Security Incidents mailing list archives

It's not a nimda variant, it's the old nimda.


From: Robert Buckley <rbuckley () synapsemail com>
Date: Thu, 28 Feb 2002 12:09:40 -0500

I have been following the recent new explosion of what appears to be a new
nimda variant.
It may be a variant of sorts, possibly using some new Unicode tricks, but
the result and the name of the game is the same.
There are two boxes close to our public range that are whacking our
perimeter all day long.
Address range is owned by AT&T.
AT&T Internet Fax Trial (NETBLK-ATTFAX-225) ATTFAX-225
The tcpdump capture of the hosts' transactions is the same as nimda; in fact,
if you look around on the compromised boxes, you'll see the same files in
the same directories. A little more probing (opening an infected file) would
introduce a virus onto your system, flagged by an Enterprise Scanner as
being the virus nimda.

Same face, different day. <sigh> When will they learn?



Robert Buckley
Security Administration
Synapse Group, Inc.
Four High Ridge Park
Stamford, CT 06905
(203) 614-3279 (phone)
*****************************************************************
The information in this transmission is privileged and
confidential and is intended only for the recipient(s) listed
above.  If you have received this transmission in error, please
notify the sender immediately by E-mail and delete the 
original message.
*****************************************************************
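The post identifies the traffic by eye from tcpdump; the following is an added example (not from the original post or the list) of the same check done over web server logs. It normalises the double-encoded and overlong-UTF-8 path tricks the author alludes to before matching, so the probes are recognised whichever encoding a given host uses. The log format, IP addresses and request lines below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (not from the original post): one ordinary
# request each side of a burst of Nimda-style probes from a single host.
SAMPLE_LOG = """\
2002-02-28 12:01:03 10.0.0.5 GET /index.html 200
2002-02-28 12:01:09 10.0.0.9 GET /scripts/root.exe?/c+dir 404
2002-02-28 12:01:10 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
2002-02-28 12:01:11 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
2002-02-28 12:01:12 10.0.0.9 GET /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2002-02-28 12:02:00 10.0.0.7 GET /images/logo.gif 200
"""

# Overlong / malformed UTF-8 sequences that old IIS builds decoded to a path
# separator even though a strict decoder rejects them.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}


def normalize(path: str, max_rounds: int = 3) -> str:
    """Fold overlong UTF-8 and repeated %-encoding into the path the server would really serve."""
    for _ in range(max_rounds):
        for seq, char in OVERLONG.items():
            path = re.sub(re.escape(seq), lambda m: char, path, flags=re.IGNORECASE)
        decoded = unquote(path, errors="replace")  # one layer of %xx decoding per round
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_nimda_probe(request_path: str) -> bool:
    """True if the decoded path walks up the tree or ends in the shells Nimda calls."""
    segments = normalize(request_path.split("?", 1)[0]).lower().split("/")
    return ".." in segments or segments[-1] in ("cmd.exe", "root.exe")


def scan_log(text: str) -> list:
    """Return (client_ip, raw_path) for every request that looks like a Nimda probe."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        ip, path = fields[2], fields[4]
        if is_nimda_probe(path):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"{ip} probed {path}")
```

Because matching happens on the normalised path, a new encoding variant only needs a new entry in OVERLONG rather than a new signature per request string.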
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com