Security Incidents mailing list archives

RE: nimda tries to send mail after reboot


From: "Don Weber" <Don () AirLink com>
Date: Tue, 18 Sep 2001 18:29:51 -0700

I personally have received it twice today, and a number of people in my company
have received it at least once. Both times I received it, it was from a different e-mail
address.

Don


-----Original Message-----
From: Brett Glass [mailto:brett () lariat org]
Sent: Tuesday, September 18, 2001 3:40 PM
To: John Q. Public; incidents () securityfocus com;
bugtraq () securityfocus com
Subject: Re: nimda tries to send mail after reboot


We have a filter on our e-mail server; it's designed to catch
attachments with (among other things) the name "readme.exe".
(We actually had this in place before Nimda/Code Rainbow
began to run rampant; another worm sends an attachment with
the same name.)

So far, we haven't caught a single Code Rainbow/Nimda e-mail.
This is odd, because we are constantly receiving (and blocking)
other e-mail worms.

Has anyone received Nimda/Code Rainbow in the mail? Is it possible
that the worm's e-mailing code is broken? (I sure hope so.)

--Brett

At 01:32 PM 9/18/2001, John Q. Public wrote:

Here I go replying to myself again...

We cannot get it to send mail to a dummy host we have built.  It connects
and sits there.  If Nimda is waiting for a particular response, it's not
obvious in the strings of the binary.  (And not obvious to someone who
fears assembly.)
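The attachment-name filter Brett describes above, written out as an added example (not code from the list or from any poster): it walks every MIME part of a message and flags any whose declared filename is on a block list. The block list, the name normalisation and the two constructed sample messages are assumptions for illustration; `get_filename()` is used because it consults both the Content-Disposition `filename=` and the Content-Type `name=` parameter, so a part that declares no disposition at all is still checked.

```python
import email
from email import policy

# Attachment filenames this filter refuses; "readme.exe" is the name from the thread.
BLOCKED_NAMES = {"readme.exe"}


def normalise_name(name: str) -> str:
    """Reduce a declared attachment filename to a comparable form.

    Drops any path prefix (some clients send 'C:\\temp\\readme.exe'), trailing
    spaces or dots, and folds case, so 'README.EXE ' still matches 'readme.exe'.
    """
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def find_blocked_attachments(raw: bytes) -> list[str]:
    """Return the declared filenames of all parts whose name is block-listed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        filename = part.get_filename()   # Content-Disposition filename= or Content-Type name=
        if filename and normalise_name(filename) in BLOCKED_NAMES:
            hits.append(filename)
    return hits


# Constructed sample: the attachment part has only a Content-Type name= parameter
# and no Content-Disposition header, so a filter that read only the latter would miss it.
SAMPLE_RAW = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body text
--b1
Content-Type: application/octet-stream; name="README.EXE"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""

# Constructed sample with a harmless attachment name, to show the filter stays quiet.
CLEAN_RAW = SAMPLE_RAW.replace(b'name="README.EXE"', b'name="readme.txt"')
```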


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

