Topic: Anybody else get a Nimda mail yet?
Jimbo
1 dr3w j00 4 p1ggy!

posted 09-19-2001 17:15
I got my first Nimda email today. Anybody else?

fenomas
argument nazi
posted 09-19-2001 17:57
What do the mails look like?
And do the web requests look like regular code red req's?

Jimbo
1 dr3w j00 4 p1ggy!

posted 09-19-2001 19:31
It has an HTML file that's supposed to be a URL linking directly to the README.EXE file, which is also attached. The HTML file (ATT00003.htm) is opened in an IFRAME by the HTML of the email message itself.

On my machine, the IFRAME apparently failed to load. I'm about to run a full scan with new filters from housecall.antivirus.com to make absolutely sure, though.

(edit: nope, IFRAME definitely didn't load. No infection.)

If there's any interest in a copy of the HTML file which is supposed to load in the IFRAME, let me know and I'll post a copy of its source.

Here's the source of the email itself:

Return-Path: <chief@theautochannel.com>
Received: from SLOTH (outbound.newtonian.com [208.33.19.254])
    by mail2.xanatosgroup.com (Post.Office MTA v3.5.3 release 223
    ID# 0-70105U1000L100S0V35) with SMTP id com
    for <jimbo@jimbosworld.org>; Wed, 19 Sep 2001 10:17:23 -0400
From: <chief@theautochannel.com>
Subject: ware\Microsoft\Windo,b4 zbillpatty080901bill080301bill080101crentrybillpatty072401ian080901
    jeff080901crentrysunengrspace080101bill071701bill080701joe080101bill
    patty072601bill071801bill080201p2bill072701a dam071901jeff080601hmmmm[1]hua072701joe071801hua072701
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
    name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

[This message has been edited by Jimbo (edited 09-19-2001).]

edit: (sorry, I don't like the side scroll)

[This message has been edited by Clme (edited 09-21-2001).]

ADMINS: DO NOT EDIT THIS MESSAGE! You'll convert the &lt; tags to < characters and reenable the IFRAME hijacking if you do.

[This message has been edited by Jimbo (edited 09-21-2001).]

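The message Jimbo posted shows the two things that made this mail dangerous without a click: an executable attached under a bogus `audio/x-wav` Content-Type (the "incorrect MIME header" Clme mentions later in the thread), and an HTML body whose 0x0 IFRAME pulls that part in by `cid:`. The checker below is an added example, not code from the thread or from any product: it parses a reconstruction of that message (the MIME layout is copied from the post; the base64 body is a constructed placeholder that only begins with "MZ", not the worm) and reports the declared-type/filename/magic-byte disagreements and the hidden cid-loading frame. The names `analyse`, `check_attachment`, `CidFrameFinder`, `SAMPLE_MESSAGE` and `BENIGN_MESSAGE` are all hypothetical; `mimetypes.guess_type` depends on the host's MIME table, so the example only relies on it disagreeing with `audio/x-wav` for a `.exe` name.

```python
import base64
import mimetypes
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed sample: the MIME layout follows the message quoted in the thread;
# the base64 body is a harmless placeholder that merely starts with "MZ".
PLACEHOLDER_PAYLOAD = base64.b64encode(b"MZ placeholder, not a program").decode()

SAMPLE_MESSAGE = ("""From: <chief@theautochannel.com>
Subject: ware\\Microsoft\\Windo
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
  boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
  name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

""" + PLACEHOLDER_PAYLOAD + """
--====_ABC1234567890DEF_====--
""").encode("latin-1")

# Constructed control message with nothing suspicious in it.
BENIGN_MESSAGE = b"From: <alice@example.invalid>\nSubject: hi\nContent-Type: text/plain\n\nNothing attached.\n"

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


class CidFrameFinder(HTMLParser):
    # Collects <iframe src=cid:...> tags and whether each is sized to be invisible.
    def __init__(self):
        super().__init__()
        self.frames = []  # (content-id, hidden) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        hidden = a.get("height", "").strip() == "0" or a.get("width", "").strip() == "0"
        if a.get("src", "").lower().startswith("cid:"):
            self.frames.append((a["src"][4:].strip("<>"), hidden))


def check_attachment(part):
    """Flag disagreements between declared type, filename and magic bytes on one MIME leaf."""
    findings = []
    declared = part.get_content_type()
    name = part.get_filename() or ""
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append(("executable-attachment", name))
    guessed, _ = mimetypes.guess_type(name)
    if guessed and guessed != declared:
        findings.append(("type-extension-mismatch", f"{name}: {declared} vs {guessed}"))
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(b"MZ") and not declared.startswith("application/"):
        findings.append(("magic-mismatch", f"{name}: {declared} but MZ header"))
    return findings


def analyse(raw):
    """Return (code, detail) findings for one message given as raw bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, parts_by_cid, html_parts = [], {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = str(part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            parts_by_cid[cid] = part
        if part.get_content_type() == "text/html":
            html_parts.append(part)
        else:
            findings.extend(check_attachment(part))
    # An HTML body that auto-loads a cid: part is what makes the attachment run unclicked.
    for html in html_parts:
        finder = CidFrameFinder()
        finder.feed(html.get_content())
        for cid, hidden in finder.frames:
            target = parts_by_cid.get(cid)
            code = "dangling-cid" if target is None else ("hidden-iframe-cid" if hidden else "iframe-cid")
            detail = cid if target is None else f"cid:{cid} -> {target.get_content_type()} {target.get_filename()}"
            findings.append((code, detail))
    return findings
```

Run `analyse(SAMPLE_MESSAGE)` and it reports the executable name, the type/extension mismatch, the MZ-under-audio mismatch and the hidden IFRAME pointing at that part; `analyse(BENIGN_MESSAGE)` reports nothing. The useful design point is that none of the checks trusts the declared Content-Type on its own: each one cross-checks it against something the sender cannot lie about consistently (the filename it wants the client to show, the bytes it wants executed, and the body structure that loads it).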
eod
TREAT MERIGHT!
posted 09-19-2001 21:01
Heheheh I got one from chief@theautochannel.com also.. Uh oh.. We better stop talking about chief@theautochannel.com ASAP.

Snag
Leaky Pen
posted 09-19-2001 23:36
Out of the silent planet, dreams of desolation...

Clme
cake fiend
posted 09-20-2001 10:20
Interesting thing is that the person listed in the "sender" or "from" field may not be the real sender.

In some cases it can pick a random name from your inbox and put that person's name in the "from" field. Fun!

-Chris

jumper42
Frat Troll

posted 09-20-2001 20:00
damn nimda to HELL and all consultants from oracle! the company's firewall i work for was picking them off one by one, regular space invaders action. well the dumb ass broad from oracle brings in her laptop infected to holy hell and back. she can't get anything to work due to the error message "not enough system resources". well by the time i walk back to say something to the head cheese it seems that our storage server is full besides just having 10 gigs free earlier. then it is just a lovely cascade effect from one server to the next. the next thing i know i am having a short little 16 hour day.

yea me!

sloth469
unregistered
posted 09-20-2001 21:18
quote:
Originally posted by Jimbo:

Here's the source of the email itself:

Return-Path:
Received: from SLOTH


I didn't send it to you, in fact I've never sent you an email, and as far as I know I don't have it.

Jimbo
1 dr3w j00 4 p1ggy!

posted 09-20-2001 22:05
Gotta love the retards man.

"Oooh, 'readme.exe'! Gotta click that!"

grendelkhan
Uber PenIs
posted 09-20-2001 22:24
And yet the same people who have their security set so low as to do this kind of crap, bitch and moan when MS raises their licensing fees.

Make a deal with the devil and you get what you deserve.

Clme
cake fiend
posted 09-21-2001 02:20
quote:
Originally posted by sloth469:
I didn't send it to you, in fact I've never sent you an email, and as far as I know I don't have it.

You don't have to, but someone that has received an email from you, AND has emailed/received email from Jimbo before has.

The person listed in the "From" section isn't necessarily the person who sent you the email.

Some people at work received one from visiting a real estate website that had it listed in the "meta" section of the html file. However, thankfully our anti-virus caught it... but the real estate company still has the damn page up, despite numerous phone calls. We're betting they have code red too.

-Chris

*edited because I like cake.

[This message has been edited by Clme (edited 09-21-2001).]

Jimbo
1 dr3w j00 4 p1ggy!

posted 09-21-2001 05:57
1. Clem, you retard, your "edit" chopped out significant sections of the code... the message wasn't really from SLOTH, SLOTH was a machine's network name. The X-REPLYTO was "chief@autochannel.com".

Sloth, check your own IP and SMTP stuff. If you aren't associated with newtonian.com, it wasn't you.

Jimbo
1 dr3w j00 4 p1ggy!

posted 09-21-2001 06:00
Btw, speaking of "Clem you retard", what the hell does "the meta" have to do with getting shafted with a virus?

DO beware of clicking suspicious "yes or no" buttons - or any other kind of buttons - on websites you don't really, really trust, though.

Clme
cake fiend
posted 09-21-2001 19:17
Substitute "Incorrect Mime header" for meta.

And also: Clem did not remove any code... he inserted hard returns

Also: I've GOT to wonder about why someone would name a machine "sloth"

Powered by: Ultimate Bulletin Board, Version 5.44
© Infopop Corporation (formerly Madrona Park, Inc.), 1998 - 1999.


