How Does the Nimda Worm Work?

Find out how the Nimda worm can be executed by just opening an email, and how you can secure your computer from that threat.

Worms seem to get nastier and nastier. The Nimda worm is especially persistent. It travels in as many as five different ways, and if a network is secured against it at one end, it waddles in at the other end, smiling.

One of the paths that Nimda takes is email. Once a computer is infected, Nimda uses a built-in SMTP engine to send copies of itself. Email addresses are gathered from archived email messages available via MAPI and from Web pages in the user's browser cache.

Nimda Fools Internet Explorer

Recipients receive a MIME message containing two parts. The first part is an empty body, so when the message is opened nothing appears.

The second part is the tricky one and exploits a known vulnerability in Internet Explorer. It claims to have an "audio/x-wav" content type, but it is actually an executable file. This causes Internet Explorer 5.01 and 5.5 to run the code without asking the user and without the user's knowledge.

This flaw in Internet Explorer means extreme risk for all email clients that use it to display email messages, most prominently Microsoft Outlook and Outlook Express, but also Eudora.

If you use one of these email clients, the Nimda worm can be executed by just opening or previewing an email message. Users of all other email clients are not secure either, but they have to open the attachment (usually called "readme.exe") manually.
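The mismatch described above, a part declared as "audio/x-wav" that is really an executable, is something a mail filter can check for. The following Python sketch is an added example, not part of the original article: the function name, the extension list and the sample message are constructed for illustration, and the payload is just the two-byte "MZ" executable signature followed by zero bytes.

```python
import base64
from email import message_from_bytes, policy

# Assumed lists for this example; a real filter would maintain its own.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
INERT_PREFIXES = ("audio/", "image/", "video/", "text/")

def suspicious_parts(raw: bytes) -> list:
    """Return (filename, declared_type, reasons) for parts whose declared
    media type looks harmless but whose name or content is executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype.startswith(INERT_PREFIXES):
            if name.endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            if payload[:2] == b"MZ":  # DOS/Windows executable signature
                reasons.append("MZ header")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings

# Constructed sample: empty first part, second part labelled as audio.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"MZ" + b"\x00" * 16) + b"\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(suspicious_parts(SAMPLE))
```

The check compares what the part claims to be with what its name and first bytes say it is, so a renamed attachment is still flagged by its signature.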

Protect Your Computer

It is important not to open unknown attachments. But as we have seen, this may not be enough to protect your computer from Nimda. You also need to fix the flaw in Internet Explorer.

First identify whether your version of Internet Explorer is at risk. If you run any of

you do not need any security updates. To find out which version of Internet Explorer you have installed, select Help from Internet Explorer's menu and then About Internet Explorer.

If you run

  • Internet Explorer 5.01
  • Internet Explorer 5.01 SP1
  • Internet Explorer 5.5 or
  • Internet Explorer 5.5 SP1

you should update to one of the patched versions above.

To prevent future exploitation of Internet Explorer, you might also consider using an email client that does not rely on it to display messages. Examples of such email programs include Pegasus Mail, PocoMail and The Bat!.

 

"I've known thee many a year, Kit Twink,
And ever hast thou fooled me!"

Thomas Hardy
The Slow Nature

©2009 About.com, a part of The New York Times Company.

All rights reserved.