Worms seem to get nastier and nastier. The Nimda worm is especially persistent. It travels in as much as five different ways, and if a network is secured from it at one end it waddles in at the other end, smiling.
One of the paths that Nimda takes is email. Once a computer is infected, Nimda uses a built-in SMTP engine to send copies of itself. Email addresses are gathered from archived email messages available via MAPI (Messaging Application Programming Interface) and from web pages in the user's browser cache.
Nimda Fools Internet Explorer
Recipients receive a MIME message containing two parts. The first part is an empty body, so when the message is opened nothing appears.
The second part is the tricky one and exploits a known vulnerability in Internet Explorer. It pretends to have a "audio/x-wav" content-type, but it is an executable file. This causes Internet Explorer 5.01 and 5.5 to run the code without asking the user and without the user's knowledge.
This flaw in Internet Explorer means extreme risk for all email clients that use it to display email messages, most prominently Microsoft Outlook and Outlook Express, but also Eudora.
If you use one of these email clients, the Nimda worm can be executed by just opening or previewing an email message. Users of all other email clients are not secure, but they have to open the attachment (usually called "readme.exe") manually.
Protect Your Computer
It is important not to open unknown attachments. But as we have seen this may not be enough to protect your computer from Nimda. You also need to fix the flaw in Internet Explorer.
First identify whether your version of Internet Explorer is at risk. If you run any of
- Internet Explorer 5.01 SP2
- Internet Explorer 5.5 SP2
- Internet Explorer 6
you do not need any security updates. To find out which version of Internet Explorer you have installed, select Help from Internet Explorer's menu and then About Internet Explorer.
If you run
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
- Internet Explorer 5.5 or
- Internet Explorer 5.5 SP1
you should update to one of the patched versions above.
To prevent future exploitation of Internet Explorer, you might also consider using an email client that does not rely on it to display messages. Examples of such email programs include Pegasus Mail, PocoMail and The Bat!.