Snort mailing list archives

Re: Nimda in action


From: "Travis Farmer" <travis5765 () hotmail com>
Date: Wed, 19 Sep 2001 12:12:03 -0400

Ahh, now I see why my replies were not getting to the group.
The TO was sending my reply directly to Franki (sorry for filling your inbox).

Anyway, I thought I may have been infected but now I'm not sure.
When I went to the page, it autoloaded readme.eml.
Strangely though, it tried to "play" it with Windows Media Player, which responded with "invalid media file". I can only assume it stopped processing the file at that point.

To be on the safe side though, I have checked and re-checked my system to compare it to the system changes noted in the Symantec report.
I don't seem to match any of them. At this moment anyway.

I have a copy of the worm stored on a Linux system in case any of you want a copy for study. It was found in my Internet temp folder.


A look at the file with Pico (the text editor packaged with Pine) shows it really is an email file (Windows saves emails as *.eml).
The top of the file is as follows:
-----------------------
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

<snip good old base64 encoded worm>

--====_ABC1234567890DEF_====

-----------------------

Header stuff was preceded with a ">" because the snort-users mail server thought the text was an actual attachment header. Needless to say, I got a message back from the server.

~Travis

From: "Franki" <frankieh () vianet net au>
Reply-To: <frankieh () vianet net au>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Nimda in action
Date: Wed, 19 Sep 2001 19:39:43 +0800
MIME-Version: 1.0
Received: from [216.136.171.252] by hotmail.com (3.2) with ESMTP id MHotMailBD71D20C006340042A18D888ABFCF0F20; Wed, 19 Sep 2001 04:52:45 -0700
Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net) by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 15jfpl-0006BE-00; Wed, 19 Sep 2001 04:48:05 -0700
Received: from [202.165.70.4] (helo=freddie.vianet.net.au) by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 15jfpO-00066y-00 for <snort-users () lists sourceforge net>; Wed, 19 Sep 2001 04:47:42 -0700
Received: from laptop (per2-46.vianet.net.au [202.165.72.174]) by freddie.vianet.net.au (8.9.3/8.9.2) with SMTP id TAA08104 for <snort-users () lists sourceforge net>; Wed, 19 Sep 2001 19:47:37 +0800
From snort-users-admin () lists sourceforge net Wed, 19 Sep 2001 04:53:48 -0700
Message-ID: <MCEKJDCFAKOIACBMPEICOEIKEEAA.frankieh () vianet net au>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <a05100300b7ce249dea7f@[193.63.251.24]>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: snort-users-admin () lists sourceforge net
Errors-To: snort-users-admin () lists sourceforge net
X-BeenThere: snort-users () lists sourceforge net
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Help: <mailto:snort-users-request () lists sourceforge net?subject=help>
List-Post: <mailto:snort-users () lists sourceforge net>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request () lists sourceforge net?subject=subscribe>
List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request () lists sourceforge net?subject=unsubscribe>
List-Archive: <https://lists.sourceforge.net/archives//snort-users/>
X-Original-Date: Wed, 19 Sep 2001 19:39:43 +0800


If anyone wants to see Nimda in action (and you haven't already),

try going to this site:

http://203-236-233-27.rev.nextel.co.kr/

Whatever you do, don't run the readme.exe file... (assuming you are on
Windows.)

rgds

Frank


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




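As an added example (not Travis's code or anything posted in this thread), the Python below parses a message with the layout quoted above and flags the two traits Travis points out: a part named readme.exe but declared as audio/x-wav, and a hidden iframe whose cid: reference pulls that part in. The sample message is constructed to mirror the quoted structure, with a placeholder base64 body in place of the worm.

```python
import email
import re
from email import policy

# Constructed sample with the same MIME layout as the quoted readme.eml;
# the base64 body is a harmless placeholder, not the worm.
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

UExBQ0VIT0xERVI=
--====_ABC1234567890DEF_====--
"""

# Executable extensions that should never sit behind a media Content-Type.
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
CID_IFRAME = re.compile(r'<iframe[^>]*src=["\']?cid:([^"\'\s>]+)', re.I)


def find_hidden_executables(raw):
    """Return findings such as 'audio/x-wav readme.exe (auto-loaded via iframe)'."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()  # Content-IDs pulled in by iframes in any HTML part
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable, so =3D becomes =
            referenced.update(CID_IFRAME.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()  # falls back to name= param
        if name.endswith(EXEC_EXT):
            cid = (part.get("Content-ID") or "").strip("<>")
            how = "auto-loaded via iframe" if cid in referenced else "attached"
            findings.append(f"{part.get_content_type()} {name} ({how})")
    return findings
```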

