NAME
====
Nimda.E + PE_NIMDA.E (TrendMicro) + W32.Nimda.E@mm (Symantec)

EXPERIMENTAL TYPE
=================
Retrieval Behavior - includes retrieval packets only.

EXPERIMENTAL ENVIRONMENT
========================
      131.113.1.1                131.113.1.2
     +-----------+              +-----+-----+
     | Infected  |              | Targeted  |
     |    PC     |              |    PC     |
     | (*1)(*2)  |              |           |
     +-----+-----+              +-----+-----+
           |                          |
     ------+--------------------------+------  131.113.1.0/31

(*1) Windows 2000 Server on VMware
(*2) Default Route = 131.113.1.2

PCAP SUMMARY
============
Total: 50896
START: 1 0.000000

-----------------
445/TCP;139/TCP;: 60
 1253 54.541017 131.113.1.1 131.113.53.66 TCP 1764 > 445 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
 1254 54.542056 131.113.1.1 131.113.53.66 TCP 1765 > 139 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

-----------------
445/TCP;139/TCP;80/TCP;: 4
 10071 422.054909 131.113.1.1 131.113.26.172 TCP 2292 > 445 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
 10072 422.055207 131.113.1.1 131.113.26.172 TCP 2293 > 139 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
 21142 890.056526 131.113.1.1 131.113.26.172 TCP 3953 > 80 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

-----------------
80/TCP;: 24747
 1 0.000000 131.113.1.1 166.30.202.79 TCP 1029 > 80 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

-----------------
80/TCP;445/TCP;139/TCP;: 8
 8235 345.079806 131.113.1.1 131.113.112.149 TCP 1368 > 80 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
 46338 1948.606540 131.113.1.1 131.113.112.149 TCP 4797 > 445 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
 46339 1948.606739 131.113.1.1 131.113.112.149 TCP 4798 > 139 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460