Here are some hypotheses being posted at MacFixIt.com regarding this. Because the email attachments are exe files, it is not possible to infect a Mac which does not have some Windows emulation abilities installed. The infected files would be within the emulation software and not in the Mac OS native apps. Therefore it is not possible that Outlook Express (or Entourage) for the Mac directly sent the infected emails. I believe that the hypotheses offered below are the most likely.

Zora

Excerpt from MacFixIt.com, Friday, Sept. 21

Nimda worm and the Mac: a follow-up

Regarding yesterday's discussion of effects of the nimda virus on a Mac, we received several replies. Bottom line: This is one nasty virus/worm. Here are the highlights:

Brian Marshall writes (generally confirming what Dave Taylor wrote yesterday): "I work at an ISP that has been monitoring our systems for users that are infected with this virus. We have been sniffing for the sequence in all http requests: '.exe?/c+dir'. When the sniffer sees an IP that appears to be passing this sequence it sends a report to us and we alert the customer. So far we have seen more than a dozen of these reports 'originating' from Mac users. We were obviously a bit confused by this at first, but then we determined that for some reason the Macs were 'bouncing' these requests back to the originating IP, so we are not only seeing the original request but we are seeing the bounce from the Mac. While it isn't causing any problem for the Mac it is very annoying."

David Cardillo adds these thoughts about Dave Taylor's experience: "Information about this can be found on Symantec's page on the Nimda virus: 'The worm begins the mass-mailing routine by first searching for email addresses. The worm searches for email addresses in .htm and .html files on the local system. The worm also uses MAPI to iterate through all messages that are contained in any MAPI-compliant email clients. Any MAPI supporting email clients may be affected including Microsoft Outlook and Outlook Express. The worm uses these email addresses for the To: and the From: addresses. Thus, the From: addresses will not be from the infected user.' What that means is, not only does the virus use its own SMTP server to send itself to every email address on your system (in your address book or not, so yes, that includes every address in all those forwarding headers all your friends don't delete before the latest e-chain message), but it forges the 'From:' field to appear to be from some random person in that list. What I suspect has happened is that when the virus left the system of the person who sent it out, the virus picked Dave's address to spoof as the From: header."

Kee Hinckley contends: "When Nimda sends email, it uses as the return address random addresses from the address book of the infected host. If you are seeing bounces, it's because someone who has you in their address book is infected. So when you get a Nimda virus email, you should check the Received headers to see what machine it actually came from. You'll want to use a standard spam-tracking facility for that, something like http://www.spamwatcher.com/ or http://www.spamcop.net/. Nimda has no effect on a Mac. The only way it can impact a Mac user is if you were using Dave to export a share to someone who was infected, in which case your exported files could become corrupted, but not dangerous to you."

Rob Darko offers another hypothesis: "I believe the reason why Dave Taylor's address was used is probably because the original message he got was sent using receipt confirmation. Once he opened the message, Outlook sent a receipt confirmation and the infected computer that originally sent it now knows that it has a valid email address and can then send email using that name as the sender. The second person that had the network drive indicated he had DAVE. It may be that the infected PCs have access to the same network drive and are assaulting the drive even while he is trying to clean it up."

>
> I received a mail from a Mac user that claimed that Nimda has infected
> Macs and started to distribute the worm via mail. The user referred to a
> post at http://www.xlr8yourmac.com where Mike Breeden claims that his
> Mac was infected. How is this possible? I can understand that the IE for
> Mac has the same MIME bug as the one for Windows, but how could Nimda
> start an SMTP engine for Windows on a Mac to distribute mail?
>
> On all the lists and sites that I have read about Nimda not a single one
> mentions Mac as a potential target.
> What is true?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
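The HTTP signature that Brian Marshall's ISP sniffs for, '.exe?/c+dir', can just as well be applied to an ordinary web server access log to find the hosts doing the probing. The following is an added example written for this archive, not code from MacFixIt, from any of the posters, or from the ARIS service: it parses common-log-format lines (the sample lines are constructed for the example; the IPs and timestamps are made up), checks each request path for the signature both raw and percent-decoded (so an encoded 'cmd%2eexe' variant is not missed), and counts matching requests per client IP. Note that the source IP identifies the host sending the probe; the example does not model the "bounce" behaviour the post describes.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The signature from the post: the worm's IIS probes ask cmd.exe/root.exe
# to run "dir", so the request line carries ".exe?/c+dir".
NIMDA_SIG = re.compile(r"\.exe\?/c\+dir", re.IGNORECASE)

# Common log format: client - - [timestamp] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Sep/2001:09:15:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.5 - - [21/Sep/2001:09:15:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.5 - - [21/Sep/2001:09:15:02 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '192.168.1.20 - - [21/Sep/2001:09:16:44 -0700] "GET /index.html HTTP/1.1" 200 1532',
    '192.168.1.20 - - [21/Sep/2001:09:16:45 -0700] "GET /images/logo.gif HTTP/1.1" 200 4101',
    '172.16.3.9 - - [21/Sep/2001:09:17:10 -0700] "GET /c/winnt/system32/cmd%2eexe?/c+dir HTTP/1.0" 404 276',
]


def is_nimda_probe(request_path: str) -> bool:
    """True if the path carries the signature, raw or after percent-decoding.

    The worm leaves the cmd/dir suffix unencoded, but decoding as well means a
    hand-modified or differently encoded variant still matches.  unquote() does
    not turn '+' into a space, so the '/c+dir' part survives decoding intact.
    """
    return bool(NIMDA_SIG.search(request_path) or NIMDA_SIG.search(unquote(request_path)))


def scan_log(lines):
    """Return (Counter of probe requests per client IP, list of unparsable lines)."""
    hits = Counter()
    unparsed = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            unparsed.append(line)  # keep these visible rather than silently dropping them
            continue
        if is_nimda_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits, unparsed


if __name__ == "__main__":
    probes, bad = scan_log(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} Nimda-style probe(s)")
    if bad:
        print(f"{len(bad)} line(s) did not parse")
```

Run against a real access log, the per-IP counts are what you would hand to the abuse desk; an infected host typically produces a burst of these requests in quick succession rather than a single hit.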
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 13:17:45 PDT