The University of Canterbury is among those organisations hit by the Nimda virus in New Zealand, while a US associate of shipping company Mainfreight has been taken offline by the virus.
The university has around 15 servers infected. These servers are running scripts at a tremendous rate, generating the equivalent of an internal denial of service attack.
"At the moment we're identifying the machines but some of them are sending more than 1000 calls per second," says Canterbury's IT manager Hamish Duff.
He says the firewall at Canterbury was so swamped the notification and updates from anti-virus vendor Sophos couldn't get through.
"That's slowed us down quite a bit. It's only now we're getting back online because we didn't want to spread the infection any further."
The systems that are infected have been locked off at their nearest router and Duff hopes that will help control the spread.
No critical systems have been affected, but voice mail was one of those hit.
"They seem to all be older boxes running NT rather than Windows 2000 - there are fewer updates and patches and things coming out for NT these days." The university has most of its IT systems centralised, however a number of departments like Engineering run smaller, older servers with their own IT staff.
"We're not sure where it came from yet."
Duff says the virus also seems to be scanning users' inboxes looking for addresses as well as the users' address books.
Mainfreight IT manager Kevin Drinkwater, who is responsible for the company’s IT systems worldwide, including at New Jersey-based CaroTrans International, is guessing the company was infected by someone downloading the virus from a website.
“Its systems were deeply affected although the virus didn’t hit database or executable files,” Drinkwater says.
CaroTrans’s accounting, web and proxy servers were affected. By yesterday, the accounting system was running again but the other two servers will need rebuilding, Drinkwater says.
He isn’t taking any chances on reinfection, disconnecting the web server from the company LAN.
“This is very significant and lots of websites are down. We’ve pulled the plug on ours.”
Drinkwater says Mainfreight’s New Zealand system hasn’t been infected but he has cut off access to the web to ensure the virus isn’t inadvertently downloaded.
Nimda, admin spelled backwards, uses a number of exploits to both spread itself and to attack systems. It travels via email or HTTP and looks for between 10 and 100 exploits on a variety of Windows platforms to try to find a weakness.
Anti-virus company Symantec's country manager Richard Batchelar believes the impact of the virus should be minimised in New Zealand because of the extent of last month's Code Red attack.
"This exploits the same hole in [Internet Information Server] IIS so if they've patched it for Code Red then it should be okay." Because the Nimda virus spreads itself via email as well as through a website-based download it will attract a lot of end-user attention, but Batchelar says it's really a problem for system administrators rather than consumers to worry about.
Reports of servers being pinged constantly are building up on the newsgroups and mailing lists. The DSL mailing list contains a number of comments on the voracity of the attack.
"I've got about 200 unique IP addresses attacking a number of times on my home server," says one, while another has been tracking the number of attempts since 1.15am today - now over 1300.
"Some multiple hits coming from the same machine," says the posting which asks "is this the new Code Red?"
Xtra, the country's largest ISP, is already filtering for the attachment and hasn't seen a surge in traffic as of yet.
"We always recommend being proactive rather than reactive to these things so we tell people they should install the latest patches and use an anti-virus product," says spokesperson Matt Bostwick.
Related Stories
Major new worm poses serious threat