Signature Detail

WORM: Nimda Infection Attempt (2)

This signature detects attempts to infect a Microsoft IIS Web server with the Nimda worm. Nimda can infect other Web servers by obtaining e-mail addresses and sending a copy of itself in infected messages using its own SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed through HTTP.

Extended Description

Nimda installs a backdoor, allowing the infected system to be controlled by a remote attacker.

References

• URL: http://www.securityspace.com/smysecure/w32_nmda_amm.html