Security Incidents mailing list archives

Re: Which worm is it?


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 25 Sep 2000 01:26:22 -0700

On Fri, 22 Sep 2000, Joe McAlerney wrote:

Has anyone nailed this one down?  Fortunately we are not infected by the
worm, but unfortunately that makes it harder to analyze.


You always have the option of letting in a copy if you want to play
honeypot.  Of course, this makes me think of how I might go about making
such a honeypot without actually getting a machine nailed...  I think you
could throw up a *nix box running Samba in a chroot jail with a copy of a
Windows C drive on it.  That way, the worm comes along, and sees what it
thinks is a world-writable C drive, and does its business.  However, the
file wouldn't get out of the jail (and the *nix box isn't going to
interpret the VBScript or run a Windows .exe anyway.)

                                        Ryan
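
One way to see what was written to such a decoy share, as an added example that is not part of the original post: hash the copied C drive before exposing it, then diff against a later snapshot. The function names, file names and contents below are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links out of the decoy tree
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests

def diff_snapshots(before, after):
    """Return files added, modified and deleted since the baseline."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }

def demo():
    """Constructed sample: a tiny decoy tree, then simulated writes to it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "WINDOWS"))
        with open(os.path.join(share, "WINDOWS", "WIN.INI"), "w") as fh:
            fh.write("[windows]\n")
        with open(os.path.join(share, "AUTOEXEC.BAT"), "w") as fh:
            fh.write("@echo off\n")
        baseline = snapshot(share)  # taken before the share is exposed
        # Simulated remote writes (placeholder names and contents).
        with open(os.path.join(share, "WINDOWS", "WIN.INI"), "a") as fh:
            fh.write("placeholder=changed\n")
        with open(os.path.join(share, "WINDOWS", "DROPPED.BIN"), "wb") as fh:
            fh.write(b"constructed sample bytes")
        os.remove(os.path.join(share, "AUTOEXEC.BAT"))
        return diff_snapshots(baseline, snapshot(share))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline outside the exported tree so nothing writing to the share can alter it.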

