Here's some (edited) info from http://www.cert.org/ (CERT/CC is a center of Internet security expertise; key parts are highlighted).

The "Code Red" worm attempts to connect to TCP port 80 [standard HTTP Web port] on a randomly chosen host assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service ...
Email Propagation

Due to a vulnerability ... Automatic Execution of Embedded MIME Types, any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) ...
... then collects strings that look like email addresses [johndoe@xyz.com] ... addresses then receive a copy of the worm ... Nimda stores the time the last batch of emails was sent ... every 10 days will repeat the process of harvesting addresses and sending the worm ...

... infected client machines begin scanning for vulnerable IIS servers ... Nimda looks for backdoors left by previous IIS worms such as Code Red II and sadmind/IIS worm ... also attempts to exploit various IIS vulnerabilities ... infected client machine attempts to transfer a copy of the Nimda code to any IIS server that it scans and finds to be vulnerable ...
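Both advisories describe the same propagation signature from the network's point of view: one host opening connections to many different addresses on TCP port 80 in a short time. The detector below is an added example, not part of the CERT text; it runs over constructed connection-log lines in an assumed "epoch src dst dport" format and flags sources that sweep many distinct hosts on port 80 within a sliding time window.

```python
"""Flag hosts that sweep many distinct addresses on TCP/80, the propagation
pattern the Code Red and Nimda advisories describe (scanning for web servers).

SAMPLE_LOG is constructed data, not real traffic. The line format below is an
assumption made for this example:  <epoch_seconds> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict

SAMPLE_LOG = """\
1000 10.0.0.5 192.0.2.10 80
1001 10.0.0.5 192.0.2.11 80
1002 10.0.0.5 198.51.100.7 80
1003 10.0.0.5 203.0.113.9 80
1004 10.0.0.5 203.0.113.44 80
1005 10.0.0.5 192.0.2.200 80
1010 10.0.0.8 192.0.2.10 80
1011 10.0.0.8 192.0.2.10 443
1020 10.0.0.5 192.0.2.10 25
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_scanners(log_text, port=80, window=60, threshold=5):
    """Return {src: distinct_hosts} for every source that reached at least
    `threshold` distinct destinations on `port` inside any `window` seconds."""
    events = defaultdict(list)  # src -> [(ts, dst), ...] for the watched port
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, seen in events.items():
        seen.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop connections that fell out of the window
            distinct = len({dst for _, dst in seen[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on tcp/{80} within 60s")
```

Only 10.0.0.5 is reported (six distinct hosts on port 80 in six seconds); the port 25 and 443 connections are ignored, and 10.0.0.8 never leaves a single destination.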