Snort mailing list archives

Re: Cyberkit signature


From: Andrew.Patrick () kemperservices com
Date: Fri, 22 Aug 2003 15:59:17 -0500


Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 byte
payload of "a"'s.

Nachi sends out ICMP Type 8, Code 0 packets (echo request).  Clients that
answer it will be sending ICMP Type 0, Code 0 (echo reply).  These replies
WILL also have the string of "aaaaaaa" in the payload, but seeing a reply
does not prove that the system replying is infected.  Try to filter on the
ICMP Type 8, Code 0 combo AND the "aaaaaa"s in the content...

Andy Patrick, GCIA, CCNA
Sr. Info. Security Analyst
x3621
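
The filter suggested in the message above, as an added Python example that is not part of the original post: it flags only ICMP Type 8, Code 0 packets carrying the 64-byte payload of "a"s, and keeps Type 0 replies with the same payload in a separate class so the replying host is not counted as infected. The addresses and the names `classify`, `build` and `suspect_sources` are constructed for illustration, and the fill byte is assumed to be ASCII "a" as the post writes it.

```python
import struct

PAYLOAD_LEN = 64   # ICMP payload size from the post (20 IP + 8 ICMP + 64 = 92)
FILL = ord("a")    # assumption: fill byte is ASCII 'a' as written in the post


def classify(packet: bytes, fill: int = FILL) -> str:
    """Classify one raw IPv4 packet as 'probe', 'reply-to-probe' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or total_len > len(packet) or total_len < ihl + 8:
        return "other"                 # bad header, not ICMP, or truncated
    icmp = packet[ihl:total_len]
    payload = icmp[8:]                 # skip type, code, checksum, id, sequence
    if payload != bytes([fill]) * PAYLOAD_LEN:
        return "other"
    if (icmp[0], icmp[1]) == (8, 0):
        return "probe"                 # echo request: the sender is the suspect
    if (icmp[0], icmp[1]) == (0, 0):
        return "reply-to-probe"        # echo reply: the sender only answered
    return "other"


def suspect_sources(packets) -> set:
    """Source addresses that sent the probe; hosts that replied are excluded."""
    return {".".join(map(str, p[12:16])) for p in packets if classify(p) == "probe"}


def build(icmp_type: int, payload: bytes, src="192.0.2.10", dst="192.0.2.20") -> bytes:
    """Constructed IPv4+ICMP packet for the samples (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


# Constructed sample traffic (documentation addresses, not real captures)
SAMPLES = [
    build(8, b"a" * 64),                                          # probe
    build(0, b"a" * 64, src="192.0.2.20", dst="192.0.2.10"),      # its reply
    build(8, b"abcdefghijklmnopqrstuvwabcdefghi", src="192.0.2.30"),  # other ping
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(".".join(map(str, pkt[12:16])), classify(pkt))
    print("suspects:", suspect_sources(SAMPLES))
```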