Snort mailing list archives

Re: hmm...nimda RICHED20.DLL alarms

From: Roberto Suarez Soto <robe () alfa21 com>
Date: Tue, 22 Jan 2002 09:39:24 +0100

On Jan/22, fluid wrote:

i am getting some of these every day from work (seemingly when users are
running Office applications). It is the same set of machines every
day...always attacking the same destination server. scans of the server are
picking up nothing with any antivirus package i find, and the same is true
of the workstations.


        I've seen these too. They seem to appear in inofensive and
well-checked networks. I've seen a few nimda .nws and nimda .eml alerts too,
from the same hosts that the RICHED20.DLL came; they all have been checked for
virus, and none was found.

        So, if someone knows something about this, I'm pretty much interested
too :-)

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

hmm...nimda RICHED20.DLL alarms fluid (Jan 21)
- Re: hmm...nimda RICHED20.DLL alarms Roberto Suarez Soto (Jan 22)
  - Re: hmm...nimda RICHED20.DLL alarms Guillaume (Jan 22)
- Re: hmm...nimda RICHED20.DLL alarms Rich Adamson (Jan 22)
- <Possible follow-ups>
- Re: hmm...nimda RICHED20.DLL alarms Ryan Drogo (Jan 22)
- RE: Re: hmm...nimda RICHED20.DLL alarms Ronneil Camara (Jan 22)
  - How to unsubscribe? Densin Roy. (Jan 24)
    - Re: How to unsubscribe? Edwin Eefting (Jan 24)
    - Re: How to unsubscribe? Densin Roy. (Jan 24)
    - Re: How to unsubscribe? Matt Kettler (Jan 24)