Is this just a different form of the worm?
or
Should I assume there is another zombie in the company?
Kind Regards,
Chris
I'm having the same exact problem right now on my Exchange 2003
server. They are all coming from ser...@paypal.com or postmaster.
Did you ever find a solution to this? It sure could save me a lot of
time if you'd post your solution.
Thank you and best regards,
Stephen
On Sep 18, 11:31 pm, Stevens <Stevens...@gmail.com> wrote:
> 3 weeks ago, a client's SBS2003 w/Exchange SP2 got an NDR attack.
> When we noticed it, no thanks to Symantec, ESM queue was over 120,000
> messages, eating up 1MB per minute from the C: partition. It got down
> to only 700MB free space, whew... we stopped it. Enabled filtering
> so only authenticated users could send messages using the smtp
> server. Last Thursday, an attack happened again spoofed as from:
> serv...@paypal.com, leading us to believe it must be a zombie in our
> network. I had all the in house and remote employees run online
> OneCare scans. Got a call from a remote user using Outlook 2003 via
> POP access and using the server as the outgoing server. OneCare
> discovered worm:win32/nuwar.f@m, trojan:win32/vxidl.gen!da,
> trojan:win32/tibs.den!b, and trojan:win32/tibs.dk. I've been reading
> up on the Nuwar war, I have yet to find reference to the "Nuwar.F@m"
> virus, or Nuwar showing up as serv...@paypal.com. Plus many of the AV
> sites tell me that Nuwar sets up its own smtp server, not that it uses
> the existing server. The MS Malware Protection just says it is a mass-
> mailer, duh. I just wish to find out if it could be using the SMTP
> server from Exchange, and if any occurrences have been detected using