Security Incidents mailing list archives

Nimda mostly infects /8-locally.


From: Thomas Roessler <roessler () does-not-exist org>
Date: Wed, 19 Sep 2001 02:09:31 +0200

It seems that Nimda has some strong locality properties when spreading. Evaluating logs on a server which listens on an obscene number of virtual network interfaces with consecutive IP addresses, all in the same /24, I'm seeing the following distribution of "classical" netmasks (/n*8) with respect to the attacking hosts (unique IP addresses encountered in the logs):

        /16      1
        /8    1127
        /0     242

I don't see any /24s, but that's because there are no vulnerable hosts in that particular class C network.

This means, in particular, that the probability for Nimda to attack a host in the same /8 portion of the IP address space is approximately 5 times the probability to attack a host which is in some entirely "distant" region of the network.

It also seems like there is no special handling of /16 networks in the worm: Out of the 215 distinct /16 prefixes encountered (which do, however, still share the same /8 prefix with the attacked host's IP addresses), 36 make an appearance with only one unique IP address in my logs. The /16 prefix of the attacked host just happens to be one of these.

--
Thomas Roessler                        http://log.does-not-exist.org/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
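To reproduce the tally in the post from a log, here is an added example (not code from the original post): it counts unique source addresses by the longest octet-aligned prefix they share with the addresses they hit, and derives the same-/8 to "distant" ratio. The log format and all addresses are constructed for illustration.

```python
"""Classify scanning sources by the 'classical' (/24, /16, /8, /0) prefix
they share with the scanned targets, the tally the post above reports.

Added example, not code from the original post. Log lines and addresses
are constructed.
"""
from collections import Counter
from ipaddress import IPv4Address
from typing import Mapping

# Constructed sample, "src_ip dst_ip request", from a server answering on
# many consecutive addresses in one /24 (as in the post).
SAMPLE_LOG = """\
10.7.3.15 10.1.2.40 GET /
10.7.3.15 10.1.2.41 GET /
10.9.200.8 10.1.2.42 GET /
10.1.77.3 10.1.2.43 GET /
10.250.1.9 10.1.2.44 GET /
172.16.5.5 10.1.2.45 GET /
192.0.2.77 10.1.2.46 GET /
"""


def shared_classful_prefix(src: str, dst: str) -> int:
    """Longest octet-aligned prefix length (24, 16, 8 or 0) shared by src and dst."""
    octets = 0
    for a, b in zip(IPv4Address(src).packed, IPv4Address(dst).packed):
        if a != b:
            break
        octets += 1
    return octets * 8


def locality_distribution(log_text: str) -> Counter:
    """Count unique sources by the prefix length they share with the targets.

    A source seen against several targets is counted once, at the longest
    prefix it shared with any of them.
    """
    best = {}
    for line in log_text.splitlines():
        src, dst, *_ = line.split()
        best[src] = max(best.get(src, 0), shared_classful_prefix(src, dst))
    return Counter(best.values())


def local_preference_ratio(dist: Mapping[int, int]) -> float:
    """Same-/8 sources divided by distant (/0) sources; the ~5x figure in the post."""
    distant = dist.get(0, 0)
    return dist.get(8, 0) / distant if distant else float("inf")
```

Feeding the post's own counts (1127 for /8, 242 for /0) to `local_preference_ratio` gives about 4.66, the "approximately 5" the author quotes.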
