Nimda Worm – How it Spreads and Prevention

    April 3, 2003

These are the days of attacks – virus attacks, terrorist attacks, social, political, religious attacks.

The latest worm to hit the Net is the Nimda worm, which is ADMIN spelled backwards. Most of the targets are (but of course!), IIS-servers and Outlook Express users.

The worm apparently generates an avalanche of Internet traffic because of its multipronged attack on both servers and PCs.

The Nimda worm, also known as readme.exe (also comes disguised as a .WAV file) is a deadly avataar of Magistr.B, Code Red, Code Blue and Apost bundled together. It has been termed as one of the most deadly worms ever to have stalked the alleys of the Internet.

As all the worms (and almost all other malignant species on earth, like terrorism), do what they like most – spread ASAP. Like other worms, Nimda too uses the address books of the email clients and starts sending its copies to unsuspecting recipients.

Nimda uses four ways to spread its tentacles. It scans the Internet looking for unprotected and vulnerable IIS servers, which makes it similar to Code Red and Code Blue. It also sends mass e-mail like SirCam and Apost do (in fact, it uses the same attachment, readme.exe, that Apost used). And Nimda looks for open network shares in a way similar to Magistr.B.

The most scary aspect is its use of malicious Web-page content. Here, have a mobile worm that discretely alters the Web page on an infected server so that whoever visits the web page being hosted at that server can become infected and further spread the worm.

Users randomly surfing the Internet may find a familiar Web site has been replaced with a screen informing them that they have chosen to download a file readme.exe. “What would you like to do with this file?”
For some users, the choice is easy (but not good): The file is automatically downloaded onto their hard drive.

A vulnerability in IE 5.01 and earlier allows code on the web pages to execute on its own without the users permission.

In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft’s Outlook e-mail software under the program’s “low” security setting.

When Nimda arrives in an e-mail, it appears as an attachment named readme.exe. This is the same name used by another current virus called W32/Apost-A, so anti virus companies say many people should already be wary of attachments bearing that name.

Patches for IE and OE are available for download at

It is also capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files.

As usual, the tried and tested policy is, not to open an attachment. This I follow with a strict rule, unless someone has actually mentioned that he or she is going to send an attachment with a particular name. It is strange that with so many viruses and worms, please still open unknown attachments.

For this particular worm, if you are infected (I mean your machine), then a file named “readme.exe” must be present in your root directory. Delete it with the ruthlessness of a terminator. In fact search the entire disk.

Buying an anti virus software is a good investment, and keep the database updated.

You can visit the following sites for the removal of the virus:

Outlook security patch can be downloaded at
For 98,10615,63020,00.html
For 2000,10615,63016,00.html
IIS Server Patch

Amrit Hallan is a freelance copywriter,
and a website content writer. He also dabbles
with PHP and HTML. For more tips and tricks in
PHP, JavaScripting, XML, CSS designing and
HTML, visit his blog at