That particular host also was apparent in analyses of the QAZ trojan - http://www.sans.org/infosecFAQ/malicious/QAZ3.htm

I would assume it's been long since disconnected from the network it was a part of. Could this worm have re-used code, or is the writer that out of touch with reality?

Paul

----- Original Message -----
From: "John Q. Public" <tpublicat_private>
To: <incidentsat_private>; <bugtraqat_private>
Sent: Tuesday, September 18, 2001 1:32 PM
Subject: Re: nimda tries to send mail after reboot

> here I go replying to myself again...
>
> we cannot get it to send mail to a dummy host we have built. It connects
> and sits there. If nimda is waiting for a particular response, it's not
> obvious in the strings of the binary (and not obvious to someone who
> fears assembly).
>
> one interesting point, however: the infected host immediately began sending
> out ARP requests to the /24 broadcast one at a time, about 3 seconds between
> each request, from 1 all the way up. It was keen enough to ignore itself.
> perhaps we'll set up some virtual interfaces on the gateway we've built and
> see what it's trying to do.
>
> .nhoJ
>
> On Tue, 18 Sep 2001, John Q. Public wrote:
>
> | always to the same IP: 202.106.185.107
> |
> | sorry if it's been posted, but I haven't seen anything about that particular
> | IP yet.
> |
> | the address appears unreachable (was hoping for an answer to identify itself)
> |
> | .nhoJ
> |
> | __
> |
> | from APNIC:
> |
> | inetnum:   202.106.0.0 - 202.106.255.255
> | netname:   CHINANET-BJ
> | descr:     CHINANET Beijing province network
> | descr:     Data Communication Division
> | descr:     China Telecom
> | country:   CN
> | admin-c:   CH93-AP
> | tech-c:    SY21-AP
> | mnt-by:    MAINT-CHINANET
> | mnt-lower: MAINT-CHINANET-BJ
> | changed:   hostmasterat_private 20000101
> | source:    APNIC
> |
> | person:    Chinanet Hostmaster
> | address:   A12,Xin-Jie-Kou-Wai Street
> | country:   CN
> | phone:     +86-10-62370437
> | fax-no:    +86-10-62053995
> | e-mail:    hostmasterat_private
> | nic-hdl:   CH93-AP
> | mnt-by:    MAINT-CHINANET
> | changed:   hostmasterat_private 20000101
> | source:    APNIC
> |
> | person:    sun ying
> | address:   Beijing Telecommunication Administration
> | address:   TaiPingHu DongLi 18, Xicheng District
> | address:   Beijing 100031
> | country:   CN
> | phone:     +86-10-66198941
> | fax-no:    +86-10-68511003
> | e-mail:    sunyat_private
> | nic-hdl:   SY21-AP
> | mnt-by:    MAINT-CHINANET-BJ
> | changed:   sunyat_private 19980824
> | source:    APNIC
> |
> | ----------------------------------------------------------------------------
> | This list is provided by the SecurityFocus ARIS analyzer service.
> | For more information on this free incident handling, management
> | and tracking system please see: http://aris.securityfocus.com
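The sequential ARP sweep John describes (one request per address, a few seconds apart, walking up the /24 and skipping the sender's own address) is a pattern a network defender can pick out of capture logs. The following is an added example, not code from the thread or from any project it mentions: it parses constructed tcpdump-style ARP lines (the timestamps and 10.1.2.0/24 addresses are made up here) and flags any sender whose requests walk contiguously up a /24, tolerating the one-address gap where the host skips itself.

```python
"""Flag hosts whose ARP requests walk up a /24 one address at a time."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in tcpdump's ARP output style (not real capture data).
# 10.1.2.3 sweeps .1, .2, .4, .5, .6 about 3 s apart and skips its own address;
# 10.1.2.7 makes ordinary, non-contiguous requests.
SAMPLE_LOG = """\
10:00:00.000 ARP, Request who-has 10.1.2.1 tell 10.1.2.3, length 28
10:00:03.010 ARP, Request who-has 10.1.2.2 tell 10.1.2.3, length 28
10:00:06.020 ARP, Request who-has 10.1.2.4 tell 10.1.2.3, length 28
10:00:09.005 ARP, Request who-has 10.1.2.5 tell 10.1.2.3, length 28
10:00:12.030 ARP, Request who-has 10.1.2.6 tell 10.1.2.3, length 28
10:00:05.000 ARP, Request who-has 10.1.2.99 tell 10.1.2.7, length 28
10:00:40.000 ARP, Request who-has 10.1.2.1 tell 10.1.2.7, length 28
10:00:41.000 ARP, Request who-has 10.1.2.2 tell 10.1.2.7, length 28
"""

ARP_RE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) ARP, Request who-has (\S+) tell ([^,\s]+)(?:, length \d+)?$"
)


def parse_arp(lines):
    """Yield (seconds_since_midnight, target_ip, sender_ip) for each ARP request line."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP request line; ignore
        h, mi, s = (int(x) for x in m.group(1, 2, 3))
        secs = h * 3600 + mi * 60 + s + int(m.group(4)) / 10 ** len(m.group(4))
        yield secs, ip_address(m.group(5)), ip_address(m.group(6))


def find_sweeps(lines, min_targets=4, max_gap=10.0):
    """Map sender -> longest run of consecutive targets probed within max_gap seconds.

    A run continues when the next target is the previous one + 1 (or + 2 when the
    skipped address is the sender itself) and both lie in the same /24.
    """
    by_sender = defaultdict(list)
    for secs, target, sender in parse_arp(lines):
        by_sender[sender].append((secs, target))
    sweeps = {}
    for sender, reqs in by_sender.items():
        reqs.sort()
        run = best = 1
        for (t0, a0), (t1, a1) in zip(reqs, reqs[1:]):
            step = int(a1) - int(a0)
            skipped_self = step == 2 and ip_address(int(a0) + 1) == sender
            same_slash24 = int(a0) >> 8 == int(a1) >> 8
            if same_slash24 and (step == 1 or skipped_self) and 0 < t1 - t0 <= max_gap:
                run += 1
                best = max(best, run)
            else:
                run = 1
        if best >= min_targets:
            sweeps[str(sender)] = best
    return sweeps
```

Run it over the sample and `find_sweeps(SAMPLE_LOG.splitlines())` reports only 10.1.2.3, the host walking the subnet; raise or lower `min_targets` to tune how many contiguous probes count as a sweep.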
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:27:40 PDT