I got a few copies of this worm (via e-mail) this afternoon. Sadly, someone else in the office did as well (or hit an infected site). It's going to be a long week.... Side Note: The 'client fix' posted to a few lists earlier does not work. There are changes made to wordpad that don't go away, and it still attempts to call them when running it. (The riched20.dll) I've got one test box up now I'm working with - in hopes there is a cleaner for the client systems soon. <The shared directory on this box was FULL of copies of the worm> Jim Forster Network Administrator RapidNet, A Golden West Company ------------------------------- On Tue, 18 Sep 2001, Don Weber wrote: > I personally have rcvd it twice today, and a number of people in my company > have rcvd it at least once, both times i rcvd it, it was from a dif email > address > > Don > > > -----Original Message----- > From: Brett Glass [mailto:brettat_private] > Sent: Tuesday, September 18, 2001 3:40 PM > To: John Q. Public; incidentsat_private; > bugtraqat_private > Subject: Re: nimda tries to send mail after reboot > > > We have a filter on our e-mail server; it's designed to catch > attachments with (among other things) the name "readme.exe". > (We actually had this in place before Nimda/Code Rainbow > began to run rampant; another worm sends an attachment with > the same name.) > > So far, we haven't caught a single Code Rainbow/Nimda e-mail. > This is odd, because we are constantly receiving (and blocking) > other e-mail worms. > > Has anyone received Nimda/Code Rainbow in the mail? Is it possible > that the worm's e-mailing code is broken? (I sure hope so.) > > --Brett > > At 01:32 PM 9/18/2001, John Q. Public wrote: > > >here I go replying to myself again... > > > >we cannot get it to send mail to a dummy host we have built. It connects > >and sits there. if nimda is waiting for a particular response, it's not > >obvious in the strings of the binary. (and not obvious to someone who > >fears assembly) > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 21:56:12 PDT