Key Points:
- This particular virus swept through the online world in late 2001 and caused hundreds of millions of dollars' worth of damage.
- The strength of the Nimda virus was that it utilized methods from multiple types of malicious code.
- Security teams were able to stop Nimda via Host-Based Intrusion Detection/Prevention Systems (HIDS/HIPS) and Network-Based Intrusion Detection/Prevention Systems (NIDS/NIPS).
What is the Nimda Virus?: Complete Explanation
The Nimda virus is malware that first surfaced in September 2001, causing computer and network slowdowns as it tore through the digital world. It targets computers running early versions of Windows, including 95, 98, NT, XP, and 2000. Nimda caused hundreds of millions of dollars in damage costs before security experts released a patch that closed the weaknesses it exploited.
Nimda’s primary goal is to spread itself through any means possible. It doesn’t delete files or cause other harmful effects besides the chaos resulting from its slowdown of CPUs and network traffic.
It’s particularly effective because it combines techniques from the top three kinds of malware that hackers use to cripple computers: worms, viruses, and Trojan horses.
- A computer worm is a small program that can spread itself across a network without action from a human user. Nimda’s worm-like capabilities enable it to run malicious code from an email attachment’s preview pane without the user opening the attachment.
- A computer virus inserts duplicates of itself into other files and apps. Nimda has a file-infecting ability that puts copies of its code into DLLs and executable files.
- A digital Trojan horse is an app that appears to perform a useful task while quietly executing malicious code. Nimda was the first malware to infect servers and turn their hosted websites into Trojan horses that made visitors’ browsers download a script containing the virus.
A few years after its discovery, researchers from F-Secure found a hidden text string in the Nimda code that read “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China.” Despite this suspiciously blatant implication, the true origin of the multi-vector worm is still uncertain.
The text also implies that the hacker who created Nimda intended it to be called “Concept Virus.” When researchers realized that name was already taken by another virus, they dubbed it “Nimda,” which is the reverse spelling of “admin,” a filename commonly used by the virus.

The Storm Worm is a polymorphic virus that used provocative titles to lure people into clicking on links. 8% of computers were infected by this.
How Does the Nimda Virus Spread?
Nimda uses four main techniques to propagate itself:
- Sharing infected files over open networks
- Sending infected email attachments
- Exploiting early versions of IIS, Microsoft Windows’ web server, to upload infected scripts to exposed web pages
- Downloading infected scripts to the computers of users who browse infected web pages
The method this multi-vector worm uses to infect files is slightly different from that of most other viruses. Where the average virus takes over a file by placing a copy of its code inside the file, Nimda removes the original file, makes a copy of itself under the original filename, and then embeds the contents of the original file inside this new copy as a Windows resource. When the file is used, the computer worm loads its malicious code first and then extracts and runs the original program.
This means Nimda’s file-infecting code often reinfects contaminated files multiple times. There are cases where an infected Nimda file contains an embedded copy of another infected Nimda file, which contains another embedded Nimda file, which finally contains the original program. Antivirus researchers have logged cases of up to 250 reinfections in a single file.
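Because each infection layer keeps the previous executable intact as resource data, a wrapped file contains more than one MZ/PE header. The heuristic below, added here as an illustration and not taken from the original article or from any antivirus product, counts those embedded headers to estimate the reinfection depth; `fake_pe` and `wrap` build a constructed stand-in for such a file and do not reproduce Nimda's real layout.

```python
import struct


def _looks_like_pe(data, off):
    """True if an MZ header at `off` has an e_lfanew pointing at 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0"


def embedded_pe_offsets(data):
    """Offsets of every MZ/PE header in `data`, outermost image first."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if _looks_like_pe(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def reinfection_depth(data):
    """Number of executables wrapped inside the outermost one (0 = clean)."""
    return max(len(embedded_pe_offsets(data)) - 1, 0)


def fake_pe(body):
    """Constructed minimal MZ/PE-shaped blob with `body` appended where an
    embedded resource would sit. Not a loadable executable (assumption)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE sig follows header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + body


def wrap(original, times):
    """Mimic the wrapping described above: each new layer embeds the last."""
    data = original
    for _ in range(times):
        data = fake_pe(data)
    return data


if __name__ == "__main__":
    clean = fake_pe(b"original program bytes")
    print(reinfection_depth(clean), reinfection_depth(wrap(clean, 3)))
```

On real files this is a triage signal only: installers and self-extracting archives also legitimately carry embedded executables, so a non-zero depth warrants inspection rather than an automatic verdict.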
Once Nimda infects a computer, it starts looking for ways to thoroughly propagate through that computer and any others on open local networks. It creates hidden files containing its code with the extension EML or NWS in as many folders as it can, usually naming these files “README,” “ADMIN,” “DESKTOP” or “SAMPLE.”
When it finds folders containing documents, it creates an infected file named “RICHED20.DLL” in the folder. This is because Windows tends to look for a local DLL with that name when it loads complex documents. When a user opens any document in the same folder as the infected DLL, Nimda has more opportunities to spread.
Next, Nimda looks for email addresses in the computer’s address book, inbox, and any HTML documents in its Temporary Internet Files folder. It collects as many as it can find and sends them all blank emails with empty or random subject lines containing infected attachments usually named “README.EXE.” When a recipient opens or even previews the attachment, its malicious code can start spreading the virus through the new machine.
Nimda also begins probing a range of IP addresses selected at random, looking for servers running exposed versions of Microsoft’s IIS. When it finds a way in, it starts placing embedded scripts with malicious code on as many web pages on the server as it can.
If a user with an exposed browser visits one of these infected pages, the page’s Nimda script will automatically download a README.EML file containing the computer worm’s malicious code. The file will then surreptitiously open in a minimized window, automatically executing its Nimda script, and the propagation process will begin again.
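The dropped-file behaviour described above (README/ADMIN/DESKTOP/SAMPLE copies with an EML or NWS extension, and a RICHED20.DLL planted beside documents) gives a host-level hunt a concrete pattern. The scanner below is an added example, not code from the original article; the set of document extensions and the sample directory layout are assumptions made for this illustration.

```python
import os
import tempfile
from pathlib import Path

# Filename indicators taken from the description above; the document
# extensions and the sample tree are assumptions made for this example.
DROPPED_STEMS = {"readme", "admin", "desktop", "sample"}
DROPPED_EXTS = {".eml", ".nws"}
PLANTED_DLL = "riched20.dll"
DOC_EXTS = {".doc", ".rtf", ".txt", ".htm", ".html"}


def scan_tree(root):
    """Walk `root` and return a sorted list of (path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]
        has_docs = any(os.path.splitext(n)[1] in DOC_EXTS for n in names)
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            full = os.path.join(dirpath, name)
            if ext in DROPPED_EXTS and stem in DROPPED_STEMS:
                hits.append((full, f"dropped copy {name}"))
            elif name.lower() == PLANTED_DLL and has_docs:
                # Only a RICHED20.DLL sitting next to documents matches the
                # planting pattern described above.
                hits.append((full, "RICHED20.DLL planted beside documents"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout (placeholder bytes, not real artefacts)."""
    base = Path(base)
    (base / "docs").mkdir()
    (base / "docs" / "report.doc").write_bytes(b"document")
    (base / "docs" / "RICHED20.DLL").write_bytes(b"planted")
    (base / "share").mkdir()
    (base / "share" / "README.EML").write_bytes(b"dropped")
    (base / "share" / "notes.txt").write_bytes(b"benign")
    (base / "bin").mkdir()
    (base / "bin" / "riched20.dll").write_bytes(b"no documents here")


def demo():
    """Build the sample tree in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(p).relative_to(tmp).as_posix(), why)
                for p, why in scan_tree(tmp)]
```

Run `scan_tree` against a share or user profile root; `demo()` shows the expected hits on the constructed tree, with the copy of riched20.dll in a folder without documents deliberately left unflagged.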

Viruses can infect devices in several different ways and spread by replicating files.
What Are the Effects and Damage Costs of the Nimda Virus?
The Nimda malware has subtly different effects depending on where the infection begins and how it arrives. Its destructive payload is limited to propagation tasks, which include file-infecting techniques and web content modification.
If an infected file slips through your network’s defenses, you can end up with hundreds of machines containing thousands of infected or damaged files, making the multi-vector worm almost impossible to remove. If it propagates enough across a web server, it can indirectly cause a denial-of-service event simply through the volume of traffic its processes trigger.
In its initial boom, the Nimda virus propagated to nearly 160,000 systems. Multiple large companies had to disconnect their networks from the internet to avoid infection. Nimda found its way into the servers of some of the largest companies of the time, including the Dell and Microsoft websites.
A few weeks after the first wave, another variant called “Nimda.e” infiltrated the computer systems of the federal court in Miami, Florida. Over Halloween week, court employees had to shut down their networks and go back to using paper files. The electronic files were eventually recovered after the local government hired an expert cybersecurity team to go through their systems and clean them out one by one. The same variant also got into the New York Times’ computer systems, forcing them to suspend operations for a couple of days.
Before antivirus companies came up with a patch, Nimda’s total damage cost was estimated to be around $600 million. For unpatched systems, the best way to get rid of the computer worm involved reformatting all contaminated hard drives and reinstalling all system software from scratch using safely patched versions.
How To Protect Your Computer From the Nimda Virus
The most important thing you can do to prevent infection by Nimda is to make sure your system software and Internet browser have all the latest security patches installed. For your safety, never open executable email attachments, especially from senders you don’t recognize, and treat even non-executable email attachments with suspicion.
If you think your computer or network has been infected, do the following:
- Disconnect your computer from the Internet and your local network
- Restore your system software from your most recent backup point or reformat your hard drives and reinstall everything using patched software versions
- Scan your restored system with the latest antivirus software
- If the scan comes up clean, you can reconnect to the Internet and your local network
Once you’ve thoroughly cleaned out your system, make sure to install antivirus protection from your favorite reputable provider.

TLS is the standard protocol today for computer network security.
The Best Antivirus Software for a Nimda Virus
The first company that came up with a tool to remove Nimda was a cybersecurity software provider called Symantec, which is now known as NortonLifeLock. Their original Nimda patch was called “FixNimda.com.” Their current antivirus products include the Norton Security Suite, which is dedicated to preventing and removing malware.
Since Nimda contains features resembling worms, viruses, and Trojan horses, a simple antivirus program may not be enough to keep it at bay. The security technologies specifically created to stop intrusions like Nimda include Host-Based Intrusion Detection/Prevention Systems (HIDS/HIPS) and Network-Based Intrusion Detection/Prevention Systems (NIDS/NIPS).
HIDS and HIPS keep an eye on local log files using signatures of known attack symptoms to identify suspicious activity and validate incoming network traffic. NIDS and NIPS oversee network traffic flow looking for symptoms of an active malware attack.
Most cybersecurity software today comes packaged as a comprehensive endpoint protection security suite rather than just a simple antivirus script. Antivirus software bundles usually include HIDS, HIPS, NIDS, and NIPS as well as other kinds of protection from viruses, worms, Trojan horses, malware, ransomware, etc.
If you run a server, you can also get a more specialized Intrusion Detection/Prevention System (IDS/IPS) like SolarWinds, OSSEC, or Fail2Ban. These will actively monitor your network log files and traffic for suspicious activity caused by Nimda and other intruders and alert you when something odd is going on or update your firewall rules to get rid of the threat.
This video from The Cyber Lab gives a high-level explanation of viruses and goes over the 11 most dangerous computer viruses, to include the Nimda Virus.