Rule: Sid: 1284 -- Summary: This event is generated when an attempt is made to download a Nimda-infected attachment from a web server. -- Impact: Serious. A Nimda-infected web server may have spread the Nimda worm to the web client. -- Detailed Information: One of the methods the Nimda worm uses to propagate is by passing malicious code from an infected web server to a web client. The Nimda-infected code often uses the filename extension ".EML". The fully automated Nimda worm that has already infected an IIS web server searches through and infects the local web pages with malicious javascript. When a vulnerable web client attempts to load a web page from this server, the javascript will cause the web client to download and execute the Nimda-infected readme.eml file, causing the web client to become Nimda-infected. -- Affected Systems: Microsoft Windows based systems. -- Attack Scenarios: The user must use a link on an infected server. -- Ease of Attack: Simple. This is worm activity. -- False Positives: None Known -- False Negatives: The Nimda worm may spread via any file with the .EML or .NWS extension, not just readme.eml. This rule will not catch other .EML or .NWS files. -- Corrective Action: Examine the host for signs of infection. Use Anti-Virus tools to clean an infected host. Consider the use of alternative operating systems that are not vulnerable to this kind of attack. -- Contributors: Original rule writer unknown Original document author unkown Sourcefire Vulnerability Research Team Nigel Houghton <nigel.houghton@sourcefire.com> -- References: --