Security Incidents mailing list archives

Re: Nimda on Mac?


From: Kee Hinckley <nazgul () somewhere com>
Date: Fri, 21 Sep 2001 12:24:47 -0400


At 12:22 PM +0200 9/21/01, johan.augustsson () adm gu se wrote:
I received a mail from a Mac user that claimed that Nimda has infected
Macs and started to distribute the worm via mail. The user referred to a
post at http://www.xlr8yourmac.com where Mike Breeden claims that his
Mac was infected. How is this possible? I can understand that the IE for
Mac has the same MIME bug as the one for Windows, but how could Nimda
start an SMTP engine for Windows on a Mac to distribute mail?

There was a similar post on MacFixit to which I sent a correction 
this morning. What's happening is that people are receiving copies of 
bounced email that contains the Virus, so they think that they are 
infected.  In fact Nimda was using their email address as a forged 
return address because it was in the address book of someone who was 
infected.  I recommend that anyone who receives Nimda via email use a 
tool such as http://www.spamwatcher.com/ or http://www.spamcop.net/ 
to track down the actual sender's IP address (or just read the 
Received headers).  You can't rely on the UA-generated email headers.

Nimda *can* corrupt Macintosh files if the Macintosh exports a share 
(via a product such as Dave, which provides PC file sharing services 
for the Mac).  But those files won't execute on a Mac.

-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
nazgul () somewhere com (or ...!alice!nazgul for time travelers :-)

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

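As an added illustration of the advice in the reply above (this is example code, not something from the post or its author): a small Python check that ignores From: and Return-Path: and instead walks the Received: chain from your own relays outward to find the IP address that actually submitted the message. The relay names, hosts and addresses in the sample are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (not from the original post): a bounced worm mail whose
# From:/Return-Path: carry a forged address. Only the Received: lines written
# by relays we operate record who really connected; all hosts and addresses
# are made up (RFC 5737 documentation ranges).
SAMPLE = """Return-Path: <forged.victim@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id 123ABC; Fri, 21 Sep 2001 12:00:00 -0400
Received: from unknown (HELO victim-pc) ([198.51.100.23])
\tby mx.example.net with SMTP; Fri, 21 Sep 2001 11:59:58 -0400
Received: from relay.forged.example ([203.0.113.5])
\tby victim-pc with SMTP; Fri, 21 Sep 2001 11:00:00 -0400
From: forged.victim@example.org
To: someone@example.com
Subject: readme.exe

(body omitted)
"""

# Hostnames of the relays we run and whose Received: stamps we trust (assumed).
TRUSTED_RELAYS = {"mail.example.com", "mx.example.net"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return [(by_host, from_ip)] for each Received: header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        by, ip = BY_RE.search(value), IP_RE.search(value)
        hops.append((by.group(1).lower() if by else None, ip.group(1) if ip else None))
    return hops


def origin_ip(raw, trusted=TRUSTED_RELAYS):
    """Walk from our own relays outward; the connecting IP stamped by the last
    trusted hop is the real submitter. Everything below it (From:, Return-Path:,
    further Received: lines) was supplied by the sender and may be forged."""
    origin = None
    for by, ip in received_hops(raw):
        if by not in trusted:
            break
        origin = ip or origin
    return origin

# origin_ip(SAMPLE) -> "198.51.100.23" (the bottom 203.0.113.5 hop is untrusted)
```

The walk stops at the first Received: line not stamped by one of your own relays, because anything beneath that point arrived inside the sender's data and is no more reliable than the forged From: address.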
