Nuwar Worm using SBS 2003 Exchange SMTP- NDR Attack - service@paypal.com


Stevens

Sep 19, 2007, 12:31:46 AM
to Spyware Removal

3 weeks ago, a client's SBS2003 w/Exchange SP2 got an NDR attack.
When we noticed it, no thanks to Symantec, the ESM queue was over 120,000
messages, eating up 1MB per minute from the C: partition. It got down
to only 700MB free space, wheew... we stopped it. Enabled filtering
so only authenticated users could send messages using the SMTP
server. Last Thursday, an attack happened again, spoofed as from:
ser...@paypal.com, leading us to believe it must be a zombie in our
network. I had all the in-house and remote employees run online
OneCare scans. Got a call from a remote user using Outlook 2003 via
POP access and using the server as the outgoing server. OneCare
discovered worm:win32/nuwar.f@m, trojan:win32/vxidl.gen!da,
trojan:win32/tibs.den!b, and trojan:win32/tibs.dk. I've been reading
up on the Nuwar war; I have yet to find a reference to the "Nuwar.F@m"
virus, or Nuwar showing up as ser...@paypal.com. Plus many of the AV
sites tell me that Nuwar sets up its own SMTP server, not that it uses
the existing server. The MS Malware Protection just says it is a mass-
mailer, duh. I just wish to find out if it could be using the SMTP
server from Exchange, and if any occurrences have been detected using
ser...@paypal.com.

Is this just a different form of the worm?
or
Should I assume there is another zombie in the company?


Kind Regards,
Chris

Stephen

Oct 23, 2007, 8:47:32 PM
to Spyware Removal
Hey Chris,

I'm having the same exact problem right now on my Exchange 2003
server. They are all coming from ser...@paypal.com or postmaster.
Did you ever find a solution to this? It sure could save me a lot of
time if you'd post your solution.

Thank you and best regards,
Stephen

On Sep 18, 11:31 pm, Stevens <Stevens...@gmail.com> wrote:
> 3 weeks ago, a client's SBS2003 w/Exchange SP2 got an NDR attack.
> When we noticed it, no thanks to Symantec, the ESM queue was over 120,000
> messages, eating up 1MB per minute from the C: partition. It got down
> to only 700MB free space, wheew... we stopped it. Enabled filtering
> so only authenticated users could send messages using the SMTP
> server. Last Thursday, an attack happened again, spoofed as from:
> serv...@paypal.com, leading us to believe it must be a zombie in our
> network. I had all the in-house and remote employees run online
> OneCare scans. Got a call from a remote user using Outlook 2003 via
> POP access and using the server as the outgoing server. OneCare
> discovered worm:win32/nuwar.f@m, trojan:win32/vxidl.gen!da,
> trojan:win32/tibs.den!b, and trojan:win32/tibs.dk. I've been reading
> up on the Nuwar war; I have yet to find a reference to the "Nuwar.F@m"
> virus, or Nuwar showing up as serv...@paypal.com. Plus many of the AV
> sites tell me that Nuwar sets up its own SMTP server, not that it uses
> the existing server. The MS Malware Protection just says it is a mass-
> mailer, duh. I just wish to find out if it could be using the SMTP
> server from Exchange, and if any occurrences have been detected using
> serv...@paypal.com.
