Author Topic: Nimda killer  (Read 1798 times)

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
Nimda killer
« on: September 19, 2001, 06:38:51 AM »
This filter will block the download from webpages infected with this worm:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "Nimda-Killer: Kill Nimda worm infection (Out)"
URL = "*readme.eml"
Replace = "\k"

Best wishes
Arne
Imici username: Arne

Arne

Nimda killer
« Reply #1 on: September 19, 2001, 09:25:16 PM »
This filter, together with the protecting filter above, will give you an alert message that the Nimda script is on the visited site:

[Patterns]
Name = "Nimda Alert"
Active = TRUE
Bounds = "<script*readme.eml*/script>"
Limit = 2048
Match = "<script*>\1</script>"
Replace = "<script>
"
            "xXx=unescape('$ESC(\1)');
"
            "alert('NIMDA WORM?\n'+xXx);"
            "</script>
"

Best wishes
Arne
Imici username: Arne

Arne

Nimda killer
« Reply #2 on: September 19, 2001, 09:27:01 PM »
You can also protect yourself by putting this line in your block list file:
*readme.eml/


Best wishes
Arne
Imici username: Arne

Arne

Nimda killer
« Reply #3 on: September 26, 2001, 09:46:22 AM »
Here is another approach for filtering the same:

[Patterns]
Name = "P4 Nimda HTML filter"
Active = TRUE
Multi = TRUE
Bounds = "<script * /script>"
Limit = 1256
Match = "\1 ([a-z]+.|)open ( (\w.(eml|nws)$SET(0=**FIX** $SET(0=")|))\2 \3) \4"
Replace = "\1
 alert('Nimda attack blocked! \2\3')
\4"


Best wishes
Arne
Imici username: Arne
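The two ideas in this thread, refusing any request for a URL matching *readme.eml (first and third posts) and rewriting a script that calls open() on a .eml or .nws file into an alert (fourth post), as an added Python example. This is not code from the thread or from Proxomitron; it is a stand-alone imitation of what those filters do so the logic can be run and checked offline. The function names (should_block_request, filter_html) are my own, and the two HTML pages are constructed samples in the shape of the script fragment the filters match.

```python
"""Proxy-side Nimda filtering, modelled on the Proxomitron filters in this thread.

Two checks: (1) refuse outgoing requests whose URL matches *readme.eml, like the
header filter and the block-list line; (2) rewrite <script> blocks that call
something.open("<name>.eml"|"<name>.nws") into an alert, like the HTML filter.
All names here are illustrative; the sample pages are constructed for the demo.
"""
import re
from fnmatch import fnmatchcase
from typing import Tuple

# Glob taken from the thread's URL match. fnmatch's '*' spans '/' like Proxomitron's.
BLOCKED_URL_GLOBS = ("*readme.eml",)

# Whole <script ...>...</script> elements, tag included.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Mirrors the thread's pattern: optional "something.", then open(, then a quoted file
# name ending in .eml or .nws. The match stops at the closing quote so that any further
# arguments (Nimda's window-position string) are left untouched.
OPEN_RE = re.compile(
    r"""(?:[A-Za-z_]\w*\s*\.\s*)?open\s*\(\s*(['"])([^'"]*\w\.(?:eml|nws))\1""",
    re.IGNORECASE,
)


def should_block_request(url: str) -> bool:
    """True when the request URL names a readme.eml file (case-insensitive)."""
    u = url.lower()
    return any(fnmatchcase(u, g) for g in BLOCKED_URL_GLOBS)


def _defuse_call(m) -> str:
    # Swap "x.open("readme.eml"" for an alert that names the file. The remaining
    # arguments of the original call are kept, so the script still parses
    # (alert() ignores extra arguments).
    return 'alert("Nimda attack blocked! %s"' % m.group(2)


def filter_html(html: str) -> Tuple[str, int]:
    """Rewrite every open() call on a .eml/.nws file inside <script> blocks.

    Returns the rewritten HTML and the number of calls replaced.
    """
    hits = 0

    def fix_script(sm) -> str:
        nonlocal hits
        body, n = OPEN_RE.subn(_defuse_call, sm.group(0))
        hits += n
        return body

    return SCRIPT_RE.sub(fix_script, html), hits


# Constructed samples: a page carrying the script fragment the thread's filters target,
# and a benign page that also calls window.open() but on an ordinary file.
INFECTED_PAGE = (
    "<html><body><p>Company news</p></body>"
    '<script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)
CLEAN_PAGE = '<html><script>window.open("help.html", "help")</script></html>'


if __name__ == "__main__":
    for url in ("http://intranet.example/readme.eml", "http://intranet.example/index.html"):
        print(url, "BLOCK" if should_block_request(url) else "allow")
    page, hits = filter_html(INFECTED_PAGE)
    print(hits, "call(s) rewritten:", page)
```

The URL check deliberately matches only readme.eml, as the thread's filters do, while the script rewrite also catches .nws names as in the fourth post; a request for a .nws file reached by any route other than an injected script would pass the URL check, so both layers are worth keeping together, just as the second post suggests.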