September 21, 2001
Nimda - that's Admin backwards
The Nimda worm (formally w32.nimda.a@mm) spreads in several ways, making it one of the wildest, fastest-spreading worms in recent memory.
- It infects Microsoft Internet Information Servers (IIS) by capitalizing on a dozen vulnerabilities in the IIS software. This is similar to how Code Red spread, and it creates a problem for system managers.
- It spreads from Windows end-user systems whenever anybody opens its attachment (readme.exe): the worm then mails itself to every address in the user's address book. This is similar to the technique used by the Anna Kournikova virus.
- The worm creates a web page that contains Java code. When a user views the web page, the Java code pushes the worm to his system and infects it.
- Nimda also copies the infected readme.exe file into random folders on the infected system and on the network to which the system is attached.
As of this writing, the anti-virus software vendors have not yet issued new signature files that remove the Nimda worm. Fixes are expected shortly, but Nimda has already proven to be difficult to remove. In many cases, the system must be removed from the network to which it is attached before the worm can be eradicated. In some cases, a system may require a complete reformatting of the disks and a reload of all software. A number of companies have shut down email and other services for days while attempting to eradicate Nimda.
To prevent infection:
- Do not open attachments to email messages that you are not expecting, even if they are from trusted people. (Remember, this worm spreads by mailing itself to people known by the person who owns the infected system.) Be particularly wary of an attached readme.exe file (see below).
- Upgrade Internet Explorer by installing the security patch.
- Upgrade Outlook by installing the Outlook 98 or Outlook 2000 security patch.
- Upgrade your anti-virus software often with the latest virus definition file (also known as signature file).
- Scan your system regularly with your anti-virus software. Enable auto-protect mode whenever possible.
- For system administrators using MS-IIS, install the patch.
About Readme.exe
Readme.exe is the name of the infected file in the Nimda worm. It's also a common name for a file that software companies use to tell you about new features or known bugs in their products. So if you do a search on your disk, you're bound to find one or more readme.exe files. Finding one of these files does not mean that your system has been infected. Here is a way to estimate whether a readme.exe file is the infected one:
- Figure out which folder or directory the file is in.
- Using Windows Explorer or My Computer, check whether the file's date matches the dates of the other files in that directory. Matching dates indicate that it probably came with the software in that directory and is not infected. A much more recent date suggests that the file could be infected.
This technique is not a sure-fire way to ascertain whether the file is infected, just a way to gauge the likelihood.
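The date comparison above can be automated for a whole disk. The following script is an added example and is not part of the original article or of any anti-virus product: it walks a directory tree, finds every file named readme.exe (case-insensitive, as Windows filenames are), and compares the file's modification time with the median modification time of the other files in the same folder. It generalizes the article's manual check slightly by letting you choose the filename and the "how much newer is suspicious" threshold, and it reports "undetermined" when a folder has nothing to compare against. The demo tree it builds is constructed for illustration; the folder names and timestamps are assumptions, not real software.

```python
import os
import statistics
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds in a day


def assess_file(path, threshold_days=30):
    """Compare the modification time of `path` with its sibling files.

    Returns 'likely-original' when the file's date sits within
    `threshold_days` of the median date of the other files in the folder,
    'suspicious' when it is much newer than its neighbours (the article's
    "recent date" indicator), and 'undetermined' when the folder holds no
    other files to compare against. Note that this is a likelihood
    estimate only: timestamps can be wrong or deliberately altered.
    """
    path = Path(path)
    siblings = [p for p in path.parent.iterdir() if p.is_file() and p != path]
    if not siblings:
        return "undetermined"
    median_mtime = statistics.median(p.stat().st_mtime for p in siblings)
    newer_by_days = (path.stat().st_mtime - median_mtime) / DAY
    if newer_by_days > threshold_days:
        return "suspicious"
    return "likely-original"


def scan_tree(root, target_name="readme.exe", threshold_days=30):
    """Walk `root` and assess every file whose name matches `target_name`.

    Matching is case-insensitive because Windows treats README.EXE and
    readme.exe as the same name. Returns {full_path: verdict}.
    """
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == target_name.lower():
                full = Path(dirpath) / name
                results[str(full)] = assess_file(full, threshold_days)
    return results


def build_demo_tree():
    """Build a constructed sample tree (hypothetical folders, not real software).

    GoodApp/  : an installed program whose readme.exe carries the same
                400-day-old date as the rest of the install.
    Shared/   : a folder of year-old documents into which a README.EXE
                dated yesterday has appeared, the pattern the article warns about.
    Lonely/   : a folder containing only readme.exe, so no comparison is possible.
    """
    root = Path(tempfile.mkdtemp(prefix="readme_check_demo_"))
    now = time.time()

    good = root / "GoodApp"
    good.mkdir()
    for name in ("app.exe", "help.txt", "readme.exe"):
        p = good / name
        p.write_bytes(b"demo")
        os.utime(p, (now - 400 * DAY, now - 400 * DAY))

    shared = root / "Shared"
    shared.mkdir()
    for name in ("report.doc", "budget.xls"):
        p = shared / name
        p.write_bytes(b"demo")
        os.utime(p, (now - 365 * DAY, now - 365 * DAY))
    dropped = shared / "README.EXE"
    dropped.write_bytes(b"demo")
    os.utime(dropped, (now - 1 * DAY, now - 1 * DAY))

    lonely = root / "Lonely"
    lonely.mkdir()
    alone = lonely / "readme.exe"
    alone.write_bytes(b"demo")
    os.utime(alone, (now - 1 * DAY, now - 1 * DAY))

    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, verdict in sorted(scan_tree(demo_root).items()):
        print(f"{verdict:16} {path}")
```

Run it as-is to see the three verdicts on the constructed tree, or call `scan_tree("C:\\")` (or any drive root) to triage a real system. Treat "suspicious" as a prompt to check the file with an up-to-date scanner, not as proof of infection; the article's caveat that dates only indicate likelihood applies equally to this script.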
As always, we will continue to help alert you to virus threats, both in this anti-virus section and via email through our Insider TipLetter. Subscribe here (free).