[Snort-users] Nimda in action

Travis Farmer travis5765 at ...125...
Wed Sep 19 09:13:02 EDT 2001

Ahh, now i see why my replies where not getting to the group.
The TO was sending my reply directly to Franki (sorry for filling your 

Anyway, I thought i may have been infected but now i'm not sure.
When i went to the page, it autoloaded readme.eml .
Strangely though, it tried to "play" it with windows media player that 
responded with invalid media file. I can only assume it stopped proccess of 
the file at that point.

To be on the safe side though, i have checked and re-checked my system to 
compair it to the system changes noted in the symantec report.
I don't seem to match any of them. At this moment anyway.

I have a copy of the worm stored on a Linux system in case any of you want a 
copy for study. It was found in my internet temp folder.

A look at the file with Pico (text editor packaged with Pine) showes it 
really is a email file (windows saves emails as *.eml).
the top of the file is as such;
MIME-Version: 1.0
Content-Type: multipart/related;
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Content-Type: multipart/alternative;
>Content-Type: text/html;
>	charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
>Content-Type: audio/x-wav;
>	name="readme.exe"
>Content-Transfer-Encoding: base64
>Content-ID: <EA4DMGBP9p>
<snip good old base64 encoded worm>


Header stuff was preceeded with a ">" because the snort-users mail server 
thought the text was an actual attachment header. Needless to say, i got a 
message back from the server.


>From: "Franki" <frankieh at ...2806...>
>Reply-To: <frankieh at ...2806...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Nimda in action
>Date: Wed, 19 Sep 2001 19:39:43 +0800
>MIME-Version: 1.0
>Received: from [] by hotmail.com (3.2) with ESMTP id 
>MHotMailBD71D20C006340042A18D888ABFCF0F20; Wed, 19 Sep 2001 04:52:45 -0700
>Received: from localhost ([] helo=usw-sf-list1.sourceforge.net)by 
>usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id 
>15jfpl-0006BE-00; Wed, 19 Sep 2001 04:48:05 -0700
>Received: from [] (helo=freddie.vianet.net.au)by 
>usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id 
>15jfpO-00066y-00for <snort-users at lists.sourceforge.net>; Wed, 19 Sep 2001 
>04:47:42 -0700
>Received: from laptop (per2-46.vianet.net.au [])by 
>freddie.vianet.net.au (8.9.3/8.9.2) with SMTP id TAA08104for 
><snort-users at lists.sourceforge.net>; Wed, 19 Sep 2001 19:47:37 +0800
>From snort-users-admin at lists.sourceforge.net Wed, 19 Sep 2001 04:53:48 
>Message-ID: <MCEKJDCFAKOIACBMPEICOEIKEEAA.frankieh at ...2806...>
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
>Importance: Normal
>In-Reply-To: <a05100300b7ce249dea7f@[]>
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
>Sender: snort-users-admin at lists.sourceforge.net
>Errors-To: snort-users-admin at lists.sourceforge.net
>X-BeenThere: snort-users at lists.sourceforge.net
>X-Mailman-Version: 2.0.5
>Precedence: bulk
>List-Help: <mailto:snort-users-request at lists.sourceforge.net?subject=help>
>List-Post: <mailto:snort-users at lists.sourceforge.net>
><https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request at lists.sourceforge.net?subject=subscribe>
>List-Id: Snort users talk about... Snort! 
><https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request at lists.sourceforge.net?subject=unsubscribe>
>List-Archive: <https://lists.sourceforge.net/archives//snort-users/>
>X-Original-Date: Wed, 19 Sep 2001 19:39:43 +0800
>if anyone wants to see nimda in action (and you haven't already.)
>try going to this site..
>whatever you do, don't run the readme.exe file....(assuming you are on
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

More information about the Snort-users mailing list