
Ports used by Nimda

Do we know what IP Ports Nimda uses? Can we filter SMTP traffic to keep out the unwanted traffic?
Nimda does its scanning using regular HTTP (TCP port 80) (For more information on ports, go to: Explanation of ports). Thus, if your machines are not public Web servers, you could/should filter that traffic. For machines that are public Web servers, you obviously cannot do that.

As for SMTP, the following information comes from the CERT advisory found at http://www.cert.org/advisories/CA-2001-26.html:

"This worm propagates through e-mail arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html," but it contains no text, so the e-mail appears to have no content. The second section is defined as MIME type "audio/x-wav," but it contains a base64-encoded attachment named "readme.exe," which is a binary executable.

The e-mail message delivering the Nimda worm appears to also have the following characteristics:

  • The text in the subject line of the mail message appears to be variable.
  • There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different e-mail messages. However, the file length of the attachment appears to consistently be 57344 bytes."

That may give you enough information to filter the e-mail.

Nimda also uses port 69/udp for tftp. Please read the CERT advisory for complete details.
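A mail-gateway check for the message structure quoted from the advisory, written as an added example in Python's standard `email` library; it is not code from the original answer or from CERT. It matches only the structural characteristics the advisory lists (a two-part multipart/alternative message, an empty text/html first part, an audio/x-wav second part carrying a base64 attachment named readme.exe of 57344 bytes), so it is a filter heuristic, not a signature for the worm itself. The sample message it builds is constructed with a zero-filled 57344-byte attachment so the check can be exercised offline.

```python
"""Structural check for the Nimda e-mail layout described in CERT CA-2001-26.

Added example, not from the original answer or from the CERT advisory. The
sample message below is constructed (zero-filled attachment), not a real
worm message.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Values quoted from the advisory in the answer above.
NIMDA_ATTACHMENT_NAME = "readme.exe"
NIMDA_ATTACHMENT_LEN = 57344  # bytes


def nimda_indicators(raw: bytes) -> dict:
    """Return which of the advisory's structural characteristics a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {
        "multipart_alternative": msg.get_content_type() == "multipart/alternative",
        "empty_html_first": False,
        "wav_exe_second": False,
        "length_57344": False,
    }
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    if len(parts) == 2:
        first, second = parts
        # First section: declared text/html but carrying no visible text.
        if first.get_content_type() == "text/html":
            found["empty_html_first"] = first.get_content().strip() == ""
        # Second section: declared audio/x-wav, base64, attachment named readme.exe.
        if second.get_content_type() == "audio/x-wav":
            name = (second.get_filename() or "").lower()
            cte = str(second.get("Content-Transfer-Encoding", "")).lower()
            found["wav_exe_second"] = cte == "base64" and name == NIMDA_ATTACHMENT_NAME
            payload = second.get_payload(decode=True) or b""
            found["length_57344"] = len(payload) == NIMDA_ATTACHMENT_LEN
    return found


def looks_like_nimda(raw: bytes) -> bool:
    """True only when every characteristic from the advisory matches."""
    return all(nimda_indicators(raw).values())


def build_sample(attachment: bytes, empty_html: bool = True) -> bytes:
    """Construct a message with the advisory's two-part layout (test data, not the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.add_alternative("" if empty_html else "<p>real content</p>", subtype="html")
    msg.add_alternative(attachment, maintype="audio", subtype="x-wav",
                        cte="base64", filename=NIMDA_ATTACHMENT_NAME)
    return msg.as_bytes()


if __name__ == "__main__":
    suspect = build_sample(b"\x00" * NIMDA_ATTACHMENT_LEN)
    benign = b"Subject: hello\r\n\r\nplain text, no attachment\r\n"
    print("constructed sample:", nimda_indicators(suspect), looks_like_nimda(suspect))
    print("plain message:", nimda_indicators(benign), looks_like_nimda(benign))
```

At a gateway, a message that matches every indicator is a strong quarantine candidate; a partial match (for example the same layout with a different attachment length, which the advisory notes varies only in content, not size) is worth logging rather than silently dropping, since ordinary multipart/alternative mail is common.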

This was last published in September 2001
