Nimda deserved its place (Score 4, Interesting)
The first I heard about Nimda was one of the senior engineers in our company telling me to scan my PC and let him know if anything showed up. The only thing that did was a JavaScript trojan dropper which was relatively harmless, but by the time I'd finished everyone was sitting around waiting for the company network to be given the all clear.
Nimda seemed to show a preference for hitting file servers. Even though my machine was clear at the start, I was just checking through a shared folder and *bam*, as soon as the mouse moved across a file called readme.txt.js (the final extension was hidden, but this didn't make any difference), a TFTP connection was opened to the host, and fortunately the antivirus had been updated by that time, and so stopped it. The preview bug that caused this was a zero-day.
I was on a Win98 box at the time; some people on unpatched NT machines fared worse. (Yeah yeah, I know, patch or die... but the company I was at didn't take endpoint security seriously. It was a wake-up call to the IT department; this was the first and last worm to really own our network.) They got hit by the worm-like behaviour, from directory traversal attacks with no assistance from the user needed. Nimda shut us down for days; during the first few all-clears our antivirus provider was still learning all the attack vectors, so it kept coming back.
I'd like to throw a few bricks at Symantec over this, but it was a shocking learning experience for more than just them. I doubt another event like this will happen on well-managed networks. It will just be the odd trojan leaking information and joining a botnet. Or maybe some idiot connecting his personal modem behind the firewall, but I can only hope not.