[Dshield] How Nimda writer sent it?

Coxe, John B. JOHN.B.COXE at saic.com
Thu Mar 6 19:56:01 GMT 2003


Sending using the mail client has fallen somewhat out of favor over using a
simple SMTP engine in the worm itself to send using DNS.  Address books and
other sources of addresses are still exploited.  For the ones that did/do
use Outlook (primary example), that client is used regardless of the vector
of the infection.  If you pop mail from another ISP or read webmail on
hotmail or yahoo, it still exploits your desktop Outlook when launched.  How
it does this is well documented and probably inappropriate to discuss in
detail here.  As for the structure of the email dispatched by the worm, it
is crafted by the worm itself and not generally using the mail client.  In
fact, some exploits of MIME headers would be impossible otherwise.

-----Original Message-----
From: sasa s [mailto:compu81baby at yahoo.com]
Sent: Thursday, March 06, 2003 10:11 AM
To: list at dshield.org
Subject: [Dshield] How Nimda writer sent it?



 

How can any worm writer (such as the Nimda writer) send his worm through a
mail client?

i.e. as for Nimda:

(If the Nimda sender was using his Hotmail account to send his worm)

the attachment is an exe

Content-Type: audio/x-wav;
name="readme.exe"

Did he use the "add attachment" button to attach his exe?
If so, then how did the writer make it seem to be "x-wav"?
Did he use an ordinary mail client?
Or how did he send the Nimda?




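Added example, not part of the original thread: a mail-gateway style check in Python that flags the mismatch quoted above, an executable attachment name declared under a non-executable media type. The extension and type lists, the function name and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Illustrative lists (assumptions, not from the original thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def find_mismatched_parts(raw_message: bytes):
    """Return (declared_type, filename) for every part whose executable
    filename is declared under a non-executable media type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, as in the quoted header.
        filename = part.get_filename()
        if not filename:
            continue
        # Trailing spaces or dots must not hide the real extension.
        ext = os.path.splitext(filename.strip().rstrip(". "))[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTS and ctype not in EXECUTABLE_TYPES:
            findings.append((ctype, filename))
    return findings

# Constructed sample message; the payloads are harmless placeholder text.
SAMPLE = (
    b"From: sender@example.com\r\nTo: rcpt@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--b1\r\nContent-Type: audio/x-wav;\r\n\tname="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n"
    b'--b1\r\nContent-Type: audio/x-wav; name="chime.wav"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for ctype, name in find_mismatched_parts(SAMPLE):
        print(f"mismatch: {name!r} declared as {ctype}")
```
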