RE: New worm? 'readme.eml'

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 09/18/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB0654596@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'Ferris, Thomas M'" <Thomas.Ferris@nmci-isf.com>, JKruser <jkruser@adelphia.net>, Pedro Miller Rabinovitch <pedro@cipher.com.br>, forensics@securityfocus.com
Subject: RE: New worm? 'readme.eml'
Date: Tue, 18 Sep 2001 17:33:41 -0400

There are a few things that you can do to mitigate risk:

1) Patch. Then patch again. This will keep out most of the nasties most of
the time.

2) Configure your firewall to inspect http if possible and drop on common
strings such as */cmd.exe*, *root.exe*, *.dll*, etc. This keeps most of the
known and surely nasties away from your web server.

3) Ensure that router ACLs and firewall rules are configured correctly to
drop un-established requests from your web servers to the internet. In the
event that numbers one and two both fail (not very likely in a case like
this), your server will be hosed, but at least you won't pollute the rest of
the world with the worm.

Hardly comprehensive, but it's a start!

Keith

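An added example (not code from the post or its author) of item 2 from the defender's side: a small Python filter that runs the listed strings over constructed IIS-style log lines and reports which clients keep tripping it. It goes one step beyond the post by percent-decoding the request path before matching, since a filter on the literal strings misses encoded variants; the log format, addresses and paths are all constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (date time client method uri status), not from the thread.
SAMPLE_LOG = """\
2001-09-18 17:33:41 10.0.0.5 GET /index.html 200
2001-09-18 17:33:42 10.0.0.9 GET /scripts/root.exe 404
2001-09-18 17:33:43 10.0.0.9 GET /c/winnt/system32/cmd.exe 200
2001-09-18 17:33:44 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe 200
2001-09-18 17:33:45 10.0.0.7 GET /images/logo.gif 200
2001-09-18 17:33:46 10.0.0.9 GET /_vti_bin/..%5c../winnt/system32/cmd.exe 200
2001-09-18 17:33:47 10.0.0.3 GET /downloads/readme.dll 200
"""

# The strings from item 2 of the post. ".dll" also flags legitimate downloads,
# so tune the list to what your own site actually serves.
SUSPICIOUS = re.compile(r"(?:/cmd\.exe|root\.exe|\.dll)\b", re.IGNORECASE)

def normalize_path(raw_uri):
    """Percent-decode until stable (catches double encoding such as %255c)
    and fold backslashes to forward slashes so one pattern covers both."""
    path = raw_uri
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def find_suspicious(log_text):
    """Return (client, raw_uri, matched_string) for every log line that hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # malformed line: skip rather than crash
            continue
        client, uri = fields[2], fields[4]
        match = SUSPICIOUS.search(normalize_path(uri))
        if match:
            hits.append((client, uri, match.group(0)))
    return hits

def repeat_offenders(log_text, threshold=2):
    """Clients with at least `threshold` hits: candidates for a firewall block."""
    counts = {}
    for client, _, _ in find_suspicious(log_text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```
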
-----Original Message-----
From: Ferris, Thomas M [mailto:Thomas.Ferris@nmci-isf.com]
Sent: Tuesday, September 18, 2001 1:52 PM
To: JKruser; Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

What would be a good solution for this, or is there an exact plan of
attack to defend against this?

Thanks in Advance.

================
Thomas M. Ferris
IA - Incident Response
NMCI San Diego NOC
================

-----Original Message-----
From: JKruser [mailto:jkruser@adelphia.net]
Sent: Tuesday, September 18, 2001 10:07
To: Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

I also see a very serious possibility of this worm interacting with the
still prevalent sircam virus. Nimda, when it infects, opens share drives on
the infected PC...Sircam will scan for open shares on an internal network or
cable subnet and infect the remote PC without user interaction. This could
effectively increase the spread of sircam exponentially and, due to the
remailing capability of sircam, could shut down mail servers in a short
period of time.

I have not verified this possibility but it sounds feasible.

Claymore
the unprofound
