Re: New worm? 'readme.eml'
From: Naseer Bhatti (firstname.lastname@example.org)
Message-ID: <00fe01c14089$640aa140$903487cb@z2m8v2>
From: "Naseer Bhatti" <email@example.com>
To: "Ferris, Thomas M" <Thomas.Ferris@nmci-isf.com>, <firstname.lastname@example.org>
Subject: Re: New worm? 'readme.eml'
Date: Wed, 19 Sep 2001 02:32:11 +0500
> What would be a good solution for this, or is there an exact plan of
> attack to defend against this?
Yes, stop the outgoing SMTP connections to the following mail servers:
server1.sans.org (18.104.22.168)
The worm tries to send mail to these mail servers.
> Thanks in Advance.
> Thomas M. Ferris
> IA - Incident Response
> NMCI San Diego NOC
> -----Original Message-----
> From: JKruser [mailto:email@example.com]
> Sent: Tuesday, September 18, 2001 10:07
> To: Pedro Miller Rabinovitch; firstname.lastname@example.org
> Cc: email@example.com; firstname.lastname@example.org
> Subject: RE: New worm? 'readme.eml'
> I also see a very serious possibility of this worm interacting with the
> still prevalent Sircam virus. Nimda, when it infects, opens share drives on
> the infected PC... Sircam will scan for open shares on an internal network or
> cable subnet and infect the remote PC without user interaction. This
> effectively increases the spread of Sircam exponentially and, due to the
> remailing capability of Sircam, could shut down mail servers in a short
> period of time.
> I have not verified this possibility but it sounds feasible.
> the unprofound
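The reply above recommends blocking outbound SMTP to the mail server the worm targets. The following is an added example, not code from the list or from any of the posters, showing how a defender would both express that egress policy and check perimeter logs for hosts that are trying to reach port 25 anyway. It assumes netfilter-style kernel LOG lines (the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields), a hypothetical allowlisted internal relay 10.0.0.25, and a constructed set of sample log lines; the blocked address 18.104.22.168 is the one named in the reply.

```python
import re
from collections import defaultdict

# Destination named in the reply above: the mail server the worm tries to reach.
BLOCKED_SMTP_TARGETS = {"18.104.22.168"}

# Hypothetical: the only internal hosts that should ever speak SMTP outbound.
# Everything else sending to TCP/25 is either a worm or a misconfiguration.
ALLOWED_RELAYS = {"10.0.0.25"}

# Fields of a netfilter LOG entry in the order the kernel writes them.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def egress_rules(targets=BLOCKED_SMTP_TARGETS, relays=ALLOWED_RELAYS):
    """Render iptables rules (as strings, not executed) that implement the
    advice in the reply: drop outbound TCP/25 to the worm's mail server, then
    allow only the approved relays to originate SMTP at all, logging the rest."""
    rules = []
    for dst in sorted(targets):
        rules.append(f"iptables -A FORWARD -p tcp --dport 25 -d {dst} -j DROP")
    for src in sorted(relays):
        rules.append(f"iptables -A FORWARD -p tcp --dport 25 -s {src} -j ACCEPT")
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix 'SMTP-EGRESS '")
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j DROP")
    return rules


def parse_line(line):
    """Extract the tuple we care about from one LOG line; None if it is not a
    TCP/UDP entry (ICMP lines carry no SPT/DPT and are skipped)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def find_smtp_offenders(lines, targets=BLOCKED_SMTP_TARGETS, relays=ALLOWED_RELAYS):
    """Return {source_ip: {destination_ip, ...}} for every outbound TCP/25
    attempt that violates policy: aimed at a blocked target, or originating
    from a host that is not an approved relay. A hit against a blocked target
    from an otherwise-approved relay is still reported, since it suggests the
    relay itself is compromised."""
    offenders = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        if rec["dst"] in targets or rec["src"] not in relays:
            offenders[rec["src"]].add(rec["dst"])
    return dict(offenders)


# Constructed sample log lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "Sep 19 02:40:11 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=18.104.22.168 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=1034 DPT=25 WINDOW=8192 SYN",
    "Sep 19 02:40:12 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.5 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2201 DF PROTO=TCP SPT=40110 DPT=25 WINDOW=5840 SYN",
    "Sep 19 02:40:13 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=18.104.22.168 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2202 DF PROTO=TCP SPT=40111 DPT=25 WINDOW=5840 SYN",
    "Sep 19 02:40:14 gw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.9 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1235 DF PROTO=TCP SPT=1035 DPT=80 WINDOW=8192 SYN",
    "Sep 19 02:40:15 gw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.8 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1236 PROTO=UDP SPT=1036 DPT=25 LEN=40",
    "Sep 19 02:40:16 gw kernel: ICMP-OUT IN=eth1 OUT=eth0 SRC=10.0.3.18 DST=203.0.113.7 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1237 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
]

if __name__ == "__main__":
    for rule in egress_rules():
        print(rule)
    for src, dsts in sorted(find_smtp_offenders(SAMPLE_LOG).items()):
        print(f"{src} attempted SMTP to {', '.join(sorted(dsts))}")
```

Running the script prints the rule set and then the two hosts that tried to reach port 25 in violation of the policy: the workstation 10.0.3.17 (not a relay, and aimed at the worm's target) and the relay 10.0.0.25 for its attempt against the blocked server only; its delivery to 203.0.113.5 is legitimate and not reported.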