Re: code red - c:\notworm

From: Soeren Ziehe (robintonat_private)
Date: Sun Jul 29 2001 - 08:00:00 PDT


    In article <3B604483.8FF611EFat_private> [26 Jul 01]
       Meritt James  <meritt_jamesat_private> wrote:
    
    > In your opinion, would putting a c:\notworm file on a system (while
    > performing all the appropriate patches,...) be a stopgap to
    > prevent the worm infection on a system?  (NOT do anything about the
    > vulnerability, of course, but just as a temp dam against that
    > particular infection)
    
    Yes, I would believe so.
    
    After reviewing the worm code from the eEye analysis again and reading
    up on the CreateFile API call I do believe that the c:\notworm file is  
    NOT created by the worm.
    
    If the worm checks for its existence, it can only be a "vaccine" for  
    certain sites -> it's a safeguard not to "go off" on the developer's
    machine or on "friendly" machines.
    
    Robinton
    
    -- 
    Only one road leads to the lung, and it has to be tarred.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


