Nimda: Sept 2001

Spreads by:
random active probing (like before)
bulk emailing itself to victim's address book
copying itself across network shares
adding exploit code to webservers, to infect web clients.
scanning for backdoors left behind by code red ii and other worms