That is the behavior of Nimda. It arrives as an email virus or from an infected web site, then creates a backdoor for others to attack the server. Many newer virus/worms attempt to connect to particular hosts on the internet after infection. These have normally been detected and stopped because of this behavior as no ISP wants to be blacklisted because it hosts the destination of worms. -----Original Message----- From: David Carmean [mailto:dlcat_private] Sent: Sun February 24 2002 14:15 To: incidentsat_private Subject: Virus/trojan tunnel out from behind firewall? Greetings. New to the list; have looked through a few months of the archives and hadn't seen this come up: Have there been any cases of a trojan/virus/etc tunnelling out from behind a firewall and thus providing an attacker a way into the "chewy center"? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 13:46:35 PST