Re: nimda tries to send mail after reboot

["Paul Seaman" <paul.seaman () accesscomm ca>]

That particular host also was apparent in analyses of the QAZ trojan -
http://www.sans.org/infosecFAQ/malicious/QAZ3.htm

I would assume it's been long since disconnected from the network it was a
part of.  Could this worm have re-used code or is the writer that out of
touch with reality?

Paul

----- Original Message -----
From: "John Q. Public" <tpublic () dimensional com>
To: <incidents () securityfocus com>; <bugtraq () securityfocus com>
Sent: Tuesday, September 18, 2001 1:32 PM
Subject: Re: nimda tries to send mail after reboot


> here I go replying to myself again...
>
> we cannot get it to send mail to a dummy host we have built.  It connects
> and sits there.  if nimda is waiting for a particular response, it's not
> obvious in the strings of the binary.  (and not obvious to someone who
> fears assembly)
>
> one interesting point, however, the infected host immediately began
sending
> out arp requests to the /24 broadcast one at a time, about 3 seconds
between
> each request, from 1 all the way up.  it was keen enough to ignore itself.
> perhaps we'll set up some virtual interfaces on the gateway we've built
and
> see what it's trying to do.
>
> .nhoJ
>
> On Tue, 18 Sep 2001, John Q. Public wrote:
>
> |always to the same IP:  202.106.185.107
> |
> |sorry if it's been posted, but I haven't seen anything about that
particular
> |IP yet.
> |
> |the address appears unreachable (was hoping for an answer to identify
itself)
> |
> |.nhoJ
> |
> |__
> |
> |from APNIC:
> |
> |inetnum:     202.106.0.0 - 202.106.255.255
> |netname:     CHINANET-BJ
> |descr:       CHINANET Beijing province network
> |descr:       Data Communication Division
> |descr:       China Telecom
> |country:     CN
> |admin-c:     CH93-AP
> |tech-c:      SY21-AP
> |mnt-by:      MAINT-CHINANET
> |mnt-lower:   MAINT-CHINANET-BJ
> |changed:     hostmaster () ns chinanet cn net 20000101
> |source:      APNIC
> |
> |person:      Chinanet Hostmaster
> |address:     A12,Xin-Jie-Kou-Wai Street
> |country:     CN
> |phone:       +86-10-62370437
> |fax-no:      +86-10-62053995
> |e-mail:      hostmaster () ns chinanet cn net
> |nic-hdl:     CH93-AP
> |mnt-by:      MAINT-CHINANET
> |changed:     hostmaster () ns chinanet cn net 20000101
> |source:      APNIC
> |
> |person:      sun ying
> |address:     Beijing Telecommunication Administration
> |address:     TaiPingHu DongLi 18, Xicheng District
> |address:     Beijing 100031
> |country:     CN
> |phone:       +86-10-66198941
> |fax-no:      +86-10-68511003
> |e-mail:      suny () publicf bta net cn
> |nic-hdl:     SY21-AP
> |mnt-by:      MAINT-CHINANET-BJ
> |changed:     suny () publicf bta net cn 19980824
> |source:      APNIC
> |
> |
> |
|---------------------------------------------------------------------------
-
> |This list is provided by the SecurityFocus ARIS analyzer service.
> |For more information on this free incident handling, management
> |and tracking system please see: http://aris.securityfocus.com
> |
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com