RE: New worm? 'readme.eml'

From: Ferris, Thomas M (Thomas.Ferris@nmci-isf.com)
Date: 09/18/01


Date: Tue, 18 Sep 2001 10:52:13 -0700
Message-ID: <F24AA1B54DE41141AD7CAFD736FF642F0B2E74@NAWESDNIEX06VA.nadsuswe.nads.navy.mil>
To: "JKruser" <jkruser@adelphia.net>, "Pedro Miller Rabinovitch" <pedro@cipher.com.br>, <forensics@securityfocus.com>

What would be a good solution for this, or is there an exact plan of
attack to defend against this?

Thanks in Advance.

================
Thomas M. Ferris
IA - Incident Response
NMCI San Diego NOC
================

-----Original Message-----
From: JKruser [mailto:jkruser@adelphia.net]
Sent: Tuesday, September 18, 2001 10:07
To: Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

I also see a very serious possibility of this worm interacting with the
still prevalent sircam virus. Nimda, when it infects, opens share drives
on the infected PC... Sircam will scan for open shares on an internal
network or cable subnet and infect the remote PC without user
interaction. This could effectively increase the spread of sircam
exponentially and, due to the remailing capability of sircam, could shut
down mail servers in a short period of time.

I have not verified this possibility but it sounds feasible.

Claymore
the unprofound


