Security Incidents mailing list archives

Re: Concept Virus(CV) V.5 - Quick analysis update


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Sep 2001 21:46:19 -0400

On Tue, Sep 18, 2001 at 08:05:50PM -0400, Homer Wilson Smith wrote:

    If any one has the proper entries in the apache 1.3.20
config file to block the gets to Admin.dll, root.exe and cmd.exe,
I would appreciate knowing about them.  Been playing with
<FilesMatch> and <DirectoryMatch> but they only seem to work
IF the directory path actually exists on the machine.

    We are being swamped here.

        Huh???

        What are you trying to accomplish?  If you don't have them,
you are going to return an error and nothing you can configure in
Apache will prevent the worm from requesting them.  How, exactly,
do you propose to "block them"?  The "mod_telpathy" module has
not even made it to alpha test, so how are you going to detect and
block the requests before they are made?

    Homer

------------------------------------------------------------------------
Homer Wilson Smith   Clean Air, Clear Water,  Art Matrix - Lightlink
(607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
homer () lightlink com  Is that too much to ask? http://www.lightlink.com

        [...]

More infection routes:

The worm, upon infecting a new host, goes through all the
shared directories and their subdirectories and plants the
following files in each dir:

sample.nws
sample.eml
desktop.eml
desktop.nws

        This is through network shares and drives.

        [...]

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
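On the Apache question above: the reason <FilesMatch> and <DirectoryMatch> only seem to work when the path exists is that both match against the filesystem, while <LocationMatch> matches the request URI itself. The fragment below is an added example, written for this archive page and not posted by either correspondent; it uses Apache 1.3 era directives (mod_setenvif, mod_access, mod_log_config) to answer probes for Admin.dll, root.exe and cmd.exe with a 403 and to divert them into their own log for incident tracking. It does not keep the worm from sending the requests (that point in the reply stands); it only changes the response and the logging. The log file paths and the worm_probe environment-variable name are assumptions, and the patterns cover only the three filenames named in the thread.

```apache
# Added example for the thread above, not part of the original mail.
# Tested against the directive set of Apache 1.3; paths and the env name are assumed.

# Tag any request whose URI names one of the probed files (case-insensitive).
# Request_URI is the decoded path, so %5c / %c1%1c traversal encodings in the
# directory part do not matter for matching the filename at the end.
SetEnvIfNoCase Request_URI "(Admin\.dll|root\.exe|cmd\.exe)" worm_probe

# Answer the probe with 403 before the request ever maps to the filesystem.
# <LocationMatch> works on the URI, so it fires whether or not /scripts, /MSADC
# or winnt/system32 exist on this box. Apache 1.3's regex engine has no inline
# case flag, so the case variants are spelled out with bracket expressions.
<LocationMatch "([Aa]dmin\.dll|[Rr]oot\.exe|[Cc]md\.exe)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Keep the probes out of the main access log and in a file of their own.
# CustomLog ... env= requires Apache 1.3.5 or later.
CustomLog /var/log/apache/worm-probes.log combined env=worm_probe
CustomLog /var/log/apache/access.log combined env=!worm_probe
```

Put the block in httpd.conf (or the relevant <VirtualHost>), then `apachectl configtest` and a graceful restart; a quick `grep -c` on worm-probes.log per source address gives a running count of infected hosts hitting the server, which is the useful artifact here since the requests themselves cannot be prevented.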


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
