I have no means of testing this, but if Blaine's suggestion works, this should do it. This simple executable will instantiate a mutex handle called 'fsdhqherwqi2001' and wait for you to hit q to quit. It would be interesting to know if this actually works. I originally named it mutex.ex_, but was given the finger by both servers. It is now a password protected zip file. Password is "zip." It should run on any win32. Standard user assumption of risk disclaimers apply.

Later.

---------------------------------
Attonbitus Deus
rm -rf /bin/laden

----- Original Message -----
From: "Blaine Kubesh" <bkubeshat_private>
To: <incidentsat_private>
Cc: <NTBUGTRAQat_private>
Sent: Wednesday, September 19, 2001 12:26 PM
Subject: Nimda Poison Pill

> After disassembling readme.exe and stepping through execution, it is
> possible to make Nimda think it is already loaded and quit.
>
> If a named Mutex is already created with name "fsdhqherwqi2001", the virus
> will exit, preventing activation and further infection. This was tested in
> one configuration and works. I don't see any reason why it would not work
> with the other launch methods.
>
> A quick program can be written to create this mutex, however it needs to be
> re-run after each reboot of the system. It is also important that the mutex
> is created before Nimda can activate. This might come in handy for systems
> that cannot be easily patched and are prone to reinfection.
>
> -BK
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
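A PowerShell version of the inoculator described in this thread, added here as an example rather than the executable from the original post; it assumes Windows PowerShell 5.1 or later and uses only the mutex name quoted in Blaine's message, with the function name and messages being my own.

```powershell
# Added example, not the executable from the original post.
# Holds a named mutex "fsdhqherwqi2001" (the name quoted above) so a copy of
# Nimda that checks for it exits instead of activating. Assumptions: Windows
# PowerShell 5.1+; the bare (session-local) name is the one the worm checks.
# Caveats from the thread: the mutex must exist before the worm runs, and it
# disappears at reboot, so this script has to be started again each time.

$MutexName = 'fsdhqherwqi2001'

function Start-NimdaPoisonPill {
    param([string]$Name)

    $createdNew = $false
    # $true = request initial ownership; $createdNew reports whether the name
    # was free. If it was not, something in this session (the worm, or another
    # copy of this script) already created that name, which is worth checking.
    $mutex = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Warning "Mutex '$Name' already exists in this session; not taking it over. Check which process created it."
        $mutex.Dispose()
        return $false
    }

    Write-Host "Holding mutex '$Name'. Press q to release it and quit."
    try {
        while ($true) {
            $key = [Console]::ReadKey($true)
            if ($key.KeyChar -eq 'q') { break }
        }
    }
    finally {
        # Release and close the handle on the way out; once the handle is
        # gone the name is free again and the protection ends.
        $mutex.ReleaseMutex()
        $mutex.Dispose()
    }
    return $true
}

Start-NimdaPoisonPill -Name $MutexName
```

The script must stay running (and be started at every logon or boot) for the name to remain taken; a warning on start-up means the name was already present in that session and should be investigated before assuming the host is clean.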
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:58:01 PDT