New Information about IE 6 and the Nimda Worm

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Summary: If you are using IE 6 and all of the following conditions are true, you could be at risk from the Nimda worm, and should reinstall IE 6 using the default installation option:

  • You are running Windows 95, 98, 98SE or ME and

  • You upgraded from IE 5, IE 5.01, IE 5.01 Service Pack 1, IE 5.5, or IE 5.5 Service Pack 1 to IE 6 and

  • You did not apply the patch for MS01-020 or MS01-027 before upgrading to IE 6 and

  • When installing IE 6, you either selected "Custom Install" and deselected the option to install Outlook Express, or chose "Minimal Install".


Microsoft has recently learned of an unusual scenario under which it could be possible for a user running IE 6 to be vulnerable to the Nimda worm. The scenario would not occur under default conditions, but we do want to ensure that any customers to whom it applies take proper action to protect their systems. In our previous informational page about the Nimda worm, we noted that the worm attempts to exploit a previously reported security vulnerability. We noted that there are five ways to eliminate the vulnerability, and thereby protect your system against infection via either email or web browsing:

The first four options are fully effective in all cases, and customers who have taken any of these steps would be protected against the Nimda worm. However, in the fifth case, upgrading directly to IE 6, it could be possible to do this in a way that would not eliminate the vulnerability. This is true only for certain platforms, and only for certain non-default installation methods on those platforms.

There is no risk here to customers who are using Windows NT 4.0, Windows 2000, or Windows XP. This is because the vulnerable code is always updated on these platforms. Customers on Windows 98, 98SE or ME who upgraded directly to IE 6 may be vulnerable only if they upgraded by either:

  • Choosing Minimal Install.

  • Choosing Custom Install and then deselecting the option to upgrade Outlook Express.

This is because the files that contain the vulnerability are associated with Outlook Express, which ships as part of Internet Explorer. In these two installation modes, Outlook Express is not upgraded, and so the vulnerability remains. The two methods above are the only ways that Outlook Express would not be upgraded.

It's important to remember that the default installation mode for IE 6 is Typical Install, which does upgrade Outlook Express and therefore does protect against the vulnerability. Also, the other available option, Full Install, upgrades Outlook Express and does protect against the vulnerability.

The files containing the vulnerability cannot be added to the system via IE 6; they must already be there before the installation. As a result, if you weren't affected by the vulnerability prior to installing IE 6, you cannot be vulnerable afterwards. This means if you applied MS01-020, MS01-027, IE 5.01 SP2 or IE 5.5 SP2 before installing IE 6, the vulnerability was already eliminated and you were therefore fully protected before you installed IE 6. Likewise, if you upgraded directly from IE 4.x or earlier, you are fully protected because these versions didn't contain the vulnerability.

If you think you might be affected by this problem, start Outlook Express, then select About Outlook Express from the Help menu. The version number will be displayed in the dialogue box. If the version number begins with the number 5, you need to upgrade Outlook Express. The easiest way to do this is to reinstall IE 6, using either the Typical Install or Full Install option.

Microsoft would like to thank Dr. Hiromitsu Takagi for alerting us to this scenario.