Hi Tony.

I don't think it is a new variant, as I had always seen the spoofed Mail From: field in any Nimda mailing I have seen.

I have also seen another wave of default.ida attempts recently -- just in time to test the new IDS.

Steve Manzuik
Secure Solutions
www.securesolutions.org

> -----Original Message-----
> From: Bradley, Tony [mailto:tony.bradleyat_private]
> Sent: Thursday, March 07, 2002 12:48 PM
> To: 'incidentsat_private'
> Subject: New Nimda?
>
>
> The ideas and opinions expressed in this email do not in any
> way reflect or represent the opinions of my employer...
>
> Has anyone been seeing any new variation of Nimda? From my
> research Nimda was alleged to be able to spoof the "from"
> address in its mass-mailing propagation, but I was under the
> impression that piece was not functional.
>
> Twice in the last week I have seen blank messages with the
> Sample.exe file attachment that are picked up by all major
> anti-virus software as Nimda, but the from address was
> spoofed. The systems that were alleged to have propagated the
> virus checked out clean and did not send any email during the
> timeframe that the recipients got the infected messages.
>
> It seems as if someone has fixed that spoofing functionality
> but I can't find any evidence of an officially recognized new
> variant. Has anyone else seen something similar or have any
> more information on Nimda spoofing the email address?
>
>
> Tony Bradley, MCSE, MCSA, MCP, A+
> Threat & Vulnerability Monitor
> Electronic Data Systems
>
> "The price of success is hard work, dedication to the job at
> hand, and the determination that whether we win or lose, we
> have applied the best of ourselves to the task at hand." ~
> Vince Lombardi ~
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 19:42:10 PST