Security Incidents mailing list archives

RE: nimda tries to send mail after reboot


From: "Lists" <lists () acros si>
Date: Wed, 19 Sep 2001 21:40:38 +0200

Brett,

> Sadly, the copies of the worm we're receiving are coming from
> companies whose employees we'd expect to know better than to
> leave machines unprotected -- such as V-One and SCO.

It was noted before by someone, and witnessed by myself, that Nimda employs
spoofing of the sender's address. Yesterday I received a Nimda copy that was *sent
by myself* (which of course raised my suspicion). A few minutes later I got a
reply from McAfee ASAP Support, which is an auto-replying mailbox - apparently
Nimda sent itself to at least two addresses (but I'll assume there were more),
pretending to be me. So let's not assume someone has a badly secured machine
just because he/she is the apparent sender - more likely it means that someone
with the apparent sender's address in his/her address book is a little behind on
security.

Regards,

Mitja Kolsek

ACROS, d.o.o.
Stantetova 4, SI - 2000 Maribor, Slovenia
web: http://www.acros.si
e-mail: mitja.kolsek () acros si


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

