Security Incidents mailing list archives
RE: nimda tries to send mail after reboot
From: Jim Forster <jforster () rapidnet com>
Date: Tue, 18 Sep 2001 20:47:20 -0600 (MDT)
I got a few copies of this worm (via e-mail) this afternoon. Sadly, someone else in the office did as well (or hit an infected site). It's going to be a long week.... Side Note: The 'client fix' posted to a few lists earlier does not work. There are changes made to wordpad that don't go away, and it still attempts to call them when running it. (The riched20.dll) I've got one test box up now I'm working with - in hopes there is a cleaner for the client systems soon. <The shared directory on this box was FULL of copies of the worm> Jim Forster Network Administrator RapidNet, A Golden West Company ------------------------------- On Tue, 18 Sep 2001, Don Weber wrote:
I personally have rcvd it twice today, and a number of people in my company have rcvd it at least once, both times i rcvd it, it was from a dif email address Don -----Original Message----- From: Brett Glass [mailto:brett () lariat org] Sent: Tuesday, September 18, 2001 3:40 PM To: John Q. Public; incidents () securityfocus com; bugtraq () securityfocus com Subject: Re: nimda tries to send mail after reboot We have a filter on our e-mail server; it's designed to catch attachments with (among other things) the name "readme.exe". (We actually had this in place before Nimda/Code Rainbow began to run rampant; another worm sends an attachment with the same name.) So far, we haven't caught a single Code Rainbow/Nimda e-mail. This is odd, because we are constantly receiving (and blocking) other e-mail worms. Has anyone received Nimda/Code Rainbow in the mail? Is it possible that the worm's e-mailing code is broken? (I sure hope so.) --Brett At 01:32 PM 9/18/2001, John Q. Public wrote:here I go replying to myself again... we cannot get it to send mail to a dummy host we have built. It connects and sits there. if nimda is waiting for a particular response, it's not obvious in the strings of the binary. (and not obvious to someone who fears assembly)---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- nimda tries to send mail after reboot John Q. Public (Sep 18)
- Re: nimda tries to send mail after reboot John Q. Public (Sep 18)
- Re: nimda tries to send mail after reboot Paul Seaman (Sep 18)
- Message not available
- Re: nimda tries to send mail after reboot Brett Glass (Sep 18)
- Re: nimda tries to send mail after reboot John Q. Public (Sep 18)
- RE: nimda tries to send mail after reboot Don Weber (Sep 18)
- RE: nimda tries to send mail after reboot Jim Forster (Sep 18)
- Re: nimda tries to send mail after reboot Brett Glass (Sep 18)
- Re: nimda tries to send mail after reboot John Q. Public (Sep 18)
- <Possible follow-ups>
- Re: nimda tries to send mail after reboot Brett Glass (Sep 19)
- RE: nimda tries to send mail after reboot Lists (Sep 19)
- Re: nimda tries to send mail after reboot Michael H. Warfield (Sep 19)
- RE: nimda tries to send mail after reboot Andrew Mulholland (Sep 19)