RE: Nimba

From: Beauregard, Claude Q (CQBeauregard@aaamichigan.com)
Date: 09/25/01


Message-ID: <FFAA657EB698D311980900A0C9A80F8310C9BFDD@hob1s05.aaamich.net>
From: "Beauregard, Claude Q" <CQBeauregard@aaamichigan.com>
To: bmurphy@carterbloodcare.org, focus-ms@securityfocus.com, focus-virus@securityfocus.com
Subject: RE: Nimba 
Date: Tue, 25 Sep 2001 14:34:29 -0400

On a related matter, what products would be best used to help mitigate the
damage done by these types of worms? Finjan and eSafe SandboxII are two that
I can think of.

-----Original Message-----
From: Brian Murphy [mailto:bem9127@yahoo.com]
Sent: Tuesday, September 25, 2001 11:43 AM
To: focus-ms@securityfocus.com; focus-virus@securityfocus.com;
bmurphy@carterbloodcare.org
Subject: Nimba

Sorry guys. I apologize for the late responses, but
I had to shut down email and internet access due to the
Nimba virus. I believe we were able to defeat the
virus over the weekend, but I wanted to get everyone's
feedback on our resolution.

It is known that the virus spreads via the Win9x
clients using the "load.exe" executable appended to
the system.ini file.

To combat this we simply created an ACL list using
"config.pol" for the Default users. This ACL includes
any *.exe file we have determined is acceptable (this
was a big list). It took approximately two days to
debug the machines and come up with a good working
list. However, this prevents unwanted exe files
(load.exe, readme.exe, install.exe, setup.exe) from
running on the client PCs.

Next, we took advantage of the Sophos utility that can
be downloaded from their website. We modified the
login scripts to modify the "dosstart.bat". Example:

REM Stage the Sophos cleaner once per client, then refresh dosstart.bat every login
IF NOT EXIST C:\VIRREM\Swnimda.exe MKDIR C:\VIRREM
IF NOT EXIST C:\VIRREM\Swnimda.exe copy \\servername\public$\vu\swnimda.exe c:\virrem
copy \\servername\public\vu\dosstart.bat c:\windows

Then, all the client has to do is click on START -
Shutdown - Restart in DOS Mode. By modifying the
dosstart.bat, the swnimda utility will auto start.

On the email side we modified the filter to include
readme.exe and load.exe. We are filtering *.exe but
added this filter just to be safe.

Hope this helps.

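Added example, not code from either message in this thread: a small Python check for the system.ini change Brian's message describes (load.exe appended to the shell= entry under [boot]), usable to verify clients after the Sophos cleanup or to spot a re-infection. The two system.ini texts are constructed for the example; the infected one mirrors the load.exe entry the message mentions, with the "-dontrunold" switch as Nimda is documented to write it. That switch, the file names and the helper names are assumptions of the example, not something the thread states.

```python
"""Check a Win9x system.ini for a tampered [boot] shell= line.

Nimda, as described in the thread, appends load.exe to the shell= entry
in system.ini so that it runs at every boot. This reads the file text,
finds the [boot] section and reports any program other than explorer.exe
on that line. The sample files below are constructed for this example.
"""
import re

EXPECTED_SHELL = "explorer.exe"


def parse_sections(text):
    """Minimal INI parser. system.ini may carry duplicate keys and lines
    without '=', so configparser is avoided. Returns
    {section_name_lowercase: [(key_lowercase, value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def shell_findings(text):
    """Return a list of findings for the [boot] shell= line(s).
    An empty list means the line is clean (shell=explorer.exe or absent)."""
    findings = []
    for key, value in parse_sections(text).get("boot", []):
        if key != "shell":
            continue
        tokens = value.split()
        if not tokens or tokens[0].lower() != EXPECTED_SHELL:
            # The shell itself was replaced, not just extended.
            findings.append(f"shell replaced: {value!r}")
            continue
        extra = tokens[1:]
        if extra:
            # Anything after explorer.exe is launched at boot; Nimda puts
            # load.exe here.
            findings.append(
                f"extra program after {EXPECTED_SHELL}: {' '.join(extra)!r}")
    return findings


# Constructed sample files (not captured from a real client).
CLEAN = """[boot]
shell=Explorer.exe
[386Enh]
device=*vmouse
"""

INFECTED = """[boot]
shell=explorer.exe load.exe -dontrunold
[386Enh]
device=*vmouse
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, shell_findings(text) or "OK")
```

On a real client the check runs over the text of c:\windows\system.ini; the login script could copy that file to a share for central review, which is the kind of check that tells you whether the cleaner actually ran on a given PC.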