Actually, I have a theory that this wasn't intended to travel via email by itself. At least I have not seen any of our infected test boxes send any email out. I believe the intent of the *.eml files is to take advantage of Outlook's autoexecute "features", but I'm not sure why that is being used locally. You'd think keeping them all .exe would be sufficient.

.nhoJ

On Tue, 18 Sep 2001, Brett Glass wrote:

|Date: Tue, 18 Sep 2001 16:40:08 -0600
|From: Brett Glass <brettat_private>
|To: John Q. Public <tpublicat_private>, incidentsat_private, bugtraqat_private
|Subject: Re: nimda tries to send mail after reboot
|
|We have a filter on our e-mail server; it's designed to catch
|attachments with (among other things) the name "readme.exe".
|(We actually had this in place before Nimda/Code Rainbow
|began to run rampant; another worm sends an attachment with
|the same name.)
|
|So far, we haven't caught a single Code Rainbow/Nimda e-mail.
|This is odd, because we are constantly receiving (and blocking)
|other e-mail worms.
|
|Has anyone received Nimda/Code Rainbow in the mail? Is it possible
|that the worm's e-mailing code is broken? (I sure hope so.)
|
|--Brett
|
|At 01:32 PM 9/18/2001, John Q. Public wrote:
|
|>here I go replying to myself again...
|>
|>we cannot get it to send mail to a dummy host we have built. It connects
|>and sits there. If Nimda is waiting for a particular response, it's not
|>obvious in the strings of the binary. (and not obvious to someone who
|>fears assembly)
|

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
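The attachment-name filter Brett describes, written out as an added example (this is not code from the thread, from either poster, or from any mail server mentioned). It checks the two things such a filter tends to get wrong: the name comparison is case-insensitive, and the walk descends into message/rfc822 parts, so a blocked name that only appears inside an attached .eml is still caught along with the .eml itself; it also reads a filename that is declared only as a Content-Type `name=` parameter, not just Content-Disposition. The blocklist (`readme.exe`, which the thread names, plus `readme.eml`, added here because the thread observes the worm dropping *.eml files), the sample messages and all addresses are constructed for the example and are assumptions, not observations from the page.

```python
"""Added example, not code from the thread: a MIME attachment-name filter.

Assumptions (mine): the blocklist holds "readme.exe" (named in the thread)
and "readme.eml" (assumed, since the thread mentions dropped *.eml files).
All sample messages below are constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical blocklist, compared case-insensitively: a filter matching the
# literal string "readme.exe" would miss "README.EXE".
BLOCKED_NAMES = {"readme.exe", "readme.eml"}


def flagged_attachments(raw: bytes, blocklist=BLOCKED_NAMES):
    """Return [(filename, content_type), ...] for every MIME part whose
    declared filename is on the blocklist.

    msg.walk() descends into message/rfc822 parts, so a blocked name inside
    an attached .eml is found as well as the .eml itself.  get_filename()
    reads both Content-Disposition filename= and Content-Type name=, so a
    part that carries only name= is not missed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in blocklist:
            hits.append((name, part.get_content_type()))
    return hits


def build_nested_sample() -> bytes:
    """Constructed sample: an outer message carrying readme.eml as a
    message/rfc822 attachment, which itself carries README.EXE."""
    inner = EmailMessage()
    inner["Subject"] = "inner message"
    inner.set_content("inner body")
    inner.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="README.EXE")

    outer = EmailMessage()
    outer["From"] = "sender@example.test"
    outer["To"] = "recipient@example.test"
    outer["Subject"] = "constructed sample"
    outer.set_content("outer body")
    outer.add_attachment(inner, filename="readme.eml")
    return outer.as_bytes()


# Constructed sample: the filename appears only as a Content-Type name=
# parameter; there is no Content-Disposition header at all.
RAW_NAME_PARAM_ONLY = b"""From: sender@example.test
To: recipient@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: application/octet-stream; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""

# Constructed sample with no attachments; the filter must return nothing.
RAW_CLEAN = b"""From: sender@example.test
To: recipient@example.test
Subject: constructed sample

plain text, no attachments
"""


if __name__ == "__main__":
    for label, raw in [("nested", build_nested_sample()),
                       ("name-param-only", RAW_NAME_PARAM_ONLY),
                       ("clean", RAW_CLEAN)]:
        print(label, flagged_attachments(raw))
```

A filter that only inspects top-level parts, or only Content-Disposition, passes the first two samples as clean; that is the kind of gap that would make a "readme.exe" rule look as if it never fires.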
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:32:07 PDT