[Esd-l] Fw: New Virus/Worm email

John D. Hardin jhardin at impsec.org
Tue Sep 18 21:14:01 PDT 2001


On Tue, 18 Sep 2001, Jeffrey S. Gavin wrote:

> I've read that this particular worm (W32.Nimda.A at mm) will try to
> download itself when a user visits a compromised web server.  More info
> can be found at:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

I posted this to the dshield mailing list. Here it is if anyone finds it useful...


Squid ACLs to hopefully prevent this attack on your users:

In /etc/squid.conf:

   acl POISONEDURL  url_regex -i "/etc/squid/URL-Blacklist"
   http_access deny POISONEDURL

In /etc/squid/URL-Blacklist:

   readme.exe$
   readme.eml$
   /admin.dll
   /winnt/system32/

Whenever URL-Blacklist changes, poke squid with "squid -k reconfigure"


NB: The firewall protecting my company's Class C was logging three to
five attacks *per second* this afternoon. It's not logging them any
longer, as the system load was simply too much for that little box.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at impsec.org        pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
-----------------------------------------------------------------------
   1141 days until the Presidential Election



More information about the esd-l mailing list