Security Incidents mailing list archives

Re: code red - c:\notworm


From: robinton () GMX de (Soeren Ziehe)
Date: 29 Jul 2001 16:00:00 +0100

In article <3B604483.8FF611EF () bah com> [26 Jul 01]
   Meritt James  <meritt_james () bah com> wrote:

> In your opinion, would putting a c:\notworm file on a system (while
> performing all the appropriate patches,...) be a stopgap to
> prevent the worm infection on a system?  (NOT do anything about the
> vulnerability, of course, but just as a temp dam against that
> particular infection)

Yes, I would believe so.

After reviewing the worm code from the eEye analysis again and reading
up on the CreateFile API call I do believe that the c:\notworm file is
NOT created by the worm.

If the worm checks for its existence, it can only be a "vaccine" for
certain sites -> it's a safeguard not to "go off" on the developer's
machine or on "friendly" machines.

Robinton

-- 
Only one path leads to the lungs, and it has to be tarred.


