RE: nimda tries to send mail after reboot

From: Jim Forster (jforster@rapidnet.com)
Date: 09/19/01


Date: Tue, 18 Sep 2001 20:47:20 -0600 (MDT)
From: Jim Forster <jforster@rapidnet.com>
To: Don Weber <Don@AirLink.com>
Subject: RE: nimda tries to send mail after reboot
Message-ID: <Pine.BSF.4.21.0109182042480.76774-100000@rapidnet.com>

I got a few copies of this worm (via e-mail) this afternoon.
Sadly, someone else in the office did as well (or hit an infected site).
It's going to be a long week....

Side Note: The 'client fix' posted to a few lists earlier does not work.
There are changes made to wordpad that don't go away, and it still
attempts to call them when running it. (The riched20.dll)
I've got one test box up now I'm working with - in hopes there is a
cleaner for the client systems soon.
<The shared directory on this box was FULL of copies of the worm>

Jim Forster
Network Administrator
RapidNet, A Golden West Company
-------------------------------

On Tue, 18 Sep 2001, Don Weber wrote:

> I personally have received it twice today, and a number of people in my company
> have received it at least once. Both times I received it, it was from a different
> email address.
>
> Don
>
>
> -----Original Message-----
> From: Brett Glass [mailto:brett@lariat.org]
> Sent: Tuesday, September 18, 2001 3:40 PM
> To: John Q. Public; incidents@securityfocus.com;
> bugtraq@securityfocus.com
> Subject: Re: nimda tries to send mail after reboot
>
>
> We have a filter on our e-mail server; it's designed to catch
> attachments with (among other things) the name "readme.exe".
> (We actually had this in place before Nimda/Code Rainbow
> began to run rampant; another worm sends an attachment with
> the same name.)
>
> So far, we haven't caught a single Code Rainbow/Nimda e-mail.
> This is odd, because we are constantly receiving (and blocking)
> other e-mail worms.
>
> Has anyone received Nimda/Code Rainbow in the mail? Is it possible
> that the worm's e-mailing code is broken? (I sure hope so.)
>
> --Brett
>
> At 01:32 PM 9/18/2001, John Q. Public wrote:
>
> >Here I go replying to myself again...
> >
> >We cannot get it to send mail to a dummy host we have built. It connects
> >and sits there. If Nimda is waiting for a particular response, it's not
> >obvious in the strings of the binary (and not obvious to someone who
> >fears assembly).
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

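Brett's filter in the quoted message keys on the attachment name "readme.exe". The following is an added example, not code from any poster or from the list: a Python function that parses a raw message and returns the attachment names that are on a blocklist, taking the name from either the Content-Disposition filename= parameter or the Content-Type name= parameter and matching case-insensitively. The sample messages, addresses and headers are constructed.

```python
import email
from email import policy

# Attachment names the thread's filter keys on; matched case-insensitively.
BLOCKED_NAMES = {"readme.exe"}

def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the blocklisted attachment names found in a raw RFC 822 message.
    get_filename() reads Content-Disposition filename= and falls back to the
    Content-Type name= parameter, so either placement of the name is caught."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no filename of their own
        name = part.get_filename()
        if name and name.strip().lower() in BLOCKED_NAMES:
            hits.append(name)
    return hits

def sample_message(attachment_headers: str) -> bytes:
    """Constructed two-part test message (not a captured Nimda mail)."""
    return (
        "From: sender@example.invalid\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f"--b1\r\n{attachment_headers}\r\n\r\nTVo=\r\n--b1--\r\n"
    ).encode()

# Name given only in Content-Type, only in Content-Disposition, and a clean mail.
BY_CONTENT_TYPE = sample_message('Content-Type: application/octet-stream; name="README.EXE"')
BY_DISPOSITION = sample_message(
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="readme.exe"'
)
CLEAN = sample_message('Content-Type: application/octet-stream; name="report.pdf"')

if __name__ == "__main__":
    for label, m in [("ctype", BY_CONTENT_TYPE), ("disp", BY_DISPOSITION), ("clean", CLEAN)]:
        print(label, blocked_attachments(m))
```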