Security Incidents mailing list archives
Re: Nimda Poison Pill
From: Thor () HammerofGod com
Date: Wed, 19 Sep 2001 13:27:01 -0700
I have no means of testing this, but if Blaine's suggestion works, this should do it. This simple executable will instantiate a mutex handle called 'fsdhqherwqi2001' and wait for you to hit q to quit. It would be interesting to know if this actually works. I originally named it mutex.ex_, but was given the finger by both servers. It is now a password protected zip file. Password is "zip". It should run on any win32. Standard user assumption of risk disclaimers apply.

Later.

---------------------------------
Attonbitus Deus
rm -rf /bin/laden

----- Original Message -----
From: "Blaine Kubesh" <bkubesh () cisco com>
To: <incidents () securityfocus com>
Cc: <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
Sent: Wednesday, September 19, 2001 12:26 PM
Subject: Nimda Poison Pill
After disassembling readme.exe and stepping through execution, it is possible to make Nimda think it is already loaded and quit. If a named Mutex is already created with name "fsdhqherwqi2001", the virus will exit, preventing activation and further infection. This was tested in one configuration and works. I don't see any reason why it would not work with the other launch methods. A quick program can be written to create this mutex, however it needs to be re-run after each reboot of the system. It is also important that the mutex is created before Nimda can activate. This might come in handy for systems that cannot be easily patched and are prone to reinfection.

-BK

--------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
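The mutex "poison pill" Blaine describes and Thor packaged, written here as an added PowerShell example rather than the attachment from the original post. It assumes the worm opens the name unprefixed in the same session namespace the script runs in, and that the script is re-launched at every boot (for instance from a startup task), since the mutex disappears when the process holding it exits.

```powershell
# Added example (not the mutex.zip attachment from the post): create the
# named mutex Nimda checks for and hold it until stopped with Ctrl+C, so a
# later launch of the worm finds the name taken and exits.
param(
    [string]$MutexName = 'fsdhqherwqi2001'   # name from Blaine Kubesh's post
)

# Detection first: if the mutex already exists before we create it, either
# another copy of this script is running or the worm is already resident,
# in which case the pill is too late for this boot and the host needs a look.
function Test-MutexPresent {
    param([string]$Name)
    $existing = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$existing)) {
            $existing.Dispose()
            return $true
        }
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        # The name exists but we lack rights to open it: still present.
        return $true
    }
}

if (Test-MutexPresent -Name $MutexName) {
    Write-Warning "Mutex '$MutexName' already exists: another pill instance or an active infection. Investigate before relying on this."
    exit 1
}

# Mutex(initiallyOwned, name, [out] createdNew): createdNew is $false if the
# name was taken between our check and this call. Keep the object referenced
# for as long as protection is wanted; disposing it removes the name.
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($false, $MutexName, [ref]$createdNew)
if (-not $createdNew) {
    Write-Warning "Lost the race: '$MutexName' was created by another process."
    $mutex.Dispose()
    exit 1
}

Write-Host "Holding mutex '$MutexName' (PID $PID). Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 60 }
}
finally {
    $mutex.Dispose()
}
```

On Windows versions with per-session object namespaces, run it in the session the worm would start in, otherwise the name will not collide.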
Attachment: mutex.zip