Full Disclosure mailing list archives

Re: New Worm in the wild

From: malware () t-online de (Michael Mueller)
Date: Tue, 19 Aug 2003 17:35:15 +0200

Hi dbtrino,

you wrote:

we see a lot of ping traffic and have a lot of users who report of mails
with attachements ~74KB which have not been send by the 'sender'.


The ping traffic might be caused by a worm name W32/Nachi by NAI. See
http://vil.nai.com/vil/content/v_100559.htm .
It does use the DCOM RPC hole and a flaw in IIS/5.0 as reported in
http://www.securityfocus.com/bid/7735/info/

The mails match the report of W32/Sobig.f@MM, see
http://vil.nai.com/vil/content/v_100561.htm


Michael
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

New Worm in the wild dbtrino2 (Aug 19)
- Re: New Worm in the wild Andreas Gietl (Aug 19)
- Re: New Worm in the wild Andy (Aug 19)
- Re: New Worm in the wild Michael Mueller (Aug 19)
- Re: New Worm in the wild martin f krafft (Aug 19)
  - New Worm in the wild Geo. (Aug 19)
  - Re: Re: New Worm in the wild CHeeKY (Aug 19)
- <Possible follow-ups>
- RE: New Worm in the wild Johnson, Mark (Aug 19)
- Re: New Worm in the wild r1an (Aug 19)
- RE: New Worm in the wild Rainer Gerhards (Aug 19)