Q

Ports used by Nimda

Do we know what IP Ports Nimda uses? Can we filter SMTP traffic to keep out the unwanted traffic?
Nimda does its scanning using regular HTTP (TCP port 80); for more information on ports, see the Explanation of ports. Thus, if your machines are not public Web servers, you could (and should) filter that traffic. For machines that are public Web servers, you obviously cannot do that.

As for SMTP, the following information comes from the CERT advisory found at http://www.cert.org/advisories/CA-2001-26.html:

"This worm propagates through e-mail arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html," but it contains no text, so the e-mail appears to have no content. The second section is defined as MIME type "audio/x-wav," but it contains a base64-encoded attachment named "readme.exe," which is a binary executable.

The e-mail message delivering the Nimda worm appears to also have the following characteristics:

  • The text in the subject line of the mail message appears to be variable.
  • There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different e-mail messages. However, the file length of the attachment appears to consistently be 57344 bytes."

That may give you enough information to filter the e-mail.

Nimda also uses port 69/udp for tftp. Please read the CERT advisory for complete details.
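As an added example, not part of the original answer or of the CERT advisory, the following Python check parses a message with the standard library and reports which of the quoted e-mail characteristics it matches. The sample message is constructed here with zero-filled bytes in place of the attachment, and the rule that all five characteristics must match before flagging is an assumption of this example.

```python
import base64
import email
from email import policy

# Characteristics quoted from CERT CA-2001-26 on this page (not an official signature)
NIMDA_ATTACHMENT_NAME = "readme.exe"
NIMDA_ATTACHMENT_LEN = 57344


def nimda_indicators(raw_message: bytes) -> list:
    """Return the CERT-described Nimda mail characteristics present in raw_message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if msg.get_content_type() != "multipart/alternative":
        return hits
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        return hits
    first, second = parts
    # First section: declared text/html but carrying no text at all
    if first.get_content_type() == "text/html" and not first.get_content().strip():
        hits.append("empty text/html first part")
    # Second section: declared audio/x-wav but carrying a base64 executable
    if second.get_content_type() == "audio/x-wav":
        hits.append("audio/x-wav second part")
        if str(second.get("Content-Transfer-Encoding", "")).lower() == "base64":
            hits.append("base64 transfer encoding")
        if (second.get_filename() or "").lower() == NIMDA_ATTACHMENT_NAME:
            hits.append("attachment named readme.exe")
        if len(second.get_payload(decode=True) or b"") == NIMDA_ATTACHMENT_LEN:
            hits.append("attachment length 57344 bytes")
    return hits


def is_suspected_nimda(raw_message: bytes) -> bool:
    """Assumed policy: flag only when all five characteristics match, so that
    ordinary audio/x-wav attachments of other sizes are not blocked."""
    return len(nimda_indicators(raw_message)) == 5


def build_sample_message(attachment_len: int = NIMDA_ATTACHMENT_LEN) -> bytes:
    """Constructed test message with the described MIME shape; the attachment
    is attachment_len zero bytes, not the worm."""
    b64 = base64.b64encode(b"\x00" * attachment_len).decode()
    body = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
        "Subject: (variable)\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="B"\r\n\r\n'
        "--B\r\nContent-Type: text/html\r\n\r\n\r\n"
        '--B\r\nContent-Type: audio/x-wav; name="readme.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
        + body + "\r\n--B--\r\n"
    ).encode()
```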


This was first published in September 2001.
