I have been following the recent new explosion of what appears to be a new nimda variant. It may be a variant of sorts, possibly using some new Unicode tricks, but the result and the name of the game is the same.

There are two boxes close to our public range that are whacking our perimeter all day long. Address range is owned by AT&T.

AT&T Internet Fax Trial (NETBLK-ATTFAX-225) ATTFAX-225

The tcpdump capture of the hosts' transactions is the same as nimda; in fact, if you look around on the compromised boxes, you'll see the same files in the same directories. A little more probing (opening an infected file) would introduce a virus onto your system, flagged by an Enterprise Scanner as being the virus nimda.

Same face, different day. <sigh> When will they learn?

Robert Buckley
Security Administration
Synapse Group, Inc.
Four High Ridge Park
Stamford, CT 06905
(203) 614-3279 (phone)

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 11:58:02 PST