[Snort-users] hmm...nimda RICHED20.DLL alarms

Roberto Suarez Soto robe at ...3881...
Tue Jan 22 00:40:05 EST 2002


On Jan/22, fluid wrote:

> i am getting some of these every day from work (seemingly when users are
> running Office applications). It is the same set of machines every
> day...always attacking the same destination server. scans of the server are
> picking up nothing with any antivirus package i find, and the same is true
> of the workstations.

	I've seen these too. They seem to appear in inofensive and
well-checked networks. I've seen a few nimda .nws and nimda .eml alerts too,
from the same hosts that the RICHED20.DLL came; they all have been checked for
virus, and none was found.

	So, if someone knows something about this, I'm pretty much interested
too :-)

-- 
Roberto Suarez Soto					Alfa21 Outsourcing
    robe at ...3881...				     http://www.alfa21.com




More information about the Snort-users mailing list