Security Basics mailing list archives

RE: Protecting Home Machines


From: "Jonathan Pesce" <jpesce () delta-nine net>
Date: Fri, 21 Nov 2003 15:54:15 -0500

In my experience with that particular virus, when the company I work for
was infected with it, our 2000+ host network was saturated with it, and all
the infected machines opened port 707.  If you find that all the infected
machines are opening one specific port, then you could try blocking that
port with an ACL.  Once a machine is infected, it floods the network with
ICMP packets. Depending on how your topology is set up and the number of
hosts, you could disable ICMP to try to contain the broadcast storm that
this will cause.

Hope I could be of some help.

- Jon 


-----Original Message-----
From: Sys Sec [mailto:syssec () sysigsa com] 
Sent: Friday, November 21, 2003 2:08 AM
To: security-basics () securityfocus com
Subject: Protecting Home Machines

Hi Cherian

The NACHI.A worm usually arrives as DLLHOST.EXE (~10,240 bytes) on target
systems. It also opens ports between port 666 and port 765 for its malicious
routines.

Propagation

Similar to the earlier MSBLAST worm variants, this malware also exploits the
RPC DCOM Buffer Overflow.

Please visit
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.A

You can download a Microsoft scan to view if your system is vulnerable:
(You can test it after you patch)
http://www.microsoft.com/downloads/details.aspx?FamilyId=13AE421B-7BAB-41A2-843B-FAD838FE472E&displaylang=en

When you patch the system, I recommend that you install a firewall on your
machine.
I recommend Sygate Personal Firewall.

http://smb.sygate.com/free/default.php

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Thursday, November 20, 2003 20:23
To: security-basics () securityfocus com
Subject: Protecting Home Machines



I have a remote user whose laptop was severely infected by the trojans
MSBLAST & WiNSHOW.A.

I reinstalled the OS on the machine following a complete reformat, and
installed an anti-virus with the latest update. I ran a complete scan on the
machine prior to shipping the machine back to the user.

However, as soon as the user took the machine back home, he was infected by
another worm (NACHI.A) within a few minutes of connecting to the internet
through his high speed cable modem. He swears that he had not downloaded
anything nor tried any removable media on this machine.

Following a bit of research on the matter, I am now aware that it is
possible for machines to get infected on the fly, especially through
unprotected home internet connections.

The question is, "What do I do to prevent such occurrences, which have
increased of late?"

My thanks in advance for any thoughts or words of advice.


CP
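
Added example, not part of the original thread: a sketch that combines the two indicators the replies mention (a listener on a port in the 666 to 765 range, such as 707, and an ICMP flood from the same host) to pick which machines to put behind an ACL first. The flow-record layout, the addresses and the fan-out threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Port range quoted in the thread for NACHI.A (666 to 765; 707 was observed).
WORM_PORTS = range(666, 766)

# Constructed sample flows (assumed layout): (src, dst, proto, dst_port).
# ICMP rows carry port 0. A real export from a router or firewall will differ.
SAMPLE_FLOWS = (
    [("10.0.0.9", "10.0.0.5", "tcp", 707),
     ("10.0.0.9", "10.0.0.7", "tcp", 707),
     ("10.0.0.9", "10.0.0.20", "tcp", 80)]
    + [("10.0.0.5", f"10.0.1.{i}", "icmp", 0) for i in range(1, 7)]
    + [("10.0.0.8", f"10.0.1.{i}", "icmp", 0) for i in range(1, 3)]
)

def suspect_hosts(flows, icmp_fanout=5):
    """Return {host: (verdict, worm_range_ports, icmp_destinations)}.

    'isolate'     = host was reached on a worm-range port AND pings many hosts
    'investigate' = only one of the two indicators is present
    icmp_fanout is an assumed threshold; tune it to the network's baseline.
    """
    listeners = defaultdict(set)     # host -> worm-range ports it was reached on
    icmp_targets = defaultdict(set)  # host -> distinct ICMP destinations
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport in WORM_PORTS:
            listeners[dst].add(dport)
        elif proto == "icmp":
            icmp_targets[src].add(dst)

    report = {}
    for host in set(listeners) | set(icmp_targets):
        ports = sorted(listeners.get(host, ()))
        fanout = len(icmp_targets.get(host, ()))
        sweeping = fanout >= icmp_fanout
        if ports and sweeping:
            report[host] = ("isolate", ports, fanout)
        elif ports or sweeping:
            report[host] = ("investigate", ports, fanout)
    return report

if __name__ == "__main__":
    for host, finding in sorted(suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, finding)
```
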

