Nimba

From: Brian Murphy (bem9127@yahoo.com)
Date: 09/25/01


Message-ID: <20010925154259.26919.qmail@web12805.mail.yahoo.com>
Date: Tue, 25 Sep 2001 08:42:59 -0700 (PDT)
From: Brian Murphy <bem9127@yahoo.com>
Subject: Nimba 
To: focus-ms@securityfocus.com, focus-virus@securityfocus.com, bmurphy@carterbloodcare.org

Sorry guys. I apologize for the late responses but
I had to shut down email and internet access due to the
Nimda virus. I believe we were able to defeat the
virus over the weekend but I wanted to get everyone's
feedback on our resolution.

It is known that the virus spreads via the Win9x
clients using the "load.exe" executable appended to
the system.ini file.

To combat this we simply created an ACL list using
"config.pol" for the Default users. This ACL includes
any *.exe file we have determined is acceptable (this
was a big list). It took approximately two days to
debug the machines and come up with a good working
list. However, this prevents unwanted exe files
(load.exe, readme.exe, install.exe, setup.exe) from
running on the client PCs.

Next, we took advantage of the Sophos utility that can
be downloaded from their website. We modified the
login scripts to modify the "dosstart.bat". Example:

IF NOT EXIST C:\VIRREM\Swnimda.exe MKDIR C:\VIRREM
IF NOT EXIST C:\VIRREM\Swnimda.exe copy \\servername\public$\vu\swnimda.exe c:\virrem
copy \\servername\public\vu\dosstart.bat c:\windows

Then... all the client has to do is click on START -
Shutdown - Restart in DOS Mode. By modifying the
dosstart.bat the swnimda utility will auto start.

On the email side we modified the filter to include
readme.exe and load.exe. We are filtering *.exe but
added this filter just to be safe.

Hope this helps.
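The system.ini change mentioned above (load.exe chained onto the [boot] shell= line, which on an infected Win9x box reads "shell=explorer.exe load.exe -dontrunold") can be checked for with a small script. This is an added defender-side example, not code from the post or from Sophos; the INI samples are constructed and the allow-list mirrors the post's "only known-good .exe" approach.

```python
"""Check a Win9x system.ini for extra executables chained onto [boot] shell=.

Added example (not from the original post). ALLOWED_SHELL is an assumed
allow-list: on a stock Win9x client only explorer.exe should be launched
as the shell.
"""

ALLOWED_SHELL = {"explorer.exe"}


def parse_ini(text):
    """Return {section: {key: value}} with lowercased section and key names.

    system.ini is simple enough that a hand-rolled parser is safer than
    configparser here: duplicate keys just overwrite, comments start with ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def shell_programs(ini_text):
    """List every .exe named on the [boot] shell= line, lowercased, in order."""
    boot = parse_ini(ini_text).get("boot", {})
    tokens = boot.get("shell", "").split()
    return [t.lower() for t in tokens if t.lower().endswith(".exe")]


def unexpected_shell_programs(ini_text, allowed=ALLOWED_SHELL):
    """Executables on the shell= line that are not on the allow-list."""
    return [p for p in shell_programs(ini_text) if p not in allowed]


# Constructed samples: a clean client and one carrying the Nimda shell= change.
CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\n"
INFECTED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"

if __name__ == "__main__":
    for name, ini in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(name, unexpected_shell_programs(ini))
```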
