RE: New worm? 'readme.eml'

From: Guy Fighel (GuyF@xpert.com)
Date: 09/20/01


Message-ID: <EB513E68D3F5D41191CA000255588101484361@mailserv.xpert.com>
From: Guy Fighel <GuyF@xpert.com>
To: 'Duane Waddle' <waddle1@us.ibm.com>, "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
Subject: RE: New worm? 'readme.eml'
Date: Thu, 20 Sep 2001 09:05:08 +0300

Following is the full files list:

xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe,
edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe,
atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe,
secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe,
edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe,
nslookup.exe, tftp.exe, command.com.

The worm doesn't use all of the above files but I think those files should
be protected anyway...

Guy.

-----Original Message-----
From: Duane Waddle [mailto:waddle1@us.ibm.com]
Sent: Wednesday, September 19, 2001 4:38 PM
To: McCammon, Keith
Cc: focus-ids@securityfocus.com; focus-ms@securityfocus.com;
forensics@securityfocus.com; JKruser; Pedro Miller Rabinovitch; 'Ferris,
Thomas M'
Subject: RE: New worm? 'readme.eml'

Another handy trick is to take cmd.exe, tftp.exe, ftp.exe (and a whole host
of others -- does anyone have an authoritative list?) out of
winnt\system32, and put them somewhere else, like c:\foo\bar, and ACL the
snot out of it, without using the local 'administrators' group. Make a
group, called 'bob' for instance, and put your local admin acct(s), and any
one else who should have to have access to these (on a webserver, that
should be a short list). This way the 'LocalSystem' account does not have
access to these tools - if it even finds them in the 1st place.

Hope this helps.

--D

Duane Waddle
waddle1@us.ibm.com
"With sufficient thrust, pigs fly just fine..." -- RFC1925

From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
Sent: 09/18/01 04:33 PM
To: "'Ferris, Thomas M'" <Thomas.Ferris@nmci-isf.com>; JKruser <jkruser@adelphia.net>; Pedro Miller Rabinovitch <pedro@cipher.com.br>; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

There are a few things that you can do to mitigate risk:

1) Patch. Then patch again. This will keep out most of the nasties most of
the time.

2) Configure your firewall to inspect http if possible and drop on common
strings such as */cmd.exe*, *root.exe*, *.dll*, etc. This keeps most of the
known and surely nasties away from your web server.

3) Ensure that router ACLs and firewall rules are configured correctly to
drop un-established requests from your web servers to the internet. In the
event that numbers one and two both fail (not very likely in a case like
this), your server will be hosed, but at least you won't pollute the rest of
the world with the worm.

Hardly comprehensive, but it's a start!

Keith
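The log-side view of Keith's points 2 and 3, written as an added example for this thread (it is not code from any of the posters): a small Python script that applies Keith's three firewall globs to IIS W3C log records, additionally flags any request that names one of the system32 tools in Guy's list, and scans a firewall connection log for the "un-established" outbound flows that point 3 says a web server should never open. The log formats, the client and server addresses, the web server address 10.0.0.20 and the subset of tool names are all constructed for the example. It goes one step beyond Keith's text in that it percent-decodes, lowercases and folds backslashes in the URI before matching, because a literal string match on the wire misses encoded or upper-cased spellings of the same path.

```python
"""Added example: detection for the mitigations discussed in the thread.
Constructed log data throughout; nothing here is from a real server."""
from __future__ import annotations

import fnmatch
import urllib.parse

# Keith's suggested firewall patterns, as shell-style globs.
KEITH_PATTERNS = ["*/cmd.exe*", "*root.exe*", "*.dll*"]

# Subset of Guy's system32 list. Very short names (at.exe, net.exe, ...) are
# left out on purpose: as substrings they match too much (e.g. "format.exe").
TOOL_WATCHLIST = {
    "cmd.exe", "command.com", "tftp.exe", "ftp.exe", "wscript.exe",
    "cscript.exe", "cacls.exe", "regedit.exe", "debug.exe", "rexec.exe",
}

# Constructed IIS W3C extended log (not a real capture).
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 16:01:02 10.0.0.5 GET /index.htm - 200
2001-09-18 16:01:07 198.51.100.7 GET /scripts/root.exe - 404
2001-09-18 16:01:09 198.51.100.7 GET /Scripts%2fCMD.EXE - 200
2001-09-18 16:01:11 203.0.113.4 GET /scripts/app.dll - 200
2001-09-18 16:01:15 10.0.0.5 GET /images/logo.gif - 200
"""

# Constructed firewall connection log: date time proto src:port dst:port flags
SAMPLE_FW_LOG = """\
2001-09-18 16:02:01 TCP 198.51.100.7:3312 10.0.0.20:80 SYN
2001-09-18 16:02:03 TCP 10.0.0.20:80 198.51.100.7:3312 SYN-ACK
2001-09-18 16:02:09 TCP 10.0.0.20:1044 203.0.113.8:80 SYN
2001-09-18 16:02:10 UDP 10.0.0.20:1045 203.0.113.8:69 -
"""
WEB_SERVERS = {"10.0.0.20"}        # assumed address of the web server
INTERNAL_PREFIXES = ("10.",)       # assumed internal address space


def normalize_uri(uri: str) -> str:
    """Decode percent-encoding twice (covers double-encoded input), lowercase,
    and fold backslashes to slashes so the globs see one canonical spelling."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(uri))
    return decoded.lower().replace("\\", "/")


def classify_request(uri_stem: str, uri_query: str) -> list[str]:
    """Return the reasons a request matches: Keith's globs first, then any
    watchlisted tool name found anywhere in the normalized path or query."""
    raw = uri_stem if uri_query == "-" else f"{uri_stem}?{uri_query}"
    target = normalize_uri(raw)
    reasons = [p for p in KEITH_PATTERNS if fnmatch.fnmatchcase(target, p)]
    reasons += [f"tool:{t}" for t in sorted(TOOL_WATCHLIST) if t in target]
    return reasons


def parse_w3c(text: str):
    """Yield one dict per record of a W3C extended log, using its #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def scan_iis_log(text: str) -> list[tuple[str, str, list[str]]]:
    """(client ip, raw uri stem, reasons) for every request that matched."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


def unestablished_egress(text: str) -> list[str]:
    """Keith's point 3: flag every packet that opens a new flow from a web
    server to a non-internal address (TCP SYN without ACK, or any UDP)."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, proto, src, dst, flags = line.split()
        src_ip, dst_ip = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
        if src_ip not in WEB_SERVERS or dst_ip.startswith(INTERNAL_PREFIXES):
            continue
        if proto == "UDP" or flags == "SYN":
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for client, uri, why in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"{client:15} {uri:30} {', '.join(why)}")
    for line in unestablished_egress(SAMPLE_FW_LOG):
        print("EGRESS:", line)
```

Two things the sample output makes visible: the `*.dll*` rule fires on the constructed `/scripts/app.dll` as readily as on anything hostile, so on a server that legitimately serves ISAPI extensions it should be narrowed or paired with an allow-list; and the `SYN-ACK` reply from the web server is correctly left alone, since point 3 is about flows the server originates, not responses to inbound connections.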

-----Original Message-----
From: Ferris, Thomas M [mailto:Thomas.Ferris@nmci-isf.com]
Sent: Tuesday, September 18, 2001 1:52 PM
To: JKruser; Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

What would be a good solution for this, or is there an exact plan of
attack to defend against this?

Thanks in Advance.

================
Thomas M. Ferris
IA - Incident Response
NMCI San Diego NOC
================

-----Original Message-----
From: JKruser [mailto:jkruser@adelphia.net]
Sent: Tuesday, September 18, 2001 10:07
To: Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

I also see a very serious possibility of this worm interacting with the
still prevalent sircam virus. Nimda, when it infects, opens share drives on
the infected PC...Sircam will scan for open shares on an internal network or
cable subnet and infect the remote PC without user interaction. This could
effectively increase the spread of sircam exponentially and, due to the
remailing capability of sircam, could shut down mail servers in a short
period of time.

I have not verified this possibility but it sounds feasible.

Claymore
the unprofound


