Security Incidents mailing list archives

Re: Nimda on Mac?


From: Zora Monster <Zoramon () Mac com>
Date: Fri, 21 Sep 2001 11:56:59 -0700

Here are some hypotheses being posted at MacFixIt.com regarding this.

Because the email attachments are exe files, it is not possible to infect a
Mac which does not have some Windows emulation abilities installed.  The
infected files would be within the emulation software and not in the Mac OS
native apps.  Therefore it is not possible that Outlook Express (or
Entourage) for the Mac directly sent the infected emails.  I believe that
the hypotheses offered below are the most likely.

Zora

Excerpt from MacFixIt.com, Friday, Sept. 21

Nimda worm and the Mac: a follow-up

Regarding yesterday's discussion of effects of the nimda virus on a Mac, we
received several replies. Bottom line: This is one nasty virus/worm. Here
are the highlights:


Brian Marshall writes (generally confirming what Dave Taylor wrote
yesterday): "I work at an ISP that has been monitoring our systems for users
that are infected with this virus. We have been sniffing for the sequence in
all http requests: '.exe?/c+dir.' When the sniffer sees an IP that appears
to be passing this sequence it sends a report to us and we alert the customer.
So far we have seen more than a dozen of these reports 'originating' from Mac
users. We were obviously a bit confused by this at first but then we
determined that for some reason the Macs were 'bouncing' these requests
back to the originating IP so we are not only seeing the original request but
we are seeing the bounce from the Mac. While it isn't causing any problem
for the Mac it is very annoying."

David Cardillo adds these thoughts about Dave Taylor's experience:
"Information about this can be found on Symantec's page on the Nimda virus:
'The worm begins the mass-mailing routine by first searching for email
addresses. The worm searches for email addresses in .htm and .html files on
the local system. The worm also uses MAPI to iterate through all messages
that are contained in any MAPI-compliant email clients. Any MAPI supporting
email clients may be affected including Microsoft Outlook and Outlook
Express. The worm uses these email address for the To: and the From:
addresses. Thus, the From: addresses will not be from the infected user.'
What that means is, not only does the virus use its own SMTP server to send
itself to every email address on your system (in your address book or not,
so yes, that includes every address in all those forwarding headers all your
friends don't delete before the latest e-chain message), but it forges the
'From:' field to appear to be from some random person in that list. What I
suspect has happened is that when the virus left the system of the person
who sent it out, the virus picked Dave's address to spoof as the From:
header."

Kee Hinckley contends: "When Nimda sends email, it uses as the return
address random addresses from the address book of the infected host. If you
are seeing bounces, it's because someone who has you in their address book
is infected. So when you get a Nimda virus email, you should check the
Received headers to see what machine it actually came from. You'll want to
use a standard spam-tracking facility for that, something like
http://www.spamwatcher.com/ or http://www.spamcop.net/. Nimda has no effect
on a Mac. The only way it can impact a Mac user is if you were using Dave to
export a share to someone who was infected, in which case your exported
files could become corrupted, but not dangerous to you."

Rob Darko offers another hypothesis: "I believe the reason why Dave Taylor's
address was used is probably because the original message he got was sent
using receipt confirmation. Once he opened the message, Outlook sent a
receipt confirmation and the infected computer that originally sent it now
knows that it has a valid email address and can then send email using that
name as the sender. The second person that had the network drive indicated
he had DAVE. It may be that the infected PCs have access to the same network
drive and are assaulting the drive even while he is trying to clean it up."



I received a mail from a Mac user that claimed that Nimda has infected
Macs and started to distribute the worm via mail. The user referred to a
post at http://www.xlr8yourmac.com where Mike Breeden claims that his
Mac was infected. How is this possible? I can understand that the IE for
Mac has the same MIME bug as the one for Windows, but how could Nimda
start an SMTP engine for Windows on a Mac to distribute mail?

On all the lists and sites that I have read about Nimda not a single one
mentions Mac as a potential target.
What is true?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
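Two of the indicators in this thread lend themselves to a small incident-triage script: the '.exe?/c+dir' request signature that Brian Marshall's ISP sniffed for in HTTP traffic, and the Received: header check Kee Hinckley recommends because Nimda forges the From: address. The Python below is an added example for this archive page, not code from the thread, from MacFixIt, Symantec, SpamCop or the ISP quoted above. The log lines, header block, hostnames, addresses and function names (`nimda_probe_sources`, `received_chain`, `origin_host`) are constructed for illustration; the third Received: line in the sample is a sender-supplied hop invented to show why the check must anchor on your own relay.

```python
"""Triage helpers for the two Nimda indicators discussed in the thread.
Added example for this archive page; not code from the thread or from any
tool or vendor it mentions.  All sample data is constructed (RFC 5737
addresses, example.* hostnames)."""
import re
from typing import List, Optional

# 1. Web-log side: the request signature the ISP sniffed for.
NIMDA_PROBE = re.compile(r"\.exe\?/c\+dir", re.IGNORECASE)
# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def nimda_probe_sources(log_lines: List[str]) -> List[str]:
    """Distinct client addresses whose request line carries the probe
    signature, in order of first appearance.  Candidates only: the thread
    reports Macs reflecting these requests back, so the address on the
    line is not necessarily the infected host."""
    seen: List[str] = []
    for line in log_lines:
        m = CLF.match(line)
        if m and NIMDA_PROBE.search(m.group("request")) and m.group("host") not in seen:
            seen.append(m.group("host"))
    return seen


# 2. Mail side: From: is forged, so only the Received: chain locates the sender.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers: str) -> List[str]:
    """Unfold continuation lines and return Received: values top to bottom
    (top = added last, i.e. closest to the recipient)."""
    unfolded: List[str] = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [l.split(":", 1)[1].strip()
            for l in unfolded if l.lower().startswith("received:")]


def connecting_host(received_value: str) -> Optional[str]:
    """Host that connected to the relay which wrote this line.  The
    bracketed IP was recorded by the relay itself; the HELO name before it
    is whatever the client claimed, so prefer the IP when present."""
    m = RECEIVED_FROM.match(received_value)
    if not m:
        return None
    ip = BRACKETED_IP.search(m.group("paren") or "")
    return ip.group(1) if ip else m.group("helo")


def written_by(received_value: str) -> str:
    m = RECEIVED_BY.search(received_value)
    return m.group("by").lower() if m else ""


def origin_host(raw_headers: str, trusted_relay: Optional[str] = None) -> Optional[str]:
    """Where the message actually entered SMTP.  Received: lines below the
    one written by your own relay were handed over by the sender and can be
    forged, so with `trusted_relay` only lines written 'by' that relay are
    consulted.  Without it the bottom-most line is used, which trusts the
    sender's own headers (the naive answer)."""
    chain = received_chain(raw_headers)
    if trusted_relay:
        chain = [r for r in chain if written_by(r) == trusted_relay.lower()]
    return connecting_host(chain[-1]) if chain else None


# Constructed sample data for the two checks above.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Sep/2001:09:15:02 -0700] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.7 - - [21/Sep/2001:09:15:03 -0700] "GET /msadc/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.23 - - [21/Sep/2001:09:16:10 -0700] "GET /download/setup.exe HTTP/1.1" 200 5120',
    '192.0.2.44 - - [21/Sep/2001:09:17:45 -0700] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0" 404 -',
]
SAMPLE_HEADERS = """Received: from mx.example.net (mx.example.net [192.0.2.5])
    by mail.example.org with ESMTP id abc123
    for <victim@example.org>; Fri, 21 Sep 2001 10:02:11 -0700
Received: from homepc (dsl-198-51-100-23.example.isp [198.51.100.23])
    by mx.example.net with SMTP; Fri, 21 Sep 2001 10:02:05 -0700
Received: from mail.example.com (mail.example.com [192.0.2.99])
    by homepc with SMTP; Fri, 21 Sep 2001 10:01:00 -0700
From: dave@example.com
To: victim@example.org
"""

if __name__ == "__main__":
    print("probe sources:", nimda_probe_sources(SAMPLE_LOG))
    print("origin (anchored on our MX):", origin_host(SAMPLE_HEADERS, "mx.example.net"))
    print("origin (trusting sender headers):", origin_host(SAMPLE_HEADERS))
```

Run against the sample, the log check reports 203.0.113.7 and 192.0.2.44 and ignores the plain `.exe` download; the header check anchored on `mx.example.net` names 198.51.100.23 as the host that handed the mail to our relay, while the naive bottom-most-line reading is misled by the constructed forged hop and reports 192.0.2.99. Neither result says anything about the From: address, which is exactly the point the thread makes.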

