Do we know what IP Ports Nimda uses? Can we filter SMTP traffic to keep out the unwanted traffic?
Nimda does its scanning using regular HTTP (TCP port 80) (For more information on ports, go to:
Explanation of ports). Thus, if your machines are not public Web servers, you could/should filter that traffic. For machines that are public Web servers, you obviously cannot do that.
As for SMTP, the following information comes from the CERT advisory found at
"This worm propagates through e-mail arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html," but it contains no text, so the e-mail appears to have no content. The second section is defined as MIME type "audio/x-wav," but it contains a base64-encoded attachment named "readme.exe," which is a binary executable.
The e-mail message delivering the Nimda worm appears to also have the following characteristics:
The text in the subject line of the mail message appears to be variable.
There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different e-mail messages. However, the file length of the attachment appears to consistently be 57344 bytes." That may give you enough information to filter the e-mail. Nimda also uses port 69/udp for tftp. Please read the CERT advisory for complete details.
Dig deeper on Security Resources
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.