Re: New worm? 'readme.eml'

From: Naseer Bhatti (naseer@fibre.net.pk)
Date: 09/18/01


Message-ID: <00fe01c14089$640aa140$903487cb@z2m8v2>
From: "Naseer Bhatti" <naseer@fibre.net.pk>
To: "Ferris, Thomas M" <Thomas.Ferris@nmci-isf.com>, <forensics@securityfocus.com>
Subject: Re: New worm? 'readme.eml'
Date: Wed, 19 Sep 2001 02:32:11 +0500


> What would be a good solution for this, or is there an exact plan of
> attack to defend against this?

Yes, stop the outgoing SMTP connections to the following mail servers:

omega.serpro.gov.br (161.148.173.118)
server1.sans.org (167.216.133.33)
smtp.china.com (61.135.144.88)
perninha.conectiva.com.br (200.250.58.156)
phuck.nether.net (204.42.254.5)
mx.ideal.ru (212.69.101.252)
tarkin.fdt.net (209.212.128.45)

The worm tries to send mail to these mail servers.

> Thanks in Advance.
>
> ================
> Thomas M. Ferris
> IA - Incident Response
> NMCI San Diego NOC
> ================
>
>
> -----Original Message-----
> From: JKruser [mailto:jkruser@adelphia.net]
> Sent: Tuesday, September 18, 2001 10:07
> To: Pedro Miller Rabinovitch; forensics@securityfocus.com
> Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
> Subject: RE: New worm? 'readme.eml'
>
>
> I also see a very serious possibility of this worm interacting with the
> still prevalent Sircam virus. Nimda, when it infects, opens share drives on
> the infected PC... Sircam will scan for open shares on an internal network or
> cable subnet and infect the remote PC without user interaction. This could
> effectively increase the spread of Sircam exponentially and, due to the
> remailing capability of Sircam, could shut down mail servers in a short
> period of time.
>
> I have not verified this possibility but it sounds feasible.
>
> Claymore
> the unprofound
>
>
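As an added example that is not part of this thread, a defender-side script that checks firewall log lines for outbound SMTP to the seven mail servers listed in the reply above, so infected internal hosts can be found, and renders one egress block rule per server. The log line format and the `iptables` chain name are assumptions; the sample log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Set

# Mail servers named in the post; the worm tries to deliver mail to these.
NIMDA_SMTP_TARGETS: Dict[str, str] = {
    "161.148.173.118": "omega.serpro.gov.br",
    "167.216.133.33": "server1.sans.org",
    "61.135.144.88": "smtp.china.com",
    "200.250.58.156": "perninha.conectiva.com.br",
    "204.42.254.5": "phuck.nether.net",
    "212.69.101.252": "mx.ideal.ru",
    "209.212.128.45": "tarkin.fdt.net",
}

# Assumed (hypothetical) firewall log format: "<time> OUT <src_ip> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(r"^(\S+) OUT (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")

def find_suspect_hosts(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each internal source IP to the listed mail servers it tried to reach on TCP/25."""
    suspects: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _, src, dst, port, _ = m.groups()
        if port == "25" and dst in NIMDA_SMTP_TARGETS:
            suspects.setdefault(src, set()).add(NIMDA_SMTP_TARGETS[dst])
    return suspects

def egress_block_rules(chain: str = "OUTPUT") -> List[str]:
    """Render one iptables rule per listed server, rejecting outbound SMTP to it."""
    return [
        f"iptables -A {chain} -p tcp -d {ip} --dport 25 -j REJECT --reject-with tcp-reset  # {host}"
        for ip, host in NIMDA_SMTP_TARGETS.items()
    ]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2001-09-18T10:07:01 OUT 10.0.0.12 -> 161.148.173.118:25 ALLOW",
    "2001-09-18T10:07:02 OUT 10.0.0.12 -> 61.135.144.88:25 ALLOW",
    "2001-09-18T10:07:03 OUT 10.0.0.40 -> 192.0.2.10:25 ALLOW",    # relay not on the list
    "2001-09-18T10:07:04 OUT 10.0.0.55 -> 209.212.128.45:80 ALLOW",  # listed host, not SMTP
    "garbage line",
]

if __name__ == "__main__":
    for src, hosts in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{src} -> {', '.join(sorted(hosts))}")
    print("\n".join(egress_block_rules()))
```

Only `10.0.0.12` is reported for the sample log, since the other two connections miss either the destination list or port 25.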