From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Tue Oct 30 2001 - 10:51:13 PST
Hi Pete,
In the message "[Security]: I suppose this is another new virus",
dated 2001-10-30, Pete Goodeve wrote:
>I got a couple of copies of this today. Don't know if it's novel
>...
>This [HTML segment] was followed by a base64 attachment, labelled as:
>
> Content-Type: audio/x-wav;
> name="sample.exe"
> Content-Transfer-Encoding: base64
Roger Rosenblum today forwarded a message from anti-virus vendor
Kaspersky Labs, which noted that there are already five variants of
the original Nimda worm. One of these, Nimda.e, sends an attached
file named SAMPLE.EXE:
>This is recompiled "Nimda" variant with several subroutines fixed and
>optimized. This variant was found in-the-wild at the end of October 2001.
>The visible differences with original worm version are:
>
>The attached file name: SAMPLE.EXE (instead of README.EXE)
>The DLL files are: HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)
...
Symantec's description of Nimda.e is at:
http://www.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html
and indicates that the Norton AntiVirus Virus Definitions of October
29, 2001 (i.e. yesterday) now identify this Nimda variant.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the Micronet Web site at <http://wss.berkeley.edu/micronet/>.
This archive was generated by hypermail 2b29 : Tue Oct 30 2001 - 10:52:12 PST