While the 400 isn't necessarily affected by the virus, it most certainly can
be a "carrier" within the IFS.

The beta version of next release of PentaSafe's remote access (exit point)
management tool, RRM (Remote Request Management) has helped a beta customer
pinpoint infected remote PC IP addresses within their 3500+ clients (whom
they host apps for on their numerous AS/400s) and subsequently clean them
up!

Customer:

"Hey folks this RRM 7.0 has been extremely useful in tracking down an
infected remote PC IP propagating the Nimda virus".

I followed up to get more detail about how he used the product to do this...

"The Nimda Virus propagates infected PC objects to the IFS.  McAfee Virus
scans on the IFS identified the infected objects and where they resided.  By
displaying an infected object's attributes I could identify the following
information:

Object Owner
Last access date/time
Data change date/time
Attribute change date/time

I then corrected the folder's authority to prevent further propagation.
Once secured, I removed the object(s). This has proven to be successful in
limiting the virus to those folders that *PUBLIC needs *RWX rights on.

I then went to PentaSafe's RRM collected remote entries screen:

- On the User Column, I keyed the 'Object Owner' profile for User.
- I then chose to sort on the date/time column.
- I then viewed the objects for entries with the > sign (indicates a
specific object associated with the remote transaction).

Server   Func.    Cmd.     User          Network           Time Stamp
FILE     OPEN     W        RMTBANK47     101.252.438.55    2001/09/24.09:24 >


This displayed the full IFS paths that the user machine was attempting to
propagate the infected objects on. These object names matched the objects
identified by McAfee.

With the user profile and IP address identified, I then proceeded to contact
my clients and have them take action on the physical machine at their end."

Problem solved!

Steven Martinson
Product Marketing Manager, iSeries and AS/400
PentaSafe Security Technologies, Inc.
http://www.pentasafe.com
Toll Free: 1.888.400.2834, x9585
Direct Dial: 1.713.860.9585
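The correlation the customer describes above (an infected object's owner profile and IFS path matched against collected remote entries that carry the '>' object marker, yielding the writing host's IP) written out as an added Python example. This is not PentaSafe or RRM code; the scan findings, the entry lines and their field layout, the IP addresses and the five-minute tolerance window are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

RemoteEntry = namedtuple("RemoteEntry", "server func cmd user network stamp path")
# Constructed sample of what an IFS virus scan reports per infected object:
# (IFS path, object owner profile, data-change timestamp).
INFECTED_OBJECTS = [
    ("/home/shared/readme.eml", "RMTBANK47", "2001/09/24.09:24"),
    ("/home/shared/sample.exe", "RMTBANK47", "2001/09/24.09:31"),
    ("/qdls/docs/budget.doc", "ACCTUSER", "2001/09/20.14:02"),
]
# Constructed exit-point entries in the column layout of the RRM screen above;
# a trailing '> path' marks an entry tied to a specific object. IPs are
# documentation addresses, not the one in the message.
REMOTE_ENTRIES = [
    "FILE OPEN W RMTBANK47 192.0.2.47 2001/09/24.09:24 > /home/shared/readme.eml",
    "FILE OPEN W RMTBANK47 192.0.2.47 2001/09/24.09:32 > /home/shared/sample.exe",
    "FILE OPEN W RMTBANK47 192.0.2.47 2001/09/24.09:40",
    "FILE OPEN R ACCTUSER 198.51.100.12 2001/09/20.14:02 > /qdls/docs/budget.doc",
    "FILE OPEN W ACCTUSER 198.51.100.12 2001/09/25.08:10 > /qdls/docs/notes.txt",
]
# Assumed tolerance between the object's data-change time and the remote write.
WINDOW = timedelta(minutes=5)

def parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d.%H:%M")

def parse_entries(lines):
    """Keep only entries carrying the '>' object marker, as the customer did."""
    out = []
    for line in lines:
        head, marker, path = line.partition(" > ")
        if not marker:
            continue  # no object associated with this remote transaction
        server, func, cmd, user, network, stamp = head.split()
        out.append(RemoteEntry(server, func, cmd, user, network, parse_ts(stamp), path))
    return out

def suspect_hosts(infected, entries):
    """Map remote IP -> sorted infected paths written by the object's owner."""
    hits = {}
    for path, owner, changed in infected:
        changed = parse_ts(changed)
        for e in entries:
            if e.user != owner or e.path != path or e.cmd != "W":
                continue  # different profile, different object, or a read
            if abs(e.stamp - changed) > WINDOW:
                continue  # write too far from the data-change time
            hits.setdefault(e.network, set()).add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}
```

Each IP returned is a host whose user profile wrote an infected object at about the time the object's data changed, which is the list to hand to the client for cleanup on the physical machine.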



-----Original Message-----
From: thomas@inorbit.com [mailto:thomas@inorbit.com]
Sent: Thursday, October 04, 2001 10:07 PM
To: midrange-l@midrange.com
Subject: RE: NIMDA Virus - Anyone been affected by it ?


On Thu, 04 October 2001, "Joel R. Cochran" wrote:

> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 232
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 232
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
>  <etc., etc.>

I can't help but wonder what interesting results could come from creating
directories such as '/scripts' or '/d/winnt/system32' on an AS/400 and
populating them with objects named such as 'cmd.exe'. There's bound to be
replies you could generate and send to these requests that would confuse the
requester no end.

Tom Liotta

--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788
Fax  253-872-7904
http://www.400Security.com


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list