Do we know what IP Ports Nimda uses? Can we filter
SMTP traffic to keep out the unwanted traffic?
Nimda does its scanning using regular HTTP (TCP port 80) (for more information on ports, go to: Explanation of ports).
If your machines are not public Web servers, you could/should filter
that traffic. For machines that are public Web servers, you obviously
cannot do that.
As for SMTP, the following information comes from the CERT advisory found
"This worm propagates through e-mail arriving as a MIME
"multipart/alternative" message consisting of two sections. The first
section is defined as MIME type "text/html," but it contains no text, so the
e-mail appears to have no content. The second section is defined as MIME type
"audio/x-wav," but it contains a base64-encoded attachment named
"readme.exe," which is a binary executable.
The e-mail message delivering the Nimda worm appears to also have the
The text in the subject line of the mail message appears to be variable.
There appear to be many slight variations in the attached binary file,
causing the MD5 checksum to be different when one compares different
attachments from different e-mail messages. However, the file length of the
attachment appears to consistently be 57344 bytes."
That may give you enough information to filter the e-mail.
Nimda also uses port 69/udp for tftp. Please read the CERT advisory for
This was first published in September 2001
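As an added example (not part of the original question or answer, and not code from CERT), here is a small Python filter that checks a message against the mail characteristics quoted from the advisory above: a multipart/alternative message with two sections, an empty text/html first section, and an audio/x-wav second section carrying a base64-encoded attachment named readme.exe that decodes to 57344 bytes. The function and constant names are the example's own, and the sample message and the filler attachment bytes are constructed for illustration (they are not the worm).

```python
"""Structural filter for mail matching the Nimda characteristics quoted from
the CERT advisory. Added example; names, sample message and filler attachment
bytes are assumptions made for the example, not the advisory's or CERT's code."""
import base64
import email
from email import policy
from email.message import EmailMessage

# Taken from the advisory text quoted above.
NIMDA_ATTACHMENT_NAME = "readme.exe"
NIMDA_ATTACHMENT_LENGTH = 57344


def nimda_indicators(msg: EmailMessage) -> dict:
    """Report which of the advisory's structural indicators a parsed message
    matches. Reporting each one separately lets a gateway log partial matches
    (e.g. a readme.exe attachment whose length is not 57344 bytes)."""
    result = {
        "multipart_alternative": msg.get_content_type() == "multipart/alternative",
        "two_sections": False,
        "first_section_empty_html": False,
        "second_section_wav_readme_exe": False,
        "attachment_length_57344": False,
    }
    if not result["multipart_alternative"]:
        return result
    parts = list(msg.iter_parts())
    result["two_sections"] = len(parts) == 2
    if len(parts) != 2:
        return result
    first, second = parts
    # First section: declared text/html but carrying no text at all.
    result["first_section_empty_html"] = (
        first.get_content_type() == "text/html"
        and not first.is_multipart()
        and first.get_content().strip() == ""
    )
    # Second section: declared audio/x-wav, base64 encoded, named readme.exe.
    filename = (second.get_filename() or "").lower()
    result["second_section_wav_readme_exe"] = (
        second.get_content_type() == "audio/x-wav"
        and second.get("Content-Transfer-Encoding", "").strip().lower() == "base64"
        and filename == NIMDA_ATTACHMENT_NAME
    )
    # Variants differ in MD5, so the decoded length is the stable check.
    decoded = None if second.is_multipart() else second.get_payload(decode=True)
    result["attachment_length_57344"] = (
        decoded is not None and len(decoded) == NIMDA_ATTACHMENT_LENGTH
    )
    return result


def analyze(raw: bytes) -> dict:
    """Parse a raw message and return its indicator report."""
    return nimda_indicators(email.message_from_bytes(raw, policy=policy.default))


def looks_like_nimda(raw: bytes) -> bool:
    """True only when every indicator from the advisory matches."""
    return all(analyze(raw).values())


def build_sample(attachment: bytes, subject: str = "desktop") -> bytes:
    """Constructed message in the shape the advisory describes; the caller
    supplies filler attachment bytes. The subject is arbitrary because the
    advisory says it varies."""
    boundary = "====_ABC1234567890DEF_===="
    b64 = base64.encodebytes(attachment).decode("ascii")
    return (
        "From: someone@example.net\n"
        "To: victim@example.com\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"--{boundary}\n"
        f'Content-Type: audio/x-wav; name="{NIMDA_ATTACHMENT_NAME}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}"
        f"--{boundary}--\n"
    ).encode("ascii")


# Filler stand-in for the attachment: an "MZ" header padded to the advisory's
# length. Constructed for the example; it is not an executable.
SAMPLE_ATTACHMENT = b"MZ" + b"\0" * (NIMDA_ATTACHMENT_LENGTH - 2)

# Constructed ordinary message that should pass the filter.
BENIGN_MESSAGE = (
    b"From: alice@example.net\nTo: bob@example.com\nSubject: lunch\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\n\nNoon?\n"
)

if __name__ == "__main__":
    print(looks_like_nimda(build_sample(SAMPLE_ATTACHMENT)))    # True
    print(looks_like_nimda(build_sample(b"MZ" + b"\0" * 998)))  # False (length)
    print(looks_like_nimda(BENIGN_MESSAGE))                     # False
```

The subject line is deliberately not inspected (the advisory says it varies) and no MD5 is used (the advisory says the attachments differ slightly). A gateway that can only match one thing should key on the audio/x-wav section carrying a readme.exe name; the length check is a secondary confirmation that a future variant could break.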