Re: nimda tries to send mail after reboot

From: John Q. Public (tpublicat_private)
Date: Tue Sep 18 2001 - 12:32:01 PDT

Next message: Peter Kruse: "SV: New worm behavior ?"

Previous message: bugtraq: "New worm segfaults apache"
In reply to: John Q. Public: "nimda tries to send mail after reboot"
Next in thread: Paul Seaman: "Re: nimda tries to send mail after reboot"
Reply: Paul Seaman: "Re: nimda tries to send mail after reboot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

here I go replying to myself again...

we cannot get it to send mail to a dummy host we have built.  It connects
and sits there.  if nimda is waiting for a particular response, it's not
obvious in the strings of the binary.  (and not obvious to someone who
fears assembly)

one interesting point, however, the infected host immediately began sending
out arp requests to the /24 broadcast one at a time, about 3 seconds between
each request, from 1 all the way up.  it was keen enough to ignore itself.
perhaps we'll set up some virtual interfaces on the gateway we've built and
see what it's trying to do.

.nhoJ

On Tue, 18 Sep 2001, John Q. Public wrote:

|always to the same IP:  202.106.185.107
|
|sorry if it's been posted, but I haven't seen anything about that particular
|IP yet.
|
|the address appears unreachable (was hoping for an answer to identify itself)
|
|.nhoJ
|
|__
|
|from APNIC:
|
|inetnum:     202.106.0.0 - 202.106.255.255
|netname:     CHINANET-BJ
|descr:       CHINANET Beijing province network
|descr:       Data Communication Division
|descr:       China Telecom
|country:     CN
|admin-c:     CH93-AP
|tech-c:      SY21-AP
|mnt-by:      MAINT-CHINANET
|mnt-lower:   MAINT-CHINANET-BJ
|changed:     hostmasterat_private 20000101
|source:      APNIC
|
|person:      Chinanet Hostmaster
|address:     A12,Xin-Jie-Kou-Wai Street
|country:     CN
|phone:       +86-10-62370437
|fax-no:      +86-10-62053995
|e-mail:      hostmasterat_private
|nic-hdl:     CH93-AP
|mnt-by:      MAINT-CHINANET
|changed:     hostmasterat_private 20000101
|source:      APNIC
|
|person:      sun ying
|address:     Beijing Telecommunication Administration
|address:     TaiPingHu DongLi 18, Xicheng District
|address:     Beijing 100031
|country:     CN
|phone:       +86-10-66198941
|fax-no:      +86-10-68511003
|e-mail:      sunyat_private
|nic-hdl:     SY21-AP
|mnt-by:      MAINT-CHINANET-BJ
|changed:     sunyat_private 19980824
|source:      APNIC
|
|
|
|----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management 
|and tracking system please see: http://aris.securityfocus.com
|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Peter Kruse: "SV: New worm behavior ?"
Previous message: bugtraq: "New worm segfaults apache"
In reply to: John Q. Public: "nimda tries to send mail after reboot"
Next in thread: Paul Seaman: "Re: nimda tries to send mail after reboot"
Reply: Paul Seaman: "Re: nimda tries to send mail after reboot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:32:09 PDT