Last month, a worm called "Nimda" spread rapidly; its initial rate of spread was even faster than CodeRed's. The worm combines a mass mailer with a web worm and propagates by infecting files, by mass mailing, through vulnerable IIS servers and over file shares. A non-IIS web server (such as Apache) can also act as a passive carrier of Nimda if infected HTML files are uploaded to it, which helps the worm spread further, so non-IIS web servers cannot be considered 100% safe either. Browsing an infected web server with a vulnerable copy of Internet Explorer can infect the client transparently. On the other hand, we have not seen any email propagation cases, so email gateway AV solutions will not reduce the spread very much. That is why MessageLabs, an Internet-level email AV service provider, rates it only as low risk, while other AV developers rate it as medium to high risk.
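The passive-carrier case is the one an administrator of a non-IIS server can actually check for. The script below is an added example, not part of the original newsletter: it walks a document root and flags .eml and .nws files sitting in web content, plus HTML pages containing a script that opens such a file (the pattern Nimda appended to served pages, as documented in public analyses of the worm, not in this article). The sample files are constructed here, and the function names are assumptions of this example.

```python
import os
import re
import tempfile

# Constructed sample content for a small document root. "news.htm" carries the
# kind of script injection Nimda appended to served HTML: it opens an .eml
# attachment in a window pushed off-screen. The snippet is reproduced from
# public analyses of the worm; the file names follow the worm's readme.eml and
# the PUTA!!.EML variant named in the article.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "news.htm": (
        "<html><body>Latest news</body></html>"
        '<html><script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script></html>'
    ),
    "readme.eml": "MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n",
    "puta!!.eml": "MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n",
    "logo.gif": "GIF89a",
}

# window.open("<something>.eml" ...) or "<something>.nws", case-insensitive so
# the upper-case variant file name is caught as well.
INJECTED_OPEN = re.compile(
    r'window\.open\s*\(\s*["\']([^"\']+\.(?:eml|nws))["\']', re.IGNORECASE)

# Message files have no business in a document root; their presence alone is
# a finding, whatever their content.
CARRIER_EXT = {".eml", ".nws"}
# Page types the worm appended its script to.
HTML_EXT = {".htm", ".html", ".asp"}


def scan_tree(root):
    """Return sorted (path, kind, detail) tuples for suspicious files under root.

    kind is "carrier" for stray .eml/.nws files and "injected_script" for
    pages whose script opens such a file; detail is the file name involved.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in CARRIER_EXT:
                findings.append((path, "carrier", name))
            elif ext in HTML_EXT:
                # Tolerate odd encodings: we only need the ASCII script tag.
                with open(path, "r", errors="replace") as f:
                    data = f.read()
                match = INJECTED_OPEN.search(data)
                if match:
                    findings.append((path, "injected_script", match.group(1)))
    return sorted(findings)


def scan_samples():
    """Write the constructed samples to a temporary directory, scan it, and
    return (kind, relative path, detail) tuples so the result is path-independent."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(content)
        return [(kind, os.path.relpath(path, root), detail)
                for path, kind, detail in scan_tree(root)]


if __name__ == "__main__":
    for kind, rel, detail in scan_samples():
        print(f"{kind:16} {rel:14} -> {detail}")
```

Run it against a real document root with `scan_tree("/var/www/html")`. A hit of either kind on a non-IIS server means the host is carrying the worm to browsers even though it cannot execute it itself; remove the stray message files and strip the appended script from the pages.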
Once a system is infected, removal is not easy. Fortunately, most AV developers have released automatic removal tools. The key disinfection step, however, is disabling all network shares or temporarily disconnecting hosts from the network until every machine has been cleaned; otherwise a freshly cleaned host is simply reinfected over a share by a neighbour that has not been cleaned yet. The tools therefore cannot prevent business loss in a corporate environment. Again, keeping software up to date and patched is the cheapest way to minimize the recovery cost. Installing content security products such as eSafe Gateway can also prevent users from downloading dangerous file types from the Internet.
A new variant, "Nimda.B", was discovered on 9 October. The only difference is that it uses PUTA!!.SCR and PUTA!!.EML as its file names. According to the AV developers, it is not widespread.