Re: nimda tries to send mail after reboot

From: Michael H. Warfield (mhwat_private)
Date: Wed Sep 19 2001 - 14:22:00 PDT


    On Wed, Sep 19, 2001 at 11:13:30AM -0600, Brett Glass wrote:
    > Messages bearing the worm are starting to trickle in, slowly. It
    > may be that the worm is designed to start e-mailing only after the
    > infection is a certain number of hours old.
    
    > Sadly, the copies of the worm we're receiving are coming from
    > companies whose employees we'd expect to know better than to
    > leave machines unprotected -- such as V-One and SCO.
    
    	Make sure you know who you are throwing stones at.  The worm
    is spoofing the From addresses.  I just got done researching a pile
    of them because people reported one of our majordomo servers was sending
    out the worm.  Considering that it was a Linux box, that would have been
    a good trick.  Header analysis indicated one particular IP address we
    had never heard of was sending out all the copies of the worm with
    our majordomo server as the From address.  I got five copies of the
    worm from five different sources and all of them tracked back to
    one IP address and none of them had any headers indicating that the
    message had been anywhere near our site.  Sigh...  Maybe it was
    someone who had recently subscribed to one of our mailing lists or
    something, but I can't find where we've ever even been in contact with
    any address within that /16...
    
    > I agree that it will be a very long week. None of our machines
    > is susceptible to the worm, but our backbone feed is getting
    > hammered. I wish we had a firewall under our control at our
    > upstream provider.
    
    > --Brett Glass
    
    > At 11:08 AM 9/19/2001, jforsterat_private wrote:
    
    > >I got a few copies of this worm (via e-mail) this afternoon.
    > >Sadly, someone else in the office did as well (or hit an infected site).
    > >It's going to be a long week....
    
    	I know of several people who have been burned by browsing a
    contaminated web site.  Then the damn thing drops its turds all
    over every directory and on all the network shares it can reach and
    on and on...
    
    	Mike
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
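The header analysis Mike describes, as an added example that is not part of the original thread: each relay prepends its own Received header, so the last Received header in a message is the earliest hop, and the peer address that relay wrote in square brackets is the one thing the sender could not forge about that hop. The From header is whatever the worm put there. The sample messages, addresses (192.0.2.77, 203.0.113.5, 198.51.100.10) and domain names below are constructed for illustration; the code assumes no hop in the chain has itself been forged by the sender, which Nimda did not do but a deliberate spammer can.

```python
"""Trace spoofed worm mail back to its real origin via the Received chain.

Added example, not code from the original mailing-list post.  Assumes the
sender has not prepended forged Received headers of its own.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Receiving MTAs record the peer address in square brackets; that is the only
# part of a Received line the connecting host did not get to write itself.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples.  WORM_1 and WORM_2 carry different From addresses but
# both came in from 192.0.2.77; LIST_MAIL is genuine list traffic that really
# did pass through lists.example.org.
WORM_1 = """\
Received: from mail.example.net (mail.example.net [198.51.100.10])
\tby mx.recipient.example (Postfix) with ESMTP id 1A2B3C
\tfor <victim@recipient.example>; Wed, 19 Sep 2001 10:02:11 -0400
Received: from wsmx01 (unknown [192.0.2.77])
\tby mail.example.net (8.11.6/8.11.6) with SMTP id f8JE1xx
\tfor <victim@recipient.example>; Wed, 19 Sep 2001 10:01:58 -0400
From: majordomo@lists.example.org
To: victim@recipient.example
Subject: readme.exe

body
"""

WORM_2 = """\
Received: from wsmx01 (unknown [192.0.2.77])
\tby mx.recipient.example (Postfix) with SMTP id 4D5E6F
\tfor <victim@recipient.example>; Wed, 19 Sep 2001 10:40:03 -0400
From: someone@example.com
To: victim@recipient.example
Subject: readme.exe

body
"""

LIST_MAIL = """\
Received: from lists.example.org (lists.example.org [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTP id 7G8H9I
\tfor <victim@recipient.example>; Wed, 19 Sep 2001 09:15:42 -0400
From: majordomo@lists.example.org
To: victim@recipient.example
Subject: Welcome to the list

body
"""


def received_chain(raw: str) -> List[str]:
    """Received headers ordered oldest hop first (relays prepend, so reverse)."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def origin_ip(raw: str) -> Optional[str]:
    """Peer IP recorded by the first relay, or None if there is no usable hop."""
    chain = received_chain(raw)
    if not chain:
        return None
    m = IPV4_IN_BRACKETS.search(chain[0])
    return m.group(1) if m else None


def from_domain(raw: str) -> str:
    """Domain part of the (untrusted) From address."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def passed_through(raw: str, host_domain: str) -> bool:
    """True if some relay named in the Received chain belongs to host_domain."""
    return any(host_domain.lower() in hop.lower() for hop in received_chain(raw))


def looks_spoofed(raw: str) -> bool:
    """From claims a domain that never appears anywhere in the Received chain."""
    return not passed_through(raw, from_domain(raw))


def cluster_by_origin(messages: List[str]) -> Dict[str, List[str]]:
    """Group messages by origin IP; copies from one infected host collapse into one key."""
    groups: Dict[str, List[str]] = {}
    for raw in messages:
        groups.setdefault(origin_ip(raw) or "unknown", []).append(from_domain(raw))
    return groups


if __name__ == "__main__":
    for ip, senders in cluster_by_origin([WORM_1, WORM_2, LIST_MAIL]).items():
        print(ip, "->", ", ".join(senders))
```

When you run this over a real pile of complaints, start from your own MTA's Received header and walk downward, trusting each hop only as far as you trust the relay that wrote it; the bracketed address in the last header you trust is where to send the abuse report, regardless of what From says.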
    



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:59:29 PDT