RE: nimda tries to send mail after reboot
From: Jim Forster (jforster@rapidnet.com)Date: 09/19/01
- Previous message: Jonathan Rickman: "RE: Nimda Probes Stopped"
- In reply to: Don Weber: "RE: nimda tries to send mail after reboot"
- Next in thread: Brett Glass: "Re: nimda tries to send mail after reboot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Sep 2001 20:47:20 -0600 (MDT) From: Jim Forster <jforster@rapidnet.com> To: Don Weber <Don@AirLink.com> Subject: RE: nimda tries to send mail after reboot Message-ID: <Pine.BSF.4.21.0109182042480.76774-100000@rapidnet.com>
I got a few copies of this worm (via e-mail) this afternoon.
Sadly, someone else in the office did as well (or hit an infected site).
It's going to be a long week....
Side Note: The 'client fix' posted to a few lists earlier does not work.
There are changes made to wordpad that don't go away, and it still
attempts to call them when running it. (The riched20.dll)
I've got one test box up now I'm working with - in hopes there is a
cleaner for the client systems soon.
<The shared directory on this box was FULL of copies of the worm>
Jim Forster
Network Administrator
RapidNet, A Golden West Company
-------------------------------
On Tue, 18 Sep 2001, Don Weber wrote:
> I personally have rcvd it twice today, and a number of people in my company
> have rcvd it at least once, both times i rcvd it, it was from a dif email
> address
>
> Don
>
>
> -----Original Message-----
> From: Brett Glass [mailto:brett@lariat.org]
> Sent: Tuesday, September 18, 2001 3:40 PM
> To: John Q. Public; incidents@securityfocus.com;
> bugtraq@securityfocus.com
> Subject: Re: nimda tries to send mail after reboot
>
>
> We have a filter on our e-mail server; it's designed to catch
> attachments with (among other things) the name "readme.exe".
> (We actually had this in place before Nimda/Code Rainbow
> began to run rampant; another worm sends an attachment with
> the same name.)
>
> So far, we haven't caught a single Code Rainbow/Nimda e-mail.
> This is odd, because we are constantly receiving (and blocking)
> other e-mail worms.
>
> Has anyone received Nimda/Code Rainbow in the mail? Is it possible
> that the worm's e-mailing code is broken? (I sure hope so.)
>
> --Brett
>
> At 01:32 PM 9/18/2001, John Q. Public wrote:
>
> >here I go replying to myself again...
> >
> >we cannot get it to send mail to a dummy host we have built. It connects
> >and sits there. if nimda is waiting for a particular response, it's not
> >obvious in the strings of the binary. (and not obvious to someone who
> >fears assembly)
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Jonathan Rickman: "RE: Nimda Probes Stopped"
- In reply to: Don Weber: "RE: nimda tries to send mail after reboot"
- Next in thread: Brett Glass: "Re: nimda tries to send mail after reboot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
