GEN:SID 1:1284
Message WEB-CLIENT readme.eml download attempt
Summary This event is generated when an attempt is made to download a
Nimda-infected attachment from a web server.
Impact Serious. A Nimda-infected web server may have spread the Nimda worm to the web
client.
Detailed Information One way the Nimda worm propagates is by passing malicious
code from an infected web server to a web client.  The Nimda-infected
code often uses the filename extension ".EML".

Once the fully automated Nimda worm has infected an IIS web server, it
searches through the local web pages and infects them with malicious JavaScript.
When a vulnerable web client attempts to load a web page from this server,
the JavaScript causes the web client to download and execute the
Nimda-infected readme.eml file, and the web client becomes
Nimda-infected.
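
Added example, not part of the original rule documentation and not the rule's own logic: a log-side check for the download described above, run over web proxy or server access logs. The log lines, client addresses and field names are constructed for illustration, and flagging other ".eml" downloads for review is an assumption based on the extension note above.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.5 - - [01/Jan/2002:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 5120
192.0.2.5 - - [01/Jan/2002:14:02:12 +0000] "GET /readme.eml HTTP/1.0" 200 1024
192.0.2.7 - - [01/Jan/2002:14:05:40 +0000] "GET http://www.example.com/docs/ReadMe.EML?x=1 HTTP/1.0" 200 1024
192.0.2.8 - - [01/Jan/2002:14:06:02 +0000] "GET /files/r%65adme.eml HTTP/1.0" 404 0
192.0.2.9 - - [01/Jan/2002:14:07:30 +0000] "GET /mail/invoice.eml HTTP/1.0" 200 2048
192.0.2.9 - - [01/Jan/2002:14:07:31 +0000] "GET /readme.eml.txt HTTP/1.0" 200 300
this line is not a request and must be skipped
"""

# client, timestamp, method, request URI, status code
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def classify(uri):
    """Return 'readme.eml', 'other-eml' or None for a request URI."""
    # Drop the query string and decode %xx escapes before comparing,
    # so /r%65adme.eml and /ReadMe.EML?x=1 are both recognised.
    path = unquote(urlsplit(uri).path)
    name = path.rsplit("/", 1)[-1].lower()
    if name == "readme.eml":
        return "readme.eml"
    if name.endswith(".eml"):
        return "other-eml"  # lower confidence: review, do not assume Nimda
    return None


def scan(log_text):
    """Return one record per request for an .eml file; skip unparsable lines."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, ts, _method, uri, status = m.groups()
        kind = classify(uri)
        if kind:
            # A 2xx status means the file was actually served to the client,
            # so that client is the host to examine first.
            hits.append({"client": client, "time": ts, "uri": uri,
                         "kind": kind, "delivered": status.startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Clients with a "readme.eml" hit and "delivered" set are the ones to check first under Corrective Action.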
Affected Systems Microsoft Windows-based systems.
Attack Scenarios The user must follow a link on an infected server.
Ease of Attack Simple. This is worm activity.
Corrective Action Examine the host for signs of infection.

Use anti-virus tools to clean an infected host.

Consider the use of alternative operating systems that are not
vulnerable to this kind of attack.
Additional References  
Rule References url: www.cert.org/advisories/CA-2001-26.html