Security Incidents mailing list archives
RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update
From: "George Milliken" <gmilliken () farm9 com>
Date: Wed, 19 Sep 2001 06:59:10 -0700
Maybe something like a rewrite rule:

    RewriteEngine On
    # "-" leaves the URL untouched; F returns 403 Forbidden, L stops rewriting
    RewriteRule ^.*/cmd\.exe.* - [F,L]
    RewriteRule ^.*/root\.exe.* - [F,L]

This will send "forbidden" to systems trying those URLs and will stop rewrite processing.
-----Original Message-----
From: George Milliken [mailto:gmilliken () farm9 com]
Sent: Tuesday, September 18, 2001 7:03 PM
To: Soc () Farm9 Com
Subject: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update

Silva?

-----Original Message-----
From: Homer Wilson Smith [mailto:homer () lightlink com]
Sent: Tuesday, September 18, 2001 5:06 PM
To: Brian Pomeroy
Cc: Olle Segerdahl; incidents () securityfocus com
Subject: Re: Concept Virus(CV) V.5 - Quick analysis update

If anyone has the proper entries in the apache 1.3.20 config file to block the gets to Admin.dll, root.exe and cmd.exe, I would appreciate knowing about them. Been playing with <FilesMatch> and <DirectoryMatch> but they only seem to work IF the directory path actually exists on the machine. We are being swamped here.

Homer

------------------------------------------------------------------------
Homer Wilson Smith, Art Matrix - Lightlink, (607) 277-0959, Internet Access, Ithaca NY, homer () lightlink com, http://www.lightlink.com
Clean Air, Clear Water, A Green Earth and Peace. Is that too much to ask?

On Tue, 18 Sep 2001, Brian Pomeroy wrote:

This morning I received an e-mail with the subject line "elvis presley - amazing grace" from asportal () microsoft com and containing an attachment named read.exe. I am suspecting this could be related.

Brian Pomeroy
e-Transformation/e-Medicine Center
The Children's Hospital of Philadelphia
Philadelphia, PA USA
http://www.chop.edu/
pomeroy () email chop edu || lunar () voicenet com

----- Original Message -----
From: "Olle Segerdahl" <olle () defcom com>
To: <bugtraq () securityfocus com>; <incidents () securityfocus com>
Sent: Tuesday, September 18, 2001 11:58 AM
Subject: Concept Virus(CV) V.5 - Quick analysis update

More infection routes:

The worm, upon infecting a new host, goes through all the shared directories and their subdirectories and plants the following files in each dir:

    sample.nws
    sample.eml
    desktop.eml
    desktop.nws

which are eml messages with copies of itself ("readme.exe") autoloaded by an html script tag, and riched20.dll, which is a trojan dll version of itself, probably designed to infect people running notepad/wordpad in that dir.

It also infects htm/html/asp files all over the system with a <SCRIPT> tag appendage that links to a readme.eml file in the current directory, thus infecting more webservers and even the windows helpsystem and the IE "friendly" error messages.

The worm puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format.....

So in short: This thing spreads via fileserver shares and also infects all web content files it sees, it's EVIL.

/olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
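Homer asks above for Apache 1.3 entries that block requests for Admin.dll, root.exe and cmd.exe even when no such path exists on disk, and Olle describes the files the worm drops on shares and the <SCRIPT> tag it appends to web content. The script below is an added example, not code from this thread or from any of its authors. It applies a URL-path filter of the kind George's RewriteRule expresses to an access log, and walks a directory tree for the dropped file names and the injected tag. The log lines, the sample share layout and the sample script body are constructed for the demonstration; PROBE_RE, INJECT_RE and the helper names are mine and are not taken from the thread.

```python
"""Nimda triage helpers (added example; all sample data is constructed).
1. spot requests for the probed files in an Apache access log, matching
   the way a RewriteRule or <LocationMatch> pattern would;
2. walk a share for the dropped files and the injected <SCRIPT> tag."""
import os
import re
import tempfile
from urllib.parse import unquote, urlsplit

# Names from Homer's question.  The lookahead pins the name to the end of a
# path component, so /downloads/cmd.exe.txt is not a hit.  re.I because the
# targets are case-insensitive IIS paths (mod_rewrite's [NC] flag).
PROBE_RE = re.compile(r"/(cmd\.exe|root\.exe|admin\.dll)(?=$|[/?])", re.I)

# Common Log Format: host ident authuser [date] "method uri proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_probe(uri):
    """True if the request path names one of the probed executables.

    Apache applies RewriteRule and <LocationMatch> patterns to the %-decoded
    URL path, so decode first; otherwise an encoded form such as
    /scripts/..%5c../winnt/system32/cmd.exe slips past the filter.
    The query string is ignored, as mod_rewrite ignores it in the pattern.
    """
    path = urlsplit(uri).path
    return bool(PROBE_RE.search(unquote(path)))


def scan_access_log(lines):
    """Return (client, uri, status) for every probe; skip unparseable lines."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and is_probe(m.group("uri")):
            hits.append((m.group("host"), m.group("uri"), int(m.group("status"))))
    return hits


# Names from Olle's analysis.  mmc.exe is left out on purpose: the worm
# replaces a legitimate Windows binary of that name, so a name match alone
# proves nothing there; compare a hash instead.
DROPPED = {"sample.nws", "sample.eml", "desktop.nws", "desktop.eml",
           "readme.eml", "readme.exe", "riched20.dll"}
# A <SCRIPT> block whose body refers to readme.eml (the appended tag).
INJECT_RE = re.compile(r"<script\b[^>]*>[^<]*readme\.eml[^<]*</script>", re.I)
WEB_EXT = (".htm", ".html", ".asp")


def scan_tree(root):
    """Walk root; return (dropped worm files, web pages carrying the tag)."""
    dropped, injected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in DROPPED:
                dropped.append(full)
            elif name.lower().endswith(WEB_EXT):
                with open(full, "rb") as fh:
                    if INJECT_RE.search(fh.read().decode("latin-1")):
                        injected.append(full)
    return sorted(dropped), sorted(injected)


# Constructed access-log lines: GETs for root.exe, cmd.exe and Admin.dll of
# the shape the thread describes, plus two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:13:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:13:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '192.0.2.10 - - [18/Sep/2001:13:02:13 -0400] "GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 300',
    '192.0.2.10 - - [18/Sep/2001:13:02:14 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 268',
    '198.51.100.7 - - [18/Sep/2001:13:05:00 -0400] "GET /index.html HTTP/1.1" 200 1530',
    '198.51.100.7 - - [18/Sep/2001:13:05:01 -0400] "GET /downloads/cmd.exe.txt HTTP/1.1" 200 20',
]


def build_sample_share():
    """Create a constructed share layout resembling Olle's description."""
    root = tempfile.mkdtemp(prefix="nimda-demo-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("sample.eml", "desktop.nws", "riched20.dll"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"placeholder")
    with open(os.path.join(docs, "index.html"), "w") as fh:  # infected page
        fh.write('<p>site</p>\n<script language="JavaScript">'
                 'window.open("readme.eml")</script>\n')
    with open(os.path.join(docs, "clean.html"), "w") as fh:  # untouched page
        fh.write("<p>no script here</p>\n")
    return root


if __name__ == "__main__":
    for client, uri, status in scan_access_log(SAMPLE_LOG):
        print(f"probe from {client}: {uri} -> {status}")
    dropped, injected = scan_tree(build_sample_share())
    print("dropped:", dropped)
    print("injected:", injected)
```

Apache matches RewriteRule patterns and <LocationMatch> sections against the %-decoded request URI, not against the filesystem, which is why the script decodes before matching and why a URI-based directive works where <FilesMatch> and <DirectoryMatch> did not: in Apache 1.3 the same filter can be written as a <LocationMatch "/(cmd\.exe|root\.exe|Admin\.dll)"> section containing "Order deny,allow" and "Deny from all". PROBE_RE is deliberately stricter than the ^.*/cmd.exe.* pattern in the reply above: it anchors the file name, so a request for /downloads/cmd.exe.txt is reported as benign, and it matches case-insensitively, which in mod_rewrite would take the [NC] flag.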
Current thread:
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update George Milliken (Sep 19)
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update Michael Halls (Sep 19)
- RE: Nimda Apache RedirectMatch results David Leitko (Sep 19)
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update Michael Halls (Sep 19)