Security Incidents mailing list archives

Re: nimda tries to send mail after reboot


From: "John Q. Public" <tpublic () dimensional com>
Date: Tue, 18 Sep 2001 16:52:49 -0600 (MDT)

Actually, I have a theory that this wasn't intended to travel via email by
itself.  At least I have not seen any of our infected test boxes send any
email out.  I believe the intent of the *.eml files is to take advantage of
Outlook's autoexecute "features", but I'm not sure why that is being used
locally.  You'd think keeping them all .exe would be sufficient.

.nhoJ

On Tue, 18 Sep 2001, Brett Glass wrote:

|Date: Tue, 18 Sep 2001 16:40:08 -0600
|From: Brett Glass <brett () lariat org>
|To: John Q. Public <tpublic () dimensional com>, incidents () securityfocus com,
|     bugtraq () securityfocus com
|Subject: Re: nimda tries to send mail after reboot
|
|We have a filter on our e-mail server; it's designed to catch
|attachments with (among other things) the name "readme.exe".
|(We actually had this in place before Nimda/Code Rainbow
|began to run rampant; another worm sends an attachment with
|the same name.)
|
|So far, we haven't caught a single Code Rainbow/Nimda e-mail.
|This is odd, because we are constantly receiving (and blocking)
|other e-mail worms.
|
|Has anyone received Nimda/Code Rainbow in the mail? Is it possible 
|that the worm's e-mailing code is broken? (I sure hope so.)
|
|--Brett
|
|At 01:32 PM 9/18/2001, John Q. Public wrote:
|  
|>Here I go replying to myself again...
|>
|>We cannot get it to send mail to a dummy host we have built.  It connects
|>and sits there.  If Nimda is waiting for a particular response, it's not
|>obvious in the strings of the binary.  (And not obvious to someone who
|>fears assembly.)
|
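
As an added illustration (not code from this thread or from either poster), a minimal attachment filter of the kind Brett describes: it walks every MIME part, including messages nested as .eml attachments, and reports parts named readme.exe. The sample message, the case-insensitive match and the rule that also flags .eml attachments are constructed assumptions.

```python
# Added example: attachment-name filter in the spirit of the thread's
# "readme.exe" rule.  Not the poster's filter; all names below are assumed.
import email
from email import policy

BLOCKED_NAMES = {"readme.exe"}   # name from the thread
BLOCKED_EXTS = {".eml"}          # assumption: Nimda-style .eml droppers


def flagged_attachments(raw: bytes) -> list:
    """Return filenames of attachments that match the block list.

    walk() descends into message/rfc822 containers, so a blocked file
    carried inside an attached .eml is still reported.  Matching is
    case-insensitive, because filename case is attacker-controlled.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if lower in BLOCKED_NAMES or any(lower.endswith(e) for e in BLOCKED_EXTS):
            hits.append(name)
    return hits


# Constructed sample: an outer message carrying a .eml attachment that in
# turn carries an upper-cased README.EXE (payload is a harmless 4-byte stub).
SAMPLE = b"""From: sender@example.test
To: victim@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

body text
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="notes.eml"

From: sender@example.test
Subject: nested
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

nested body
--inner
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVqQAA==
--inner--
--outer--
"""

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE))  # ['notes.eml', 'README.EXE']
```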


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

