The "Code Red" worm attempts to connect to TCP port 80 [standard HTML Web port] on a randomly chosen host assuming that a web server will be found.  Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service 
====================
The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. 

Email Propagation
This worm propagates through email arriving as a [standard] MIME message ... first section is defined as MIME type "text/html", but contains no text ... email appears to have no content ... second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable. 

Due to a vulnerability ... Automatic Execution of Embedded MIME Types, any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) ... 
>>> [a.k.a.unpatched] <<<   automatically runs the enclosed attachment  and, as result, infects the machine ...  Thus, in vulnerable configurations, the worm payload will automatically be triggered by  simply opening (or previewing) this mail message. 

... then collects strings that look like email addresses [johndoe@xyz.com] ... addresses then receive a copy of the worm ... Nimda stores the time the last batch of emails was sent ... every 10 days will repeat the process of harvesting addresses and sending the worm ... 

... infected client machines begin scanning for vulnerable IIS servers ... Nimda looks for backdoors left by previous IIS worms such as Code Red II and sadmind/IIS worm ... also attempts to exploit various IIS vulnerabilities ... infected client machine attempts to transfer a copy of the Nimda code to any IIS server that it scans and finds to be vulnerable...