Nimda gains the run of local networks
Nimda is 'admin' spelt backwards, which is apt as one of its tricks is to grant itself administrative privileges to gain the run of local networks.
It spread initially by scanning the web and local networks for servers with two vulnerabilities: a back door used by the Code Red virus, and a 'web server folder traversal', which allows an intruder to gain access to folders on a web server using a particular form of malformed URL.
Once Nimda has found a vulnerable server, it installs itself as a file called Admin.dll, which is executed to create a guest account granting full access privileges.
It also tries to infect other local servers and makes the boot drive public. Finally, it appends a script to key HTML and ASP files, which can infect PCs accessing the site.
Unpatched versions of Explorer 5.5 or earlier are vulnerable to this attack. Users of other browsers can still be infected if they have JavaScript enabled, but the code will ask permission before activation.
Yet another transmission route is provided by email. Nimda runs its own email routine, sending itself to addresses in the Outlook address book.
In older versions of Outlook and Outlook Express, these emails can self-activate from the viewing pane without being opened.
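As an added example (not part of the original article), a defender could look in web server logs for the probing described above: requests whose path still contains a folder traversal after repeated decoding, and requests for Admin.dll. The log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: date time client-ip method uri-stem status (assumed layout)
SAMPLE_LOG = """\
2001-09-18 10:00:01 192.0.2.10 GET /index.html 200
2001-09-18 10:00:02 192.0.2.77 GET /scripts/..%255c../example/tool.exe 404
2001-09-18 10:00:03 192.0.2.77 GET /scripts/..%c0%af../example/tool.exe 404
2001-09-18 10:00:04 192.0.2.77 GET /scripts/Admin.dll 500
2001-09-18 10:00:05 192.0.2.10 GET /docs/v1..2/notes.html 200
"""

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so nested encodings (%255c -> %5c -> \\) unwrap."""
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def classify(uri_stem):
    """Return the reasons a requested path looks like the probing described above."""
    reasons = []
    decoded = fully_decode(uri_stem)
    # Bytes 0xC0/0xC1 never occur in valid UTF-8; they mark overlong encodings.
    if re.search("[\xc0\xc1]", decoded):
        reasons.append("overlong-utf8")
    segments = re.split(r"[\\/]", decoded)
    if ".." in segments:  # a whole path segment equal to "..", not dots inside a name
        reasons.append("folder-traversal")
    if segments[-1].lower() == "admin.dll":
        reasons.append("admin-dll")
    return reasons

def scan(log_text):
    """Return (client_ip, uri_stem, reasons) for each suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed layout
        reasons = classify(fields[4])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Decoding only once would miss the second sample line, and a plain search for `..` followed by a slash would miss the third, which is why the check decodes to a fixed point and flags overlong byte sequences separately.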