Security Incidents mailing list archives
Re: code red - c:\notworm
From: robinton () GMX de (Soeren Ziehe)
Date: 29 Jul 2001 16:00:00 +0100
In article <3B604483.8FF611EF () bah com> [26 Jul 01] Meritt James <meritt_james () bah com> wrote:
In your opinion, would putting a c:\notworm file on a system (while performing all the appropriate patches,...) be a stopgap to prevent the worm infection on a system? (NOT do anything about the vulnerability, of course, but just as a temp dam against that particular infection)
Yes, I would believe so. After reviewing the worm code from the eEye analysis again and reading up on the CreateFile API call I do believe that the c:\notworm file is NOT created by the worm. If the worm checks for its existence, it can only be a "vaccine" for certain sites -> it's a safeguard not to "go off" on the developer's machine or on "friendly" machines.
Robinton
--
There is only one way to the lungs, and it has to be tarred.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- code red - c:\notworm Soeren Ziehe (Jul 26)
- Re: code red - c:\notworm Jon Zobrist (Jul 26)
- Re: code red - c:\notworm Soeren Ziehe (Jul 29)