>> Interestingly, the content type from www.wininternals.com (aka 207.30.43.69,
>> aka underconstruction.infoback.net) is application/octet-stream. The
>> content type on www.digimind.fr is correct at "message/rfc822."

If you have a Raptor firewall, you can disable web browsing based on MIME
types, which _might_ stop users with vulnerable IEs from downloading the
worm. Create an "httpmime" file in your sg/ directory containing each type
to block.

I took the 409 IP addresses that hit me from the Internet today with
cmd.exe and ran this against them (where $name is the IP):

    wget -O /dev/null --spider -t1 -T5 http://$name/readme.eml

I've only probed about 200 of them so far, and many of the IPs refused the
connections or timed out. The ones that did serve me the worm reported
these MIME types:

    % egrep '^Length' wget.out | sort | uniq -c
          1 Length: 57,891 [application/octet-stream]
         14 Length: 79,225 [application/octet-stream]
         76 Length: 79,225 [message/rfc822]

The odd host with the 57,891-byte readme.eml was 206.65.244.24 in case
someone wants to investigate a possible variant.

ps - how do I adjust wget's connection timeout? The only timeout values
seem to be read (download) times.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 20 2001 - 11:57:36 PDT
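The probe-and-tally procedure in the post above, reconstructed in Python as an added example (this is not code from the original post or from the SecurityFocus list). It HEAD-requests /readme.eml on each target with a timeout that also bounds the TCP connect (http.client hands it to socket.create_connection), records status, Content-Type and Content-Length, tallies the (length, type) pairs the way the egrep | sort | uniq -c pipeline does, and flags combinations seen on only one host as candidate variants. The targets are throwaway HTTP servers started inline on 127.0.0.1 with dummy bodies of the two sizes reported in the post, plus one deliberately closed port to exercise the refused-connection path; no real hosts are contacted and no worm content is involved. The probe/tally/outliers function names and the dummy server set-up are this example's own.

```python
import http.client
import socket
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(body, ctype):
    """Build a request handler that serves one fixed body with one Content-Type."""
    class Handler(BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(200)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()

        def do_GET(self):
            self.do_HEAD()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def probe(host, port, path="/readme.eml", timeout=5.0):
    """HEAD-request path on host:port.

    Returns (status, content_type, length) on an HTTP reply, or
    ("error", exception_name) when the connect/read fails. The timeout is
    applied to the connect as well as to reads, which is the knob the
    post's -T option alone does not give you.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        length = int(resp.getheader("Content-Length") or 0)
        return (resp.status, resp.getheader("Content-Type"), length)
    except (OSError, http.client.HTTPException) as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


def tally(results):
    """Count (length, content_type) pairs for hosts that served the file.

    Failed probes are counted separately by exception name, mirroring the
    'refused or timed out' bucket in the post.
    """
    served, errors = Counter(), Counter()
    for r in results:
        if r[0] == "error":
            errors[r[1]] += 1
        elif r[0] == 200:
            served[(r[2], r[1])] += 1
    return served, errors


def outliers(served):
    """(length, type) combinations seen on exactly one host: worth a closer look."""
    return sorted(key for key, n in served.items() if n == 1)


def run_demo():
    """Stand up constructed local targets, probe them, and return the tally."""
    # Constructed stand-ins for the three observed (length, type) combinations,
    # with how many probes should land on each. Bodies are filler, not worm data.
    variants = [
        (b"X" * 79225, "message/rfc822", 3),
        (b"X" * 79225, "application/octet-stream", 2),
        (b"X" * 57891, "application/octet-stream", 1),
    ]
    servers, targets = [], []
    for body, ctype, copies in variants:
        srv = HTTPServer(("127.0.0.1", 0), make_handler(body, ctype))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
        targets += [srv.server_address] * copies

    # One closed port so the refused-connection path is exercised too.
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    closed_port = s.getsockname()[1]
    s.close()
    targets.append(("127.0.0.1", closed_port))

    results = [probe(host, port, timeout=2.0) for host, port in targets]
    for srv in servers:
        srv.shutdown()
        srv.server_close()
    return tally(results)


if __name__ == "__main__":
    served, errors = run_demo()
    for (length, ctype), n in sorted(served.items()):
        print(f"{n:4d} Length: {length:,} [{ctype}]")
    print("failed probes:", dict(errors))
    print("single-host variants:", outliers(served))
```

Against real targets you would replace the constructed server list with the 409 IPs and a longer timeout; keep the HEAD rather than GET so the probe never pulls the payload onto the probing box.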