Re: [Exim] Nimda Worm

Author: John W Baxter
Date:  
To: exim-users
Subject: Re: [Exim] Nimda Worm
At 20:11 +0100 9/19/2001, Mark Baker wrote:
>How does it work anyway? Surely any half decent MUA will pass audio/x-wav
>attachments to a .wav player; there can't be that many people who would save
>an attachment to disc and then double-click on it.


We're talking specifically about Outlook (and Outlook Express?) (see "half
decent MUA" above). And we're talking about files inside an audio/x-wav
part, but which are .exe. They get executed, without the user having an
opportunity to decide about saving to disk, executing, or discarding. At
least, that's how I read the Symantec website's description of this thing.

Because they are "hiding" in an inappropriate MIME part, they got through
the virus filtering on University of Washington's CSE department's Exchange
server (according to one of our staff who gets some of his mail there).
Sigh...they actually trusted a virus writer to be honest in the MIME part
headers?

The same staff member also mentioned that Sophos, being driven by code of
his own, blocked Nimda fine (we haven't put that into production yet...and
may switch to exiscan to drive it).

We aren't seeing many copies of this thing so far (for the moment, I'm just
freezing so that I get to look at the messages...I haven't frozen anything
but test messages).

  --John
-- 
John Baxter   jwblist@???      Port Ludlow, WA, USA
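
An added example, not part of the original message or of Exim, exiscan or Sophos: a filter-side check that ignores the declared Content-Type and looks at each part's filename extension and leading bytes instead, which is the check the message says the Exchange filter skipped. The extension list, function names and sample message are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}


def suspicious_parts(raw: bytes):
    """Return (declared_type, filename, reasons) for each leaf MIME part whose
    filename or leading bytes indicate an executable, whatever type it claims."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS:
            reasons.append("executable filename extension")
        if payload[:2] == b"MZ":  # DOS/PE executable header
            reasons.append("payload starts with MZ")
        if reasons:
            findings.append((part.get_content_type(), filename, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed test message: one honest WAV part, one mislabelled part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed test body")
    msg.add_attachment(b"RIFF\x24\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="chime.wav")
    msg.add_attachment(b"MZ\x90\x00 constructed filler, not a real program",
                       maintype="audio", subtype="x-wav", filename="sample.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for ctype, name, reasons in suspicious_parts(build_sample()):
        print(f"{name}: declared {ctype}; {', '.join(reasons)}")
```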