Ask the Expert

Ports used by Nimda

Do we know what IP Ports Nimda uses? Can we filter SMTP traffic to keep out the unwanted traffic?


Nimda does its scanning using regular HTTP (TCP port 80) (For more information on ports, go to: Explanation of ports). Thus, if your machines are not public Web servers, you could/should filter that traffic. For machines that are public Web servers, you obviously cannot do that.

As for SMTP, the following information comes from the CERT advisory found at http://www.cert.org/advisories/CA-2001-26.html:

"This worm propagates through e-mail arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html," but it contains no text, so the e-mail appears to have no content. The second section is defined as MIME type "audio/x-wav," but it contains a base64-encoded attachment named "readme.exe," which is a binary executable.

The e-mail message delivering the Nimda worm appears to also have the following characteristics:

  • The text in the subject line of the mail message appears to be variable.
  • There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different e-mail messages. However, the file length of the attachment appears to consistently be 57344 bytes."

That may give you enough information to filter the e-mail.

Nimda also uses port 69/udp for tftp. Please read the CERT advisory for complete details.
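As an added illustration (not part of the expert's answer), a Python mail-filter check that parses a message and reports which of the traits quoted from the CERT advisory it carries; the function names, the inert constructed sample message, and the choice to report the 57344-byte length without requiring it are this example's own assumptions.

```python
import base64
import email
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Traits quoted from the CERT advisory above; the function names are this example's own.
NIMDA_ATTACHMENT_NAME = "readme.exe"
NIMDA_ATTACHMENT_LEN = 57344

def nimda_mail_indicators(raw: bytes) -> dict:
    """Parse one raw message and report which advisory traits it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"multipart_alternative": msg.get_content_type() == "multipart/alternative",
             "empty_html_part": False, "xwav_exe_attachment": False,
             "attachment_len_57344": False}
    if not msg.is_multipart():
        return found
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/html" and not part.get_content().strip():
            found["empty_html_part"] = True  # HTML section that carries no text
        elif ctype == "audio/x-wav":
            name = (part.get_filename() or "").lower()
            b64 = part.get("Content-Transfer-Encoding", "").lower() == "base64"
            if name == NIMDA_ATTACHMENT_NAME and b64:
                found["xwav_exe_attachment"] = True
                data = part.get_payload(decode=True) or b""
                found["attachment_len_57344"] = len(data) == NIMDA_ATTACHMENT_LEN
    return found

def looks_like_nimda(raw: bytes) -> bool:
    """Filter verdict from structure plus attachment name. The 57344-byte length is
    reported but not required: the advisory only says it appears consistent."""
    ind = nimda_mail_indicators(raw)
    return ind["multipart_alternative"] and ind["empty_html_part"] and ind["xwav_exe_attachment"]

def build_sample(attachment_len: int = NIMDA_ATTACHMENT_LEN) -> bytes:
    """Constructed message with the advisory's layout; the attachment is inert zero filler."""
    msg = MIMEMultipart("alternative")
    msg["Subject"] = "(variable subject line)"
    msg.attach(MIMEText("", "html"))
    wav = MIMENonMultipart("audio", "x-wav")
    wav.add_header("Content-Disposition", "attachment", filename=NIMDA_ATTACHMENT_NAME)
    wav["Content-Transfer-Encoding"] = "base64"
    wav.set_payload(base64.encodebytes(b"\x00" * attachment_len).decode("ascii"))
    msg.attach(wav)
    return msg.as_bytes()
```

A filter built on this would quarantine on `looks_like_nimda` and log the length indicator alongside it, since the subject line varies and the MD5 of the attachment does not hold across samples.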


This was first published in September 2001
