In article <3B604483.8FF611EFat_private> [26 Jul 01]
Meritt James <meritt_jamesat_private> wrote:

> In your opinion, would putting a c:\notworm file on a system (while
> performing all the appropriate patches,...) be a stopgap to
> prevent the worm infection on a system? (NOT do anything about the
> vulnerability, of course, but just as a temp dam against that
> particular infection)

Yes, I would believe so.

After reviewing the worm code from the eEye analysis again and reading up on the CreateFile API call, I do believe that the c:\notworm file is NOT created by the worm. If the worm checks for its existence, it can only be a "vaccine" for certain sites -> it's a safeguard not to "go off" on the developer's machine or on "friendly" machines.

Robinton
--
There is only one way to the lungs, and it must be tarred.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 09:24:42 PDT