RE: New worm? 'readme.eml'
From: Dave Elfering (elfering@wernerlogistics.com)
Date: 09/19/01
- Previous message: Naseer Bhatti: "Re: New worm? 'readme.eml'"
- Maybe in reply to: JKruser: "RE: New worm? 'readme.eml'"
- Next in thread: Duane Waddle: "RE: New worm? 'readme.eml'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <CCAC4B1F2669D41185880050DAC83F41B25E5C@WLS-EXMB2>
From: Dave Elfering <elfering@wernerlogistics.com>
To: focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'
Date: Tue, 18 Sep 2001 20:55:44 -0500
When I infected my little VMWare test box, it seemed to be trying to also go to 227.1.116.127 and 239.119.219.117.
This is very odd since those are multicast addresses. Anyone else seeing this?
-David
-----Original Message-----
From: Naseer Bhatti [mailto:naseer@fibre.net.pk]
Sent: Tuesday, September 18, 2001 2:32 PM
To: Ferris, Thomas M; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: Re: New worm? 'readme.eml'
> What would be a good solution for this, or is there an exact plan of
> attack to defend against this?
Yes, stop the outgoing SMTP connections to the following mail servers:
omega.serpro.gov.br (161.148.173.118)
server1.sans.org (167.216.133.33)
smtp.china.com (61.135.144.88)
perninha.conectiva.com.br (200.250.58.156)
phuck.nether.net (204.42.254.5)
mx.ideal.ru (212.69.101.252)
tarkin.fdt.net (209.212.128.45)
The worm tries to send mail to these mail servers.
> Thanks in Advance.
>
> ================
> Thomas M. Ferris
> IA - Incident Response
> NMCI San Diego NOC
> ================
>
>
> -----Original Message-----
> From: JKruser [mailto:jkruser@adelphia.net]
> Sent: Tuesday, September 18, 2001 10:07
> To: Pedro Miller Rabinovitch; forensics@securityfocus.com
> Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
> Subject: RE: New worm? 'readme.eml'
>
>
> I also see a very serious possibility of this worm interacting with the
> still prevalent Sircam virus. Nimda, when it infects, opens share drives
> on the infected PC... Sircam will scan for open shares on an internal
> network or cable subnet and infect the remote PC without user interaction.
> This could effectively increase the spread of Sircam exponentially and,
> due to the remailing capability of Sircam, could shut down mail servers
> in a short period of time.
>
> I have not verified this possibility but it sounds feasible.
>
> Claymore
> the unprofound
>
>
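The two observations in this thread (a test box opening connections to multicast addresses, and the worm's SMTP connections to a fixed set of relays) can be turned into a quick triage check over outbound connection records. The following is an added example, not code from anyone in the thread; the key=value log layout and the sample records are constructed for the illustration, while the relay IPs and the two multicast addresses come from the messages above.

```python
"""Triage outbound connection records for the two Nimda indicators discussed
in the thread: attempts to reach multicast destinations and SMTP connections
to the mail relays the worm was seen targeting.

Added example, not code from the thread. The key=value log layout below is
an assumption made for this illustration."""

import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Mail relays listed by Naseer Bhatti in the thread (hostname in comments).
NIMDA_RELAY_IPS = {
    "161.148.173.118",  # omega.serpro.gov.br
    "167.216.133.33",   # server1.sans.org
    "61.135.144.88",    # smtp.china.com
    "200.250.58.156",   # perninha.conectiva.com.br
    "204.42.254.5",     # phuck.nether.net
    "212.69.101.252",   # mx.ideal.ru
    "209.212.128.45",   # tarkin.fdt.net
}

# IPv4 multicast range; 227.1.116.127 and 239.119.219.117 from the thread
# both fall inside it. A host opening TCP sessions to these addresses is
# behaving abnormally, whatever the port.
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")

SMTP_PORT = 25


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    reason: str


def parse_record(line: str) -> dict:
    """Parse one 'key=value key=value' record (constructed format)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def reasons_for(dst: str, dport: int) -> list:
    """Return the indicator names that apply to one outbound connection."""
    reasons = []
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return ["unparseable-destination"]
    if addr.version == 4 and addr in MULTICAST_V4:
        reasons.append("multicast-destination")
    if dport == SMTP_PORT and dst in NIMDA_RELAY_IPS:
        reasons.append("smtp-to-listed-relay")
    return reasons


def triage(lines) -> list:
    """Return a Finding for every indicator hit in the given records."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if "src" not in rec or "dst" not in rec:
            continue  # skip records that do not describe a connection
        dport = int(rec.get("dport", 0))
        for reason in reasons_for(rec["dst"], dport):
            findings.append(Finding(rec["src"], rec["dst"], dport, reason))
    return findings


def suspect_hosts(findings) -> dict:
    """Group indicator names by source host so the responder can see which
    internal machines show the pattern and how many distinct indicators."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f.src].add(f.reason)
    return {src: sorted(reasons) for src, reasons in by_src.items()}


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "src=10.1.1.20 dst=227.1.116.127 dport=25 proto=tcp",
    "src=10.1.1.20 dst=239.119.219.117 dport=25 proto=tcp",
    "src=10.1.1.20 dst=167.216.133.33 dport=25 proto=tcp",
    "src=10.1.1.31 dst=10.1.1.1 dport=53 proto=udp",
    "src=10.1.1.31 dst=204.42.254.5 dport=80 proto=tcp",  # port 80, not SMTP
    "src=10.1.1.42 dst=212.69.101.252 dport=25 proto=tcp",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.src} -> {h.dst}:{h.dport}  {h.reason}")
    print(suspect_hosts(hits))
```

The multicast check is deliberately independent of the relay list: a blocklist of seven addresses covers only the relays known on the day, whereas an internal host initiating unicast TCP sessions into 224.0.0.0/4 is odd regardless of which worm is responsible, so it is worth alerting on by itself. Egress filtering of port 25 from workstations to anything other than the site's own mail relay removes the need to maintain such a list at all.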