Nimda Poison Pill
From: Blaine Kubesh (bkubesh@cisco.com) Date: 09/19/01
- Previous message: Lists: "RE: nimda tries to send mail after reboot"
- Next in thread: Thor@HammerofGod.com: "Re: Nimda Poison Pill"
- Reply: Thor@HammerofGod.com: "Re: Nimda Poison Pill"
Message-Id: <200109191932.ADU20501@3rdclass.cisco.com> Date: Wed, 19 Sep 2001 14:26:17 -0500 (CDT) From: Blaine Kubesh <bkubesh@cisco.com> Subject: Nimda Poison Pill To: incidents@securityfocus.com
After disassembling readme.exe and stepping through execution, it is
possible to make Nimda think it is already loaded and quit.
If a named Mutex is already created with name "fsdhqherwqi2001", the virus
will exit, preventing activation and further infection. This was tested in
one configuration and works. I don't see any reason why it would not work
with the other launch methods.
A quick program can be written to create this mutex, however it needs to be
re-run after each reboot of the system. It is also important that the mutex
is created before Nimda can activate. This might come in handy for systems
that cannot be easily patched and are prone to reinfection.
-BK
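As an added illustration of the inoculation described in the post (this is not code from the original message or its author), the following PowerShell script creates and holds the named mutex so that a later Nimda launch sees it and exits. The mutex name is the one given above; the script, its parameter and its messages are assumptions. Note that on Windows versions with per-session object namespaces a bare name like this one is session-local, so the holding process must run in the same session the worm would launch in.

```powershell
# Added example (not from the original post): hold the named mutex so that a
# Nimda instance started later finds it already present and quits.
# Assumes the bare mutex name "fsdhqherwqi2001" exactly as stated in the post.
param(
    [string]$MutexName = "fsdhqherwqi2001"
)

$createdNew = $false
# Request initial ownership; $createdNew reports whether the name already existed.
$mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)

if (-not $createdNew) {
    # The name is already taken: either the worm is already active on this host
    # or another copy of this script is running. Do not assume the host is
    # protected; report and exit so the operator can check the process list.
    Write-Warning "Mutex '$MutexName' already exists; Nimda may already be active. Exiting."
    $mutex.Dispose()
    exit 1
}

Write-Host "Holding mutex '$MutexName'. Leave this process running; re-run after every reboot."
try {
    # The mutex exists only while this process holds the handle, so block here.
    while ($true) { Start-Sleep -Seconds 3600 }
}
finally {
    $mutex.ReleaseMutex()
    $mutex.Dispose()
}
```

Run one copy per machine before any infection vector can fire (for example from a startup task), and treat a non-zero exit as a signal to inspect the host rather than as protection.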
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com