The Nimda worm deposits many files, some of which are hidden in different
directories on the infected server. The worm plants itself in the root of
any available drive as the file admin.dll. Other filenames for the worm
include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL,
MEP*.TMP.EXE, cmd.exe, tftp.exe, MAPI.DLL, system.ini, and .eml files.
All executables on the system should be checked due to the chance of
modifications.
Happy trapping.
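A cleanup aid for the file list above, added here as an example and not part of the original post: it walks a drive (or any directory tree) and flags files whose names match the ones Nimda drops, matching case-insensitively and honouring the MEP*.TMP.EXE glob. Names that also exist legitimately on Windows (cmd.exe, tftp.exe, system.ini) are reported as "verify" rather than "suspect", with a SHA-256 so the operator can compare against a known-good copy. The sample tree it builds is constructed dummy data; the function names are mine.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile

# Names the post lists as dropped by the worm (compared against the lowercased filename).
NIMDA_DROPPED = (
    "admin.dll", "load.exe", "mmc.exe", "readme.exe", "riched20.dll",
    "mep*.tmp.exe", "mapi.dll", "*.eml",
)
# Also listed, but these exist on a clean Windows install too: a hit means "compare the hash".
LEGITIMATE_NAMES = ("cmd.exe", "tftp.exe", "system.ini")


def classify_name(name):
    """Return 'suspect', 'verify' or None for a bare filename."""
    low = name.lower()
    if any(fnmatch.fnmatchcase(low, pat) for pat in NIMDA_DROPPED):
        return "suspect"
    if low in LEGITIMATE_NAMES:
        return "verify"
    return None


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and return sorted (verdict, relative path, sha256) tuples for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify_name(name)
            if verdict:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((verdict, rel, sha256(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for an infected drive root; the file contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="nimda-scan-")
    layout = {
        "ADMIN.DLL": b"dummy, not a worm body",
        "inetpub/wwwroot/readme.eml": b"dummy MIME sample",
        "WINNT/system32/cmd.exe": b"stand-in for the real binary",
        "temp/MEP12A4.TMP.EXE": b"dummy",
        "docs/notes.txt": b"harmless",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for verdict, rel, digest in scan_tree(root):
            print(f"{verdict:8} {rel}  sha256={digest[:16]}...")
    finally:
        remove_sample_tree(root)
```

Run it against the real drive root instead of the sample tree to get the list; "verify" entries are not evidence on their own, since the worm's copies carry the same names as the genuine system files.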
On Mon, 24 Sep 2001, Ask Bjoern Hansen wrote:
> On 19 Sep 2001, Vivek Khera wrote:
>
> > NT> http://www.torkington.com/vermicide.txt has a mod_perl handler to
> > NT> catch the requests as soon as they arrive, and discard them with a
> > NT> minimum of work to Apache. If your web server is struggling under the
> > NT> load, this might help.
> >
> > Why waste your mod_perl back-end's resources? Do it in your front end
> > reverse-proxy server with mod_rewrite:
> >
> > # trap CodeRed and send them away!
> > <Location /default.ida>
> > RewriteEngine On
> > RewriteRule /default.ida http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp [last]
> > </Location>
> > # trap exploits of code-red compromised systems.
> > <Files "*.exe">
> > RewriteEngine On
> > RewriteRule . http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp [last]
> > </Files>
> >
> > I'm sure the *.exe match should use a different URL inside microsoft,
> > but what the heck... I had limited info when I set this up yesterday
> > afternoon.
>
> I don't believe that the worms follow redirects. And what would the
> point be anyway? Overload Microsoft's servers if we all could get
> the worms to go there?
>
> The above seems like way too much work; I seem to be getting
> away with the following here:
>
> # Nimda requests
> RewriteCond %{HTTP_HOST} ^www$
> RewriteRule . / [F,L]
> RewriteRule ^/default.ida / [F,L]
>
> (I put the above in the reverse proxy to "shield" the real thing
> from the requests on the sites where it matters, like one where I
> get a mail for each 404; it got really old really fast with this
> Nimda crap.)
>
> Of course it doesn't work if you ever access the host as "www"
> without the domain...
>
>
> - ask
>
> --
> ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
> more than a billion impressions per week, http://valueclick.com
>
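To see what the rewrite rules quoted in this thread would actually catch before putting them on a proxy, here is an added example (mine, not from the list or from either poster) that replays the same three matches over access-log lines: Host header exactly "www", a path beginning with /default.ida, and any path ending in .exe. The log format it parses is an assumed custom LogFormat with the Host header first (`%{Host}i %h %t "%r" %>s`), and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed log format for this example: Host header, client, time, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})$'
)

# Each entry mirrors one of the mod_rewrite rules quoted above.
RULES = (
    # RewriteCond %{HTTP_HOST} ^www$  followed by  RewriteRule . / [F,L]
    ("host-www", lambda host, path: host.lower() == "www"),
    # RewriteRule ^/default.ida / [F,L]   (the CodeRed probe)
    ("default.ida", lambda host, path: path.startswith("/default.ida")),
    # <Files "*.exe"> RewriteRule .   (requests for the executables the worm drops)
    ("exe", lambda host, path: path.lower().endswith(".exe")),
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
www.example.com 192.0.2.10 [24/Sep/2001:10:00:01 +0200] "GET /index.html HTTP/1.0" 200
www 192.0.2.20 [24/Sep/2001:10:00:02 +0200] "GET /scripts/cmd.exe HTTP/1.0" 404
www.example.com 192.0.2.30 [24/Sep/2001:10:00:03 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404
www.example.com 192.0.2.40 [24/Sep/2001:10:00:04 +0200] "GET /downloads/setup.exe HTTP/1.0" 200
www 192.0.2.50 [24/Sep/2001:10:00:05 +0200] "GET / HTTP/1.0" 200
this line is not a log entry
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # mod_rewrite matches the path, not the query
    return rec


def match_rules(host, path):
    """Names of every rule that would fire for this request."""
    return [name for name, pred in RULES if pred(host, path)]


def filter_log(text):
    """Split a log into requests the rules would have served (kept) and refused (blocked)."""
    result = {"kept": [], "blocked": [], "malformed": 0, "hits": Counter()}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            result["malformed"] += 1
            continue
        rules = match_rules(rec["host"], rec["path"])
        if rules:
            result["blocked"].append((rec["client"], rec["path"], rules))
            result["hits"].update(rules)
        else:
            result["kept"].append((rec["client"], rec["path"]))
    return result


if __name__ == "__main__":
    r = filter_log(SAMPLE_LOG)
    for client, path, rules in r["blocked"]:
        print(f"403 {client} {path}  <- {','.join(rules)}")
    print("rule hit counts:", dict(r["hits"]), "malformed:", r["malformed"])
```

The two lines it blocks that are not worm traffic are the point of running it first: /downloads/setup.exe shows that a blanket *.exe match also refuses legitimate downloads, and the bare "GET /" with Host "www" is the short-name case Ask mentions, which the host condition cannot tell apart from a worm probe.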