Nimda does its scanning over regular HTTP (TCP port 80) (for more information on ports, see Explanation of ports). Thus, if your machines are not public Web servers, you can and should filter that traffic. For machines that are public Web servers, you obviously cannot do that.

As for SMTP, the following information comes from the CERT advisory at http://www.cert.org/advisories/CA-2001-26.html:

"This worm propagates through e-mail arriving as a MIME 'multipart/alternative' message consisting of two sections. The first section is defined as MIME type 'text/html,' but it contains no text, so the e-mail appears to have no content. The second section is defined as MIME type 'audio/x-wav,' but it contains a base64-encoded attachment named 'readme.exe,' which is a binary executable. The e-mail message delivering the Nimda worm appears to also have the following characteristics:
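The MIME structure quoted from the CERT advisory is specific enough to check for at a mail gateway or in an incident-response triage script. The following Python is an added example written for this page, not code from the original answer or from CERT: it parses a raw message with the standard-library email package and reports which of the advisory's structural indicators are present (multipart/alternative container, empty text/html first section, audio/x-wav second section with base64 transfer encoding and a readme.exe filename). The additional MZ-header check on the decoded second section is an assumption of mine (Windows executables begin with the bytes "MZ"), not something the advisory text states. Both sample messages are constructed; the "attachment" is a few placeholder bytes, not the worm.

```python
"""Flag e-mail that matches the Nimda carrier structure described in CERT CA-2001-26.

Added illustration for a mail gateway or IR triage script; not code from the
original page or from CERT. Sample messages below are constructed and carry
harmless placeholder bytes in place of the real attachment.
"""
from __future__ import annotations

import base64
from email import message_from_bytes
from email.message import Message

# Human-readable indicator names, so a partial match is still visible to an analyst.
IND_CONTAINER = "multipart/alternative top-level container"
IND_EMPTY_HTML = "empty text/html first section"
IND_WAV_BASE64 = "audio/x-wav second section with base64 transfer encoding"
IND_README_EXE = "attachment named readme.exe"
IND_MZ_HEADER = "audio/x-wav payload begins with an MZ executable header (added check)"


def nimda_mime_indicators(raw: bytes) -> list[str]:
    """Return the CA-2001-26 structural indicators present in a raw RFC 822 message."""
    msg: Message = message_from_bytes(raw)
    findings: list[str] = []

    if msg.get_content_type() != "multipart/alternative":
        return findings
    parts = msg.get_payload()
    if not isinstance(parts, list):
        return findings  # malformed multipart: nothing further to inspect
    findings.append(IND_CONTAINER)

    # First section: declared text/html but carrying no text at all.
    if parts and parts[0].get_content_type() == "text/html":
        body = parts[0].get_payload(decode=True) or b""
        if not body.strip():
            findings.append(IND_EMPTY_HTML)

    # Second section: audio/x-wav that is really a base64-encoded executable.
    if len(parts) > 1 and parts[1].get_content_type() == "audio/x-wav":
        part = parts[1]
        if (part.get("Content-Transfer-Encoding") or "").strip().lower() == "base64":
            findings.append(IND_WAV_BASE64)
        if (part.get_filename() or "").lower() == "readme.exe":
            findings.append(IND_README_EXE)
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            findings.append(IND_MZ_HEADER)
    return findings


def looks_like_nimda_carrier(raw: bytes) -> bool:
    """Strong verdict: base64 audio/x-wav section plus either the readme.exe name or an MZ header."""
    found = set(nimda_mime_indicators(raw))
    return IND_WAV_BASE64 in found and bool(found & {IND_README_EXE, IND_MZ_HEADER})


# Constructed sample shaped like the advisory's description (placeholder bytes, not the worm).
SAMPLE_NIMDA_LIKE = b"""From: someone@example.test
To: victim@example.test
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="====_ABC123"

--====_ABC123
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

--====_ABC123
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

""" + base64.b64encode(b"MZ" + b"\x00" * 62) + b"""
--====_ABC123--
"""

# Constructed benign multipart/alternative message (plain text plus HTML rendering).
SAMPLE_BENIGN = b"""From: colleague@example.test
To: me@example.test
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="====_XYZ"

--====_XYZ
Content-Type: text/plain; charset="us-ascii"

Minutes are in the HTML version below.
--====_XYZ
Content-Type: text/html; charset="us-ascii"

<p>Minutes are in the HTML version below.</p>
--====_XYZ--
"""

if __name__ == "__main__":
    for label, raw in (("nimda-like", SAMPLE_NIMDA_LIKE), ("benign", SAMPLE_BENIGN)):
        print(label, looks_like_nimda_carrier(raw), nimda_mime_indicators(raw))
```

The verdict function deliberately requires the base64 audio/x-wav section plus one of the attachment checks, so a legitimate multipart/alternative mail (plain text plus HTML, as in the benign sample) is not flagged, while a copy with a renamed attachment still trips the MZ check.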