Just before 5:00 am PDT (12:00 GMT) on September 18, 2001 the Nimda
Worm began to infect hosts around the world. The infection peaked
around 12:00 PDT (19:00 GMT) on September 18th and has decreased
steadily ever since. At the peak of the infection, 160,000 hosts were
infected with the worm. The response to Nimda (blocking its traffic or
disinfecting machines) was both quicker and more effective than the
response to Code-Red. Less than 24 hours after Nimda began to infect
large numbers of hosts, 50% of the previously infected machines were no
longer actively spreading the worm. In contrast, it took 11 days for
50% of the hosts infected by Code-Red version 2 and CodeRedII to cease
their probes for new victims.
By 17:00 PDT (00:00 GMT) on September 19th, we had observed 450,000
unique IP addresses attempting to spread the Nimda worm. The gap
between the number of hosts actively infected at any one time (160,000
at the peak) and this much larger cumulative count of unique IP
addresses is caused primarily by the removal of many pools of infected
hosts from the Internet. Some organizations chose to disconnect
themselves voluntarily to protect their machines. Some ISPs
disconnected customers who were found to be spreading the worm, while
others blocked traffic to or from port 80. Finally, some sites were
compromised so severely that the infected hosts saturated their links
to the rest of the Internet, which in turn reduced the ability of those
hosts to spread the worm. This saturation may also have crowded out BGP
keepalive messages, causing sessions to drop and routes to be
withdrawn. Information about disinfection and prevention of Nimda was
released around 16:30 PDT (23:30 GMT).
The following two graphs show the number of hosts actively transmitting
Nimda in each 15 minute interval. The top graph uses a linear scale
for the y-axis, while the bottom graph has a log scale y-axis.
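The two quantities discussed above, the number of hosts actively probing in each 15 minute interval (what the graphs plot) and the cumulative number of unique source IP addresses (the 450,000 figure), along with the "time until 50% of infected hosts have stopped probing" measure used to compare Nimda with Code-Red, can all be derived from a log of observed probes. The following is an added example, not CAIDA's own measurement code; it assumes a log with one "timestamp source_ip" record per observed probe (for instance, an inbound connection to port 80 seen at a monitor), and the sample log embedded in it is constructed for illustration, not real Nimda data.

```python
"""Per-interval active hosts, cumulative unique sources, and time to 50% cessation.

Added example, not CAIDA's code. Assumed input: one "timestamp source_ip"
record per observed worm probe, timestamps in UTC. SAMPLE_LOG below is
constructed for illustration and is not real Nimda data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
BIN = timedelta(minutes=15)  # interval width used by the graphs

# Constructed sample: six sources (192.0.2.10-15) probing over about 90 minutes.
SAMPLE_LOG = """\
2001-09-18T12:01:00Z 192.0.2.10
2001-09-18T12:05:00Z 192.0.2.11
2001-09-18T12:16:00Z 192.0.2.12
2001-09-18T12:20:00Z 192.0.2.10
2001-09-18T12:31:00Z 192.0.2.13
2001-09-18T12:33:00Z 192.0.2.14
2001-09-18T12:35:00Z 192.0.2.11
2001-09-18T12:40:00Z 192.0.2.12
2001-09-18T12:47:00Z 192.0.2.13
2001-09-18T12:50:00Z 192.0.2.10
2001-09-18T13:05:00Z 192.0.2.15
2001-09-18T13:10:00Z 192.0.2.10
2001-09-18T13:20:00Z 192.0.2.12
2001-09-18T13:25:00Z 192.0.2.15
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_ts(ts):
    return ts.strftime("%Y-%m-%dT%H:%MZ")


def load_probes(log):
    """Return a time-sorted list of (timestamp, source_ip) from the log text."""
    probes = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        probes.append((parse_ts(ts), ip))
    return sorted(probes)


def bin_start(ts, width=BIN):
    """Floor a timestamp to the start of its interval (intervals aligned to the epoch)."""
    return EPOCH + ((ts - EPOCH) // width) * width


def timeline(probes, width=BIN):
    """One row per interval from the first to the last probe, including empty
    intervals: 'active' is the number of distinct sources probing in that
    interval; 'cumulative' is the number of distinct sources seen so far."""
    per_bin = defaultdict(set)
    for ts, ip in probes:
        per_bin[bin_start(ts, width)].add(ip)
    rows, seen = [], set()
    if not per_bin:
        return rows
    b, last = min(per_bin), max(per_bin)
    while b <= last:
        active = per_bin.get(b, set())
        seen |= active
        rows.append({"bin": fmt_ts(b), "active": len(active), "cumulative": len(seen)})
        b += width
    return rows


def peak(rows):
    """The interval with the most active sources (first one on ties)."""
    return max(rows, key=lambda r: r["active"])


def half_cessation_time(probes, reference):
    """Earliest time by which at least half of the sources observed at or before
    `reference` have sent their last observed probe, i.e. stopped spreading.
    This is necessarily a retrospective measure: a host's last probe is only
    known once the whole log is available."""
    last_seen, infected = {}, set()
    for ts, ip in probes:
        if ts <= reference:
            infected.add(ip)
        last_seen[ip] = max(last_seen.get(ip, ts), ts)
    if not infected:
        return None
    ends = sorted(last_seen[ip] for ip in infected)
    k = (len(ends) + 1) // 2  # ceil(n / 2): the k-th host to stop marks 50%
    return ends[k - 1]


PROBES = load_probes(SAMPLE_LOG)

if __name__ == "__main__":
    rows = timeline(PROBES)
    for r in rows:
        print(f"{r['bin']}  active={r['active']:3d}  cumulative={r['cumulative']:3d}")
    p = peak(rows)
    print("peak interval:", p["bin"], "with", p["active"], "active sources")
    ref = parse_ts("2001-09-18T12:45:00Z")
    print("50% of sources seen by", fmt_ts(ref), "had stopped by",
          fmt_ts(half_cessation_time(PROBES, ref)))
```

On the sample log the active count peaks at 4 in the 12:30 interval while the cumulative count keeps rising to 6, which is the same divergence the text describes between 160,000 hosts at the peak and 450,000 unique addresses overall. The cumulative figure counts addresses, not machines, so a host that changes address during the outbreak is counted more than once; the per-interval active count is not affected by that in the same way, since it is recomputed from scratch in every interval.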
