Date: Tue, 18 Sep 2001 16:35:54 -0500
From: Eric Anderson <anderson@centtech.com>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: NIMDA Virus
Message-ID: <3BA7BE3A.B7F26F0F@centtech.com>
References: <F143IQrttDRdNOUivlQ00013ed8@hotmail.com>
I must be stupid. How DO you go about doing that? I need to do that too..

Here is some info from a friend about the content of Nimda:

------------------------------------------------------
> There's a new worm hammering networks via email, via open shares,
> and via vulnerable web servers.
>
> Propagation via email can be stopped with:
>
> /etc/postfix/main.cf:
>     body_checks = regexp:/etc/postfix/body_checks
>
> /etc/postfix/body_checks:
>     /^[SPACE TAB]*name=.*\.exe/ REJECT
>
> Inside the [] are one space and one tab.
>
> This is also a reminder that Postfix needs decent MIME parsing
> support so it can filter this sort of malware more effectively.
>
>     Wietse
>
> The worm's MIME headers, with spaces inserted to avoid false alarms.
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e : m u l t i p a r t / a l t e r n a t i v e ;
> b o u n d a r y = " = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = "
>
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = =
> C o n t e n t - T y p e : t e x t / h t m l ;
> c h a r s e t = " i s o - 8 8 5 9 - 1 "
> C o n t e n t - T r a n s f e r - E n c o d i n g : q u o t e d - p r i n t a b l e
>
> < H T M L > < H E A D > < / H E A D > < B O D Y b g C o l o r = 3 D # f f f f f f >
> < i f r a m e s r c = 3 D c i d : E A 4 D M G B P 9 p h e i g h t = 3 D 0 w i d t h = 3 D 0 >
> < / i f r a m e > < / B O D Y > < / H T M L >
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = - -
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e : a u d i o / x - w a v ;
> n a m e = " r e a d m e . e x e "
> C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
> C o n t e n t - I D : < E A 4 D M G B P 9 p >

Derek O'Flynn wrote:
>
> Has anyone successfully written a rule for snort to alert to this?
>
> I'm currently running snort 1.8 with flex-resp.
>
> I would like to have a rule that identifies the attacks and then sends the
> tcp_rst command so that the worm can't infect new machines. I have the
> information for the rule, just need to know what to put in the content field
> to verify that it is nimda.
>
> Thanks,
> Derek O'Flynn
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-------------------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology    (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------
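The following is an added example, not part of the thread above and not Postfix or Snort code. It puts the quoted body_checks rule (`/^[SPACE TAB]*name=.*\.exe/ REJECT`) side by side with a MIME-aware check using Python's standard email parser, so a mail administrator can see what the line-oriented rule catches and where it fires on harmless mail, which is the point Wietse makes about Postfix needing real MIME parsing. Assumptions: the worm mail's outer Content-Type is multipart/mixed (the quoted headers start below it), the base64 executable is replaced by a short placeholder, and the HTML part carries a placeholder body rather than the worm's markup.

```python
"""Compare the quoted Postfix body_checks line rule with a MIME-aware check."""
from __future__ import annotations

import re
from email import message_from_string

# Python equivalent of the rule quoted in the thread:
#   /^[SPACE TAB]*name=.*\.exe/ REJECT
# Postfix regexp tables match case-insensitively by default, hence IGNORECASE.
BODY_CHECKS_RE = re.compile(r"^[ \t]*name=.*\.exe", re.IGNORECASE)


def body_checks_reject(raw_message: str) -> bool:
    """Apply the rule the way body_checks does: to each body line in isolation.

    Postfix of this era does not parse MIME, so the headers of every MIME part
    are just more body lines to it; the rule relies on exactly that.
    """
    _, _, body = raw_message.partition("\n\n")
    return any(BODY_CHECKS_RE.search(line) for line in body.splitlines())


def exe_attachment_names(raw_message: str) -> list[str]:
    """Structure-aware check: walk the parsed MIME tree, return .exe part names."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, then falls back
        # to the Content-Type name= parameter, which is what the worm mail sets.
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            found.append(name)
    return found


# Constructed sample 1: the MIME layout quoted in the thread (letter spacing
# removed), with placeholders instead of the HTML and base64 payloads.
# The outer multipart/mixed wrapper is an assumption; the quote omits it.
WORM_LIKE = """\
From: sender@example.com
To: recipient@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>placeholder</BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

UExBQ0VIT0xERVI=
--====_ABC1234567890DEF_====--
"""

# Constructed sample 2: a plain-text notice that merely mentions the worm.
# The line rule rejects it (false positive); the MIME-aware check does not.
PLAIN_TEXT = """\
From: admin@example.com
To: staff@example.com
Subject: worm notice

Do not open mail attachments of this form:
name="readme.exe"
"""


if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE), ("plain text", PLAIN_TEXT)):
        print(f"{label}: body_checks REJECT={body_checks_reject(sample)}, "
              f"exe parts={exe_attachment_names(sample)}")
```

Running it shows the line rule rejecting both samples while the parsed check reports `readme.exe` only for the MIME sample: the regexp stops the mail described in the thread, but it also bounces any message that happens to contain such a line in its text, which is the class of false alarm a MIME parser avoids.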
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BA7BE3A.B7F26F0F>