Well, it wasn't pretty, but I think I got rid of the Nimda on my network.
The lovely little thing about this virus/worm is that it doesn't matter if you have an Apache web server or not. All it takes is one small visit to an infected website and bang, you're it now.
It created over 2000 files, each about 75K; of course, that used up a HUGE amount of disk space.
Worm changes almost all html/asp/htm files and appends the following:
Hello World!
And like it or not, you're screwed. Unless you have applied an MS patch, which can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
Hope this helps others.
Found on a German website: a fix for those running Squid. (This was translated from German to English.)
==================
Squid Proxy filters Nimda worm
The Nimda worm installs a file named "readme.eml" on affected web
servers and builds JavaScript code into the web pages, which loads
this file. If a surfer visits the affected web server, the browser
loads this file and, with some versions of Internet Explorer, even
executes it without asking. In company networks, a proxy server can
ensure that the dangerous file does not reach the surfer's computer.
The following entries in the Squid web proxy's configuration file
"squid.conf" cause files with the ending "eml" to be blocked:
# Filter .eml files (-i makes the match case-insensitive)
acl worm urlpath_regex -i \.eml$
http_access deny worm
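
A cleanup check for the page changes described above, added here as an example and not part of the original post or the translated article: it walks a web root, reports html/htm/asp pages that reference readme.eml, and lists any .eml files. The function names and the 512-byte tail window are assumptions made for illustration.

```python
import os
import re
import sys

# File types the post says the worm modifies (assumed list: html, htm, asp).
PAGE_EXTS = {".html", ".htm", ".asp"}
# Case-insensitive reference to the dropped file named in the translated article.
MARKER = re.compile(rb"readme\.eml", re.IGNORECASE)


def scan_webroot(root):
    """Return (modified_pages, eml_files) found under root, as sorted path lists."""
    modified, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".eml":
                dropped.append(path)
            elif ext in PAGE_EXTS:
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if MARKER.search(data):
                    modified.append(path)
    return sorted(modified), sorted(dropped)


def tail_reference(path, window=512):
    """True if the reference sits in the last `window` bytes, i.e. was appended."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - window))
        return bool(MARKER.search(fh.read()))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    pages, emls = scan_webroot(root)
    for p in pages:
        where = "appended at end" if tail_reference(p) else "inside body"
        print(f"page references readme.eml ({where}): {p}")
    for p in emls:
        print(f"dropped .eml file: {p}")
    sys.exit(1 if pages or emls else 0)
```

The exit status is non-zero when anything is found, so the script can be run from a scheduled job against each web root after cleanup.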