Nimda Notifyer is a simple perl script which can be dropped into
any cgi-enabled area on your web server. It will send an email
to the netblock owner of whichever IP accesses it.
-- all can be obtained from CPAN by entering
perl -MCPAN -e shell;
CPAN> install LWP::UserAgent
CPAN> install Net::Whois::Raw
CPAN> install File::Cache
the command prompt (as root, if possible). If the listed modules
are already installed, CPAN will ensure they're the latest available
Download the source, and adjust configuration variables to suit
the file in
/MSADC/ on one of your websites on your
network, it doesn't matter which one since this worm scans every
IP, and you need only bother the admin once.
the script to
.htaccess file with the contents
this will be a wakeup call the the admins of these NT machines,
and they will fix the problem.
you would like to preview the email that would be sent out, just
/MSADC/root.exe in your web browser. When a browser
is detected, the script automatically goes in to debug mode and
will not send any emails out or submit IPs anywhere. Or,
if you want to play extra safe, just set
can send enhancements or suggestions to Trevor Peirce at firstname.lastname@example.org.
From: Trevor Peirce <email@example.com>
Subject: Nimda Detected - 18.104.22.168
This is an automated email from www.digitalcon.ca. It appears
as though you are listed as the coordinator for the netblock from
which a Windows NT machine appears to have been infected with the
The IP address of the infected machine is 22.214.171.124. This
was detected on Fri Sep 21 23:37:00 2001 GMT. Please either remove
the worm or disconnect the machine from the Internet until you have
the chance to do so. It is using up not only your bandwidth but
everybody else's too.
Here are a few links with information about this worm:
Thank you for your attention,
Administrator of www.digitalcon.ca
digitalconceptions design © 2001