If anyone has the proper entries in the Apache 1.3.20 config file
to block the GETs to Admin.dll, root.exe and cmd.exe, I would appreciate
knowing about them.

Been playing with <FilesMatch> and <DirectoryMatch> but they
only seem to work IF the directory path actually exists on the machine.

We are being swamped here.

Homer

------------------------------------------------------------------------
Homer Wilson Smith   Clean Air, Clear Water,  Art Matrix - Lightlink
(607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
homerat_private      Is that too much to ask? http://www.lightlink.com

On Tue, 18 Sep 2001, Brian Pomeroy wrote:

> This morning I received an e-mail with the subject line "elvis presley -
> amazing grace" from asportalat_private and containing an attachment
> named read.exe. I am suspecting this could be related.
>
> Brian Pomeroy
> e-Transformation/e-Medicine Center
> The Children's Hospital of Philadelphia
> Philadelphia, PA USA
> http://www.chop.edu/
> pomeroyat_private || lunarat_private
>
> ----- Original Message -----
> From: "Olle Segerdahl" <olleat_private>
> To: <bugtraqat_private>; <incidentsat_private>
> Sent: Tuesday, September 18, 2001 11:58 AM
> Subject: Concept Virus(CV) V.5 - Quick analysis update
>
> > More infection routes:
> >
> > The worm, upon infecting a new host, goes through all the
> > shared directories and their subdirectories and plants the
> > following files in each dir:
> >
> > sample.nws
> > sample.eml
> > desktop.eml
> > desktop.nws
> >
> > which are eml messages with copies of itself ("readme.exe")
> > autoloaded by a html script tag,
> >
> > riched20.dll
> >
> > which is a trojan dll version of itself probably designed
> > to infect people running notepad/wordpad in that dir.
> >
> > It also infects htm/html/asp files all over the system with
> > a <SCRIPT> tag appendage that links to a readme.eml file in
> > the current directory, thus infecting more webservers and
> > even windows helpsystem and the IE "friendly" error messages.
> >
> > The worm puts a trojan mmc.exe in the winnt directory that
> > is a copy of itself in the above "readme.exe" format.....
> >
> > So in short: This thing spreads via fileserver shares and
> > also infects all web content files it sees, it's EVIL.
> >
> > /olle
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
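
Added example, not part of the original thread and not a configuration posted by any of its participants: `<LocationMatch>` is matched against the request URL rather than the filesystem, so it can refuse the three file names asked about above whether or not a matching path exists on disk. The log file paths, the `common` log format nickname and the `worm_probe` variable name are assumptions.

```apache
# httpd.conf fragment for Apache 1.3 (added example; the log paths, the
# "common" LogFormat nickname and the worm_probe variable name are
# assumptions, adjust them to the local configuration).

# <LocationMatch> is evaluated against the URL path, not against a file
# on disk, so the rule applies even when no such directory exists under
# DocumentRoot. Matching requests are answered with 403 Forbidden.
<LocationMatch "/(Admin\.dll|root\.exe|cmd\.exe)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Tag the same requests (mod_setenvif) so they can be logged separately.
SetEnvIfNoCase Request_URI "(Admin\.dll|root\.exe|cmd\.exe)" worm_probe

# These two lines replace the existing CustomLog line for the access log.
# Normal traffic stays in the main log; the probes go to their own file,
# which keeps a record of which hosts are scanning.
CustomLog logs/access_log common env=!worm_probe
CustomLog logs/worm_probe_log common env=worm_probe
```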
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 18:39:36 PDT