Security Incidents mailing list archives
Nimda.amm: anecdotal symptoms
From: Justin Hahn <jeh () profitlogic com>
Date: Tue, 18 Sep 2001 13:55:12 -0400
A couple things I seem to be seeing: Infected hosts do what appears to be a netscan. Infected hosts produce an INSANE amount of ARP traffic. Also I'm keying on the following file searches: mmc.exe *.eml root.exe So far I seem to be finding the infected machines. Can anyone else out there confirm the ARP traffic correlation? ---- Justin Hahn ProfitLogic jhahn () profitlogic com 11 Cambridge Center Systems Administrator Cambridge, MA 02142 o: 617-218-1986 www.profitlogic.com m: 617-501-2743 f: 617-218-1901 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Nimda.amm: anecdotal symptoms Justin Hahn (Sep 18)