidents. The agency urged computer users to update antivirus software and security patches and to be cautious online.

The Associated Press & Reuters contributed to this report.