Re: Funlove virus attacking Print ques
From: Exibar (exibar@THELAIR.COM)
Date: 02/05/02
- Previous message: Timothy Johnson: "Critical Update disables Exchange Admin"
- Maybe in reply to: McDaniel, Tom: "Funlove virus attacking Print ques"
- Next in thread: Jagh, Kevin (TGA/MLOL): "Re: Funlove virus attacking Print ques"
Date: Tue, 5 Feb 2002 14:06:49 -0500
From: Exibar <exibar@THELAIR.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I have a honeypot machine set up on each major subnet on my network that
basically does a "net sessions" every 10 minutes, pipes that output to a log
file, parses the log file, performs an "NBTSTAT -A" on the machine name,
then e-mails me the results if any machine attempts to connect to it. When
I parse the log file, I remove any machines that are supposed to attempt
connections within the company.
What this gives me is an accurate representation of what machines are
infected with Funlove or Nimda. Sessions expire every 10 minutes, so you
don't want to run that program less than 10 minutes apart, or you'll get dupes.
If I receive a connection attempt report back from a machine, I shut off
the network switch port that the machine is connected to then send a
technician over to clean the machine and to ensure that any and all shares
are either read only, require authentication to connect to, or are removed
completely.
Some of the Anti-Virus vendors will say that an OS re-install is needed
on NT machines in order to completely remove the virus and to reverse the
Administrator with no password modification that FunLove makes. This is not
true. If you clean the machine, perform a HARD poweroff (not just a
restart), then re-install service pack 6a, your machine will be back to
normal.
Michael P. Blanchard
GIAC, MCSE, MCP+internet
Lead Anti-Virus Engineer
EMC² Corporation
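The polling loop the post describes (collect `net sessions`, drop the hosts that are expected to connect, look up the rest with `nbtstat`, report what is new), as an added Python example that is not the poster's own script. The `net sessions` output below is a constructed sample whose column layout approximates NT/2000 output, the allowlist host `BACKUPSRV` and honeypot name `HP-SUBNET4` are invented, and the `nbtstat` call is built as a command line and only executed through an injectable runner so the logic can be checked offline.

```python
"""Honeypot share-scan monitor: parse `net sessions` output, drop expected
hosts, deduplicate across polls, and build the nbtstat lookup and a report.
Added example; not the original poster's script."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# Constructed sample of `net sessions` output on an NT/2000 honeypot.
# Session rows start with a double backslash; everything else is header/trailer.
SAMPLE_NET_SESSIONS = """\
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\\\BACKUPSRV             svc_backup           Windows 2000 2195 2     00:00:10
\\\\192.168.4.77          GUEST                Windows NT 1381   0     00:00:02
\\\\WS-FIN-12             jsmith               Windows NT 1381   0     00:01:40
The command completed successfully.
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Session:
    computer: str  # client name or address without the leading backslashes
    user: str      # account the client connected as (often GUEST for worm traffic)


def parse_net_sessions(text: str) -> List[Session]:
    """Extract client rows from `net sessions` output; skip headers and trailer."""
    sessions = []
    for line in text.splitlines():
        if not line.startswith("\\\\"):
            continue
        parts = line.split()
        computer = parts[0][2:]
        user = parts[1] if len(parts) > 1 else ""
        sessions.append(Session(computer, user))
    return sessions


def unexpected_sessions(sessions: Iterable[Session], allowlist: Iterable[str]) -> List[Session]:
    """Remove hosts that are supposed to touch the honeypot (case-insensitive)."""
    allowed = {a.upper() for a in allowlist}
    return [s for s in sessions if s.computer.upper() not in allowed]


def nbtstat_command(host: str) -> List[str]:
    """nbtstat -A expects an IP address; -a expects a NetBIOS name."""
    flag = "-A" if IPV4_RE.match(host) else "-a"
    return ["nbtstat", flag, host]


def run_nbtstat(host: str, runner: Callable = subprocess.run) -> str:
    """Run the lookup; the runner is injectable so tests never shell out."""
    result = runner(nbtstat_command(host), capture_output=True, text=True)
    return result.stdout


class HoneypotMonitor:
    """Tracks which offenders were already reported so a poll shorter than the
    10-minute session expiry does not produce duplicate alerts."""

    def __init__(self, allowlist: Iterable[str]):
        self.allowlist = set(allowlist)
        self.reported: Set[str] = set()

    def poll(self, net_sessions_output: str) -> List[Session]:
        new = []
        for s in unexpected_sessions(parse_net_sessions(net_sessions_output), self.allowlist):
            key = s.computer.upper()
            if key not in self.reported:
                self.reported.add(key)
                new.append(s)
        return new


def build_report(honeypot: str, sessions: List[Session],
                 nbt_lookup: Optional[Callable[[str], str]] = None) -> str:
    """Assemble the text that would be mailed to the responder."""
    lines = [f"Honeypot {honeypot}: {len(sessions)} unexpected session(s)"]
    for s in sessions:
        lines.append(f"  {s.computer} as {s.user or '<none>'}: "
                     f"{' '.join(nbtstat_command(s.computer))}")
        if nbt_lookup is not None:
            lines.append(nbt_lookup(s.computer))
    return "\n".join(lines)


if __name__ == "__main__":
    monitor = HoneypotMonitor(["BACKUPSRV"])
    print(build_report("HP-SUBNET4", monitor.poll(SAMPLE_NET_SESSIONS)))
```

In a real deployment the `reported` set would be persisted between runs and aged out, and `run_nbtstat` would be passed as `nbt_lookup` so the mail carries the NetBIOS name table of each offender; a hit on the honeypot is itself the signal, since no legitimate workstation has a reason to open a session to a host that offers nothing.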