IIS on Windows
URL decoding error
Remote access
Captured with snort
A URI (RFC 2396) has a limited set of allowed characters. Since this set is smaller than the set of allowable characters in filenames, the standard allows for encoding of special characters with % followed by the hex value of the character.
The flaw was that IIS decoded some of the input twice. IIS checks the path for security after the first decoding, but it is the second decoding that controls the file actually accessed.
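The check-order problem described above, as an added example (not code from IIS or from the original page): a validator that decodes once, checks, then decodes again, beside one that checks the fully decoded path. The function names, the decode cap, the policy of refusing paths that need more than one decode pass, and the sample paths are all assumptions made for this illustration.

```python
from urllib.parse import unquote

MAX_PASSES = 5  # assumed cap on decode rounds; paths needing more are rejected


def canonicalize(path: str) -> tuple:
    """Percent-decode until the string stops changing; return (result, passes)."""
    passes = 0
    while passes < MAX_PASSES:
        decoded = unquote(path)
        if decoded == path:
            return path, passes
        path = decoded
        passes += 1
    raise ValueError("too many layers of percent-encoding")


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (either slash style, as on Windows)."""
    return ".." in path.replace("\\", "/").split("/")


def flawed_check(path: str) -> bool:
    """Order described on the page: decode once, check, then decode again."""
    once = unquote(path)
    if has_traversal(once):
        return False           # rejected by the security check
    _accessed = unquote(once)  # second decode selects the file, never checked
    return True                # accepted


def hardened_check(path: str) -> bool:
    """Check the fully decoded form and refuse multiply-encoded paths."""
    try:
        final, passes = canonicalize(path)
    except ValueError:
        return False
    return passes <= 1 and not has_traversal(final)


# Constructed sample paths (not taken from the capture on this page).
SAMPLES = [
    "/scripts/index.html",
    "/scripts/my%20file.txt",
    "/scripts/%2e%2e/secret.txt",
    "/scripts/%252e%252e/secret.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:35} flawed={flawed_check(p)} hardened={hardened_check(p)}")
```

Only the last sample separates the two checks: after one decode it contains no ".." segment, so the flawed order accepts it, while the hardened check sees that a second decode changes the path and refuses it.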
NSFocus has a good description of the flaw. CERT claims they found the flaw.
Nimda had several other transmission methods not involving web servers.
Nimda had at least 18 variants it used.
GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close