Re: NIMDA Virus

From: Eric Anderson (anderson@centtech.com)
Date: 09/18/01


Date: Tue, 18 Sep 2001 16:35:54 -0500
From: Eric Anderson <anderson@centtech.com>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>

I must be stupid. How DO you go about doing that? I need to do that too.

Here is some info from a friend about the content of Nimda:
------------------------------------------------------
> There's a new worm hammering networks via email, via open shares,
> and via vulnerable web servers.
>
> Propagation via email can be stopped with:
>
> /etc/postfix/main.cf:
> body_checks = regexp:/etc/postfix/body_checks
>
> /etc/postfix/body_checks:
> /^[SPACE TAB]*name=.*\.exe/ REJECT
>
> Inside the [] are one space and one tab.
>
> This is also a reminder that Postfix needs decent MIME parsing
> support so it can filter this sort of malware more effectively.
>
> Wietse
>
> The worm's MIME headers, with spaces inserted to avoid false alarms.
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e : m u l t i p a r t / a l t e r n a t i v e ;
> b o u n d a r y = " = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = "
>
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = =
> C o n t e n t - T y p e : t e x t / h t m l ;
> c h a r s e t = " i s o - 8 8 5 9 - 1 "
> C o n t e n t - T r a n s f e r - E n c o d i n g : q u o t e d - p r i n t a b l e
>
> < H T M L > < H E A D > < / H E A D > < B O D Y b g C o l o r = 3 D # f f f f f f >
> < i f r a m e s r c = 3 D c i d : E A 4 D M G B P 9 p h e i g h t = 3 D 0 w i d t h = 3 D 0 >
> < / i f r a m e > < / B O D Y > < / H T M L >
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = - -
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e : a u d i o / x - w a v ;
> n a m e = " r e a d m e . e x e "
> C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
> C o n t e n t - I D : < E A 4 D M G B P 9 p >

Derek O'Flynn wrote:
>
> Has anyone successfully written a rule for snort to alert to this?
>
> I'm currently running snort 1.8 with flex-resp.
>
> I would like to have a rule that identifies the attacks and then sends the
> tcp_rst command so that the worm can't infect new machines. I have the
> information for the rule, just need to know what to put in the content field
> to verify that it is nimda.
>
> Thanks,
> Derek O'Flynn
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
-------------------------------------------------------------------------------
Eric Anderson	 anderson@centtech.com    Centaur Technology    (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------
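As an added illustration (not code from the post, not Postfix's own implementation), the Python below replays Wietse's body_checks rule line by line over a constructed copy of the quoted message (the spaced-out headers reassembled; the outer Content-Type line, the sender/recipient addresses and the base64 payload are assumptions, not from the post) and contrasts it with a MIME-aware check that walks the parts. It also shows the gap behind his remark about MIME parsing: the regexp only fires when name= begins a continuation line, so a constructed variant with the same attachment declared on the Content-Type line itself passes body_checks but is still caught by the MIME walk. The strings it keys on (the Content-ID, the iframe cid: reference, the .exe name) are the same ones a packet-content match would look for.

```python
"""Two ways to catch the message structure quoted above.

Added illustration only: not Postfix code and not the poster's code.
NIMDA_LIKE is a CONSTRUCTED message reassembled from the spaced-out headers
in the post; its outer Content-Type line, addresses and base64 payload are
assumed/dummy and are not from the original."""
import re
import email
from email import policy

NIMDA_LIKE = """\
From: sender@example.org
To: victim@example.org
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
\tboundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
\tcharset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
\tname="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

ZHVtbXk=
--====_ABC1234567890DEF_====--
"""

# Constructed variant: the name parameter sits on the Content-Type line
# instead of a continuation line.  Same attachment, different line layout.
SAME_LINE = NIMDA_LIKE.replace('Content-Type: audio/x-wav;\n\tname="readme.exe"',
                               'Content-Type: audio/x-wav; name="readme.exe"')

BENIGN = """\
From: sender@example.org
To: victim@example.org
Subject: notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Plain text, no attachment.
"""

# Wietse's rule.  Postfix regexp tables match case-insensitively by default,
# hence re.IGNORECASE; the [ \t]* is the "one space and one tab" class.
BODY_CHECKS = [(re.compile(r'^[ \t]*name=.*\.exe', re.IGNORECASE), 'REJECT')]

def postfix_body_checks(raw, rules=BODY_CHECKS):
    """Approximate body_checks: every line after the first blank line (which
    includes nested MIME part headers) is tested on its own; first hit wins."""
    _, _, body = raw.partition('\n\n')
    for line in body.splitlines():
        for pattern, action in rules:
            if pattern.search(line):
                return action, line
    return 'OK', None

def executable_parts(raw):
    """MIME-aware check: parts whose declared name ends in .exe, regardless of
    what Content-Type claims (audio/x-wav in the worm's case)."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()  # falls back to Content-Type's name= param
        if name and name.lower().endswith('.exe'):
            cid = part.get('Content-ID')
            found.append((part.get_content_type(), name,
                          str(cid).strip('<>') if cid else None))
    return found

IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', re.IGNORECASE)

def hidden_iframe_cids(raw):
    """Content-IDs referenced from <iframe src=cid:...> in HTML parts, read
    after quoted-printable decoding (so =3D has become =)."""
    msg = email.message_from_string(raw, policy=policy.default)
    cids = []
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            cids += IFRAME_CID.findall(part.get_content())
    return cids

def iframe_launches_exe(raw):
    """True when an HTML part's iframe points at a .exe part by Content-ID."""
    targets = set(hidden_iframe_cids(raw))
    return any(cid in targets for _, _, cid in executable_parts(raw))

if __name__ == '__main__':
    for label, raw in (('nimda-like', NIMDA_LIKE), ('same-line', SAME_LINE),
                       ('benign', BENIGN)):
        print(label, postfix_body_checks(raw)[0], executable_parts(raw),
              iframe_launches_exe(raw))
```

Run as-is it prints REJECT for the reassembled message, OK for the same-line variant (the regexp never sees a line beginning with name=), and OK for the plain-text message, while the MIME walk flags the .exe part in both crafted messages and links it to the zero-size iframe. The line-oriented rule is still what you could deploy in Postfix that day; the MIME walk is the shape of the check Wietse says the MTA lacked.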