Security Incidents mailing list archives

Nimda.amm: anecdotal symptoms


From: Justin Hahn <jeh () profitlogic com>
Date: Tue, 18 Sep 2001 13:55:12 -0400

A couple things I seem to be seeing:

Infected hosts do what appears to be a netscan. Infected hosts produce an
INSANE amount of ARP traffic. Also I'm keying on the following file
searches:

mmc.exe
*.eml
root.exe

So far I seem to be finding the infected machines. Can anyone else out there
confirm the ARP traffic correlation?

----
Justin Hahn              ProfitLogic
jhahn () profitlogic com    11 Cambridge Center
Systems Administrator    Cambridge, MA 02142
o: 617-218-1986          www.profitlogic.com
m: 617-501-2743
f: 617-218-1901
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
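
An added example, not part of the original post: one way to check the ARP correlation asked about above is to count how many distinct addresses each host sends ARP requests for in a capture, since a host sweeping its subnet asks for far more neighbours than a normal client. It assumes tcpdump's one-line text output; the sample lines, the addresses and the `min_targets` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump text lines such as:
#   13:55:01.000000 ARP, Request who-has 10.1.1.5 tell 10.1.1.77, length 28
# The target may be followed by a MAC in parentheses; ARP replies are ignored.
ARP_REQ = re.compile(r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?),")


def arp_fanout(lines):
    """Map each requesting IP to the set of distinct IPs it asked for."""
    targets = defaultdict(set)
    for line in lines:
        m = ARP_REQ.search(line)
        if m:
            targets[m.group(2)].add(m.group(1))
    return targets


def suspected_scanners(lines, min_targets=30):
    """Return (ip, distinct_target_count) for hosts at or above the threshold.

    min_targets is an assumed cut-off; tune it to the subnet size and to the
    length of the capture window.
    """
    hits = [(ip, len(t)) for ip, t in arp_fanout(lines).items()
            if len(t) >= min_targets]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def build_sample():
    """Constructed capture: one sweeping host (10.1.1.77) and two quiet ones."""
    lines = [
        f"13:55:{i % 60:02d}.000000 ARP, Request who-has 10.1.1.{i} "
        f"tell 10.1.1.77, length 28"
        for i in range(1, 61)
    ]
    lines += ["13:55:10.000000 ARP, Request who-has 10.1.1.1 "
              "tell 10.1.1.20, length 28"] * 5
    lines += ["13:55:11.000000 ARP, Reply 10.1.1.1 is-at 00:11:22:33:44:55, "
              "length 28"]
    lines += ["13:55:12.000000 ARP, Request who-has 10.1.1.1 "
              "(ff:ff:ff:ff:ff:ff) tell 10.1.1.21, length 28",
              "13:55:13.000000 ARP, Request who-has 10.1.1.9 "
              "tell 10.1.1.21, length 28"]
    return lines


if __name__ == "__main__":
    for ip, count in suspected_scanners(build_sample()):
        print(f"{ip} sent ARP requests for {count} distinct addresses")
```

Hosts flagged this way are candidates to check against the file searches listed in the post.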

