RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update

["George Milliken" <gmilliken () farm9 com>]

Maybe something like a rewrite rule

RewriteEngine   On
RewriteRule     ^.*/cmd.exe.*   [FL]
RewriteRule     ^.*/root.exe.*  [FL]

This will send "forbidden" to systems trying those URLs and will stop
rewrite processing.


> -----Original Message-----
> From: George Milliken [mailto:gmilliken () farm9 com]
> Sent: Tuesday, September 18, 2001 7:03 PM
> To: Soc () Farm9 Com
> Subject: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update
>
>
> Silva?
>
> -----Original Message-----
> From: Homer Wilson Smith [mailto:homer () lightlink com]
> Sent: Tuesday, September 18, 2001 5:06 PM
> To: Brian Pomeroy
> Cc: Olle Segerdahl; incidents () securityfocus com
> Subject: Re: Concept Virus(CV) V.5 - Quick analysis update
>
>
>
>     If any one has the proper entries in the apache 1.3.20
> config file to block the gets to Admin.dll, root.exe and cmd.exe,
> I would appreciate knowing about them.  Been playing with
> <FilesMatch> and <DirectoryMatch> but they only seem to work
> IF the directory path actually exists on the machine.
>
>     We are being swamped here.
>
>     Homer
>
> ------------------------------------------------------------------------
> Homer Wilson Smith   Clean Air, Clear Water,  Art Matrix - Lightlink
> (607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
> homer () lightlink com  Is that too much to ask? http://www.lightlink.com
>
> On Tue, 18 Sep 2001, Brian Pomeroy wrote:
>
> > This morning I received an e-mail with the subject line "elvis presley -
> > amazing grace" from asportal () microsoft com and containing an attachment
> > named read.exe.  I am suspecting this could be related.
> >
> > Brian Pomeroy
> > e-Transformation/e-Medicine Center
> > The Children's Hospital of Philadelphia
> > Philadelphia, PA USA
> > http://www.chop.edu/
> > pomeroy () email chop edu || lunar () voicenet com
> >
> >
> >
> > ----- Original Message -----
> > From: "Olle Segerdahl" <olle () defcom com>
> > To: <bugtraq () securityfocus com>; <incidents () securityfocus com>
> > Sent: Tuesday, September 18, 2001 11:58 AM
> > Subject: Concept Virus(CV) V.5 - Quick analysis update
> >
> >
> > > More infectation routes:
> > >
> > > The worm, upon infecting a new host, goes through all the
> > > shared directories and their subdirecories and plants the
> > > following files in each dir:
> > >
> > > sample.nws
> > > sample.eml
> > > desktop.eml
> > > desktop.nws
> > >
> > > which are eml messages with copies of itself ("readme.exe")
> > > autoloaded by a html script tag,
> > >
> > > riched20.dll
> > >
> > > which is a trojan dll version of itself probably designed
> > > to infect people running notepad/wordpad in that dir.
> > >
> > >
> > > It also infects htm/html/asp files all over the system with
> > > a <SCRIPT> tag appendage that links to a readme.eml file in
> > > the current directory, thus infecting more webservers and
> > > even windows helpsystem and the IE "freindly" error messages.
> > >
> > > The worm puts a trojan mmc.exe in the winnt directory that
> > > is a copy of itself in the above "readme.exe" format.....
> > >
> > > So in short: This thing spreads vi fileserver shares and
> > > also infects all web content files it sees, it's EVIL.
> > >
> > > /olle
> --------------------------------------------------------------------------
> > --
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> --------------------------------------------------------------------------
> --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com