FYI, SANS probably did not send that message at all. Read the following
excerpt from Symantec's write-up of the Nimda virus:

"The worm begins the mass-mailing routine by first searching for email
addresses. The worm searches for email addresses in .htm and .html files
on the local system. The worm also uses MAPI to iterate through messages
in the Inbox of email clients. Any MAPI supporting email clients may be
affected including Microsoft Outlook and Outlook Express. The worm uses
these email addresses for the To: and the From: addresses. Thus, the From:
addresses will not be from the infected user."

Heidi Pilewski
Windows Systems Administrator
Software Engineering Institute
[EMAIL PROTECTED]
                     
Greg Page wrote:
> 
> It's not a rumor, it's what happened. That this e-mail got to one of their
> people and propagated is disturbing. Antigen caught it at my GW and didn't
> send it anywhere. What's their excuse?
> 
> Greg
> 
> -----Original Message-----
> From: Dean Cunningham [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 9:19 PM
> To: NT System Admin Issues
> Subject: RE: Well, this is reassuring...
> 
> Careful before spreading such a rumor, the detectors may well be
> oversensitive at this point. McAfee did the same to me *because* a guy had
> posted to the mailing list an email containing a portion of the
> javascript. I would suggest considering the source of the messaging being
> blocked, that it is likely the message was benign and they too had a
> portion of code in it that set the alarm bells off.
> 
> regards
> Dean
> 
> -----Original Message-----
> From: Greg Page [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 September 2001 12:49 p.m.
> To: NT System Admin Issues
> Subject: Well, this is reassuring...
> 
> Antigen for Exchange found readme.exe infected with JScript/Nimda.A.Worm
> (CA(InoculateIT)) worm. The message is currently Purged.  The message, "SANS
> NewsBites Vol. 3 Num. 38", was sent from The SANS Institute  and was
> discovered in IMC Queues\Inbound located at ORGANIZATION/SITE-1/ALEXAPP001.
> 
> Greg
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> ***************************************************
> This e-mail is  not an  official  statement of  the
> Waikato  Regional  Council unless otherwise stated.
> Visit our website http://www.ew.govt.nz
> ***************************************************
> 