EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2006-2-3 21:26

[Repost] BlackWorm Summary

Original link: [url]http://isc.sans.org/diary.php?storyid=1067[/url]
About BlackWorm

Over the last week, "Blackworm" infected about 300,000 systems, based on analysis of logs from the counter web site the worm uses to track itself. This worm is different from, and more serious than, other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up-to-date anti-virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti-virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, that anti-virus software obviously can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti-virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this URL to link to this page: [url]http://isc.sans.org/blackworm[/url]
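To find out which files on a recovered disk were hit by the February 3rd payload, here is an added Python triage scanner (not ISC/SANS code) that walks a directory for the listed file types and flags those whose content starts with the error string above. It assumes the worm leaves the marker at the start of the overwritten file, and it builds its own constructed sample tree so it runs stand-alone.

```python
"""Triage scanner for BlackWorm's destructive payload: list the targeted
file types whose content has been replaced by the worm's error string.
Added example, not ISC/SANS code. Assumption: the overwritten file begins
with the marker text (the page does not say what, if anything, follows)."""
import os
import tempfile
from pathlib import Path

# File types the diary says the worm overwrites.
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}
# The error message the worm writes over the file contents.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path: Path) -> bool:
    """True when `path` is a targeted type and its first bytes are the marker.
    Only the first len(MARKER) bytes are read, so large intact files are cheap."""
    if path.suffix.lower() not in TARGET_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        head = fh.read(len(MARKER))
    return head == MARKER


def triage(root) -> dict:
    """Walk `root` and sort every targeted-type file into 'hit' or 'intact'.
    Paths are reported relative to `root` so the result is easy to diff."""
    hit, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TARGET_EXTENSIONS:
                continue           # .txt and friends are not in the worm's list
            rel = str(p.relative_to(root))
            (hit if is_overwritten(p) else intact).append(rel)
    return {"hit": sorted(hit), "intact": sorted(intact)}


def build_sample_tree() -> str:
    """Create a constructed directory: one trashed document, two intact
    targeted files, and a non-targeted file that happens to hold the marker."""
    root = Path(tempfile.mkdtemp(prefix="blackworm-triage-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.doc").write_bytes(MARKER)                    # hit
    (root / "docs" / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 64)  # OLE header, intact
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\0" * 32)        # intact
    (root / "notes.txt").write_bytes(MARKER)                              # ignored type
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = triage(sample_root)
    print("overwritten:", result["hit"])
    print("intact     :", result["intact"])
```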
Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as Blackmal, Nyxem, MyWife and Tearec, among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org ([url]http://cme.mitre.org/[/url]) should shortly list this number.
How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
What will BlackWorm do to my system?

It will disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Removal

Anti-virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal ([url]http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm[/url]). However, there are two important reasons to rebuild "from scratch":

1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Anti-virus software will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
Snort Signatures

Joe Stewart (Lurhq.com) provided the following Snort signatures based on his analysis of the worm (for up-to-date rules, see bleedingsnort.org: [url]http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Nyxem?rev=1.5&only_with_tag=HEAD&view=markup[/url]).

1. This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referer: header in their request. Could be an infected user, could be one of us checking out the counter stats:

#by Joe Stewart at LURHQ, tweaks by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
  (msg:"BLEEDING-EDGE VIRUS webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm/Nyxem infection)"; \
  content:"GET /cgi-bin/Count.cgi?"; depth:23; content:"df="; within:20; \
  content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; \
  classtype:misc-activity; sid:2002788; rev:2;)

2. This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-Agent: header. So this will catch BlackWorm and possibly other automated requests to Microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
  (msg:"BLEEDING-EDGE VIRUS Agentless HTTP request to www.microsoft.com (possible BlackWorm/Nyxem infection)"; \
  dsize:92; \
  content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; \
  classtype:misc-activity; sid:2002789; rev:1;)

3. These signatures detect the payload of Nyxem_D aka CME-24. The same sig is swapped for outbound vs. inbound detection. (Robert Danford)

#Submitted 2006-01-17 by Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 \
  (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP inbound"; \
  flow:established,to_server; content:"YmVnaW4gNjY0I"; \
  content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; \
  classtype:trojan-activity; \
  reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; \
  sid:2002779; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
  (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP outbound"; \
  flow:established,to_server; content:"YmVnaW4gNjY0I"; \
  content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; \
  classtype:trojan-activity; \
  reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; \
  sid:2002778; rev:1;)
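As an added example (not part of the ISC diary or the Bleeding Snort rule set), the following Python implements just the Snort content modifiers these three rules use (depth, distance, within, negated content and dsize) and runs the rules over constructed sample payloads, so you can see exactly which bytes each signature keys on. The request bodies, the counter parameters and the uuencode header are constructed for the demonstration, not captured traffic.

```python
"""Snort-lite matcher for the three BlackWorm/Nyxem rules above.
Added example: not Bleeding Snort or ISC code. It implements only the
content modifiers those rules use (depth, distance, within, negation, dsize)."""
import base64
import re


def snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, hex pairs
    inside |...| are raw bytes, e.g. 'Host|3a 20|x' -> b'Host: x'."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9a-fA-F ]*)\|)?", spec):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


# Each rule: an exact payload size (dsize) or None, plus content checks in
# rule order. A check is (content spec, negated?, modifiers).
RULES = {
    "count.cgi-no-referer": {"dsize": None, "contents": [
        ("GET /cgi-bin/Count.cgi?", False, {"depth": 23}),
        ("df=", False, {"within": 20}),
        ("Host|3a 20|webstats.web.rcn.net", False, {}),
        ("Referer|3a|", True, {}),
    ]},
    "agentless-ms-probe": {"dsize": 92, "contents": [
        ("GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|"
         "Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|", False, {}),
    ]},
    "nyxem-smtp-payload": {"dsize": None, "contents": [
        ("YmVnaW4gNjY0I", False, {}),
        ("ICAgICAgICAgICAgICAgICAgICAgICA", False, {"distance": 31, "within": 31}),
    ]},
}


def rule_matches(rule: dict, payload: bytes) -> bool:
    """Evaluate the checks in order, tracking Snort's cursor (end of last match)."""
    if rule["dsize"] is not None and len(payload) != rule["dsize"]:
        return False
    cursor = 0
    for spec, negated, mods in rule["contents"]:
        pat = snort_content(spec)
        if "distance" in mods or "within" in mods:
            # Relative search: begin `distance` bytes past the previous match;
            # the whole pattern must sit inside the next `within` bytes.
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        else:
            # Absolute search from the payload start, limited by `depth`.
            start, end = 0, mods.get("depth", len(payload))
        pos = payload.find(pat, start, end)
        if (pos == -1) != negated:   # missing when required, or present when forbidden
            return False
        if not negated:
            cursor = pos + len(pat)
    return True


def scan(payload: bytes) -> list:
    """Return the names of all rules that fire on one TCP payload."""
    return [name for name, rule in RULES.items() if rule_matches(rule, payload)]


# Constructed sample payloads (not captured traffic).
COUNTER_HIT = (b"GET /cgi-bin/Count.cgi?df=example.dat&dd=C HTTP/1.1\r\n"
               b"Host: webstats.web.rcn.net\r\n\r\n")
COUNTER_HIT_WITH_REFERER = COUNTER_HIT[:-2] + b"Referer: http://example.invalid/\r\n\r\n"
MS_PROBE = (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
            b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
# One 76-char base64 MIME line. Its 57 source bytes are a space-padded
# uuencode 'begin 664' header: the rule's first pattern is base64 of
# 'begin 664 ' and the second is base64 of a run of spaces, 31 chars later.
UU_HEADER = b"begin 664 photo.zip".ljust(56) + b"\r"
SMTP_LINE = base64.b64encode(UU_HEADER) + b"\r\n"

if __name__ == "__main__":
    for label, payload in [("counter hit, no Referer", COUNTER_HIT),
                           ("counter hit from a browser", COUNTER_HIT_WITH_REFERER),
                           ("92-byte microsoft.com probe", MS_PROBE),
                           ("base64 SMTP line", SMTP_LINE)]:
        print(f"{label}: {scan(payload)}")
```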
Initial days

The worm did hit a counter on the web as noted above. We took those logs, removed the attempted DoS attack from them, and plotted both total hits per hour (blue line) and the first hit from each IP address per hour (red line). It's interesting to note the spread had slowed before the DoS attack on the counter had started.

[attach]3469[/attach] (graph originally at http://www.section66.com/handlers/blackworml.png; the format of the x axis is date.hour)
Credits

We would like to thank the members of the TISF BlackWorm task force for analysis and coordination.

The task force emerged from the MWP/DA groups and is now known as the TISF BlackWorm task force. It involves many in the security community and industry (anti-spam, CERTs, anti-virus, academia, ISPs, etc.), working together to combat threats to the security of the Internet in cooperation with law enforcement globally.
Links

Update: [url]http://www.lurhq.com/blackworm.html[/url]
www.f-secure.com: [url]http://www.f-secure.com/v-descs/nyxem_e.shtml[/url]
[url]http://blogs.securiteam.com[/url]
Symantec: [url]http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html[/url]
Trend Micro: [url]http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GREW.A[/url]
Update: Excellent stats from LURHQ: [url]http://www.lurhq.com/blackworm-stats.html[/url]

Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture, and multiple infections are likely.

BlackWorm FAQ
Q. What is CME-24?
A. A mass-mailing worm with a destructive payload. Please see <[url]http://cme.mitre.org/data/list.html#24[/url]> for pointers to anti-virus vendor descriptions and analyses relating to this malware.

Q. I hear about new viruses all the time -- what makes this one a "big deal"?
A. This destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter.

Files which may be deleted by the malware include files ending with the extension DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP or ZIP.

Another factor that potentially makes this virus particularly noteworthy is that it has seen broad distribution, with the estimated number of infected machines in the hundreds of thousands. <[url]http://www.lurhq.com/blackworm-stats.html[/url]>

Another factor that potentially makes this virus noteworthy is its self-defense mechanism. It closes windows if the caption has any of the following strings in it: SYMANTEC, SCAN, KASPERSKY, VIRUS, MCAFEE, TREND MICRO, NORTON, REMOVAL or FIX. So many anti-virus programs, scanners etc. cannot be updated or used on a system that is infected with CME-24.

Q. You refer to this virus/worm as CME-24 -- that's not what *my* antivirus vendor calls it. What other names does CME-24 use?
A.
Vendor        Malware Name
Authentium    W32/Kapser.A@mm
AntiVir       Worm/KillAV.GR
Avast!        Win32:VB-CD [Wrm]
AVG           Worm/Generic.FX
BitDefender   Win32.Worm.P2P.ABM
ClamAV        Worm.VB-8
Command       W32/Kapser.A@mm (exact)
Dr Web        Win32.HLLM.Generic.391
eSafe         Win32.VB.bi
eTrust-INO    Win32/Blackmal.F!Worm
eTrust-VET    Win32/Blackmal.F
Ewido         Worm.VB.bi
F-Prot        W32/Kapser.A@mm (exact)
F-Secure      Email-Worm.Win32.Nyxem.e
Fortinet      W32/Grew.A!wm
Ikarus        Email-Worm.Win32.VB.BI
Kaspersky     Email-Worm.Win32.Nyxem.e
McAfee        W32/MyWife.d@MM
Nod32         Win32/VB.NEI worm
Norman        W32/Small.KI (W32/Small.KI@mm)
Panda         W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal     I-Worm.Nyxem.e
Sophos        W32/Nyxem-D
Symantec      W32.Blackmal.E@mm
Trend Micro   WORM_GREW.A (Worm_BLUEWORM.E)
VBA32         Email-Worm.Win32.VB.b
VirusBuster   Worm.P2P.VB.CIL
(source: AV-Test.org)

Q. What is CME?
A. [url]http://cme.mitre.org/[/url] CME provides single, common identifiers for new virus threats to reduce public confusion during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.

Q. How do people get infected with CME-24?
A. Known methods of infection include infected email attachments and network shares; however, other mechanisms are also possible.

While some areas of the world appear to be more prone to infection than others, it appears that infected systems may be found in virtually all countries.

Q. What should I do to protect myself from getting infected with CME-24?
A. There are a number of things you can do:

Email attachments can contain viruses.
If your Internet Service Provider provides an email scanning service, subscribe to it.
Do not open attachments without first verifying that a trusted sender intentionally sent it to you, by asking them if they sent you an attachment.
Scan email attachments before opening them.
Do not open emails that claim to have naughty content. This is a common trick used by email-based viruses.

Backup your system!
You should be routinely making backups of your system. If you've been putting it off, do it now. Backups will be a foundation that will help you recover if your system does get infected. Backups are the most reliable way to recover your data in the event of any data corruption event, virus, malware, or hardware failure.

Note that your backup should be taken to non-rewritable media and/or stored offline. If you do not make your backup to non-rewritable or offline media, then depending on the format you use, your backups might be at risk from the malware's destructive payload. This is particularly true if you currently back up important files into a zipped archive, use mirrored hard drives, or use file shares: none of those will protect you from the destructive potential of this worm.

On new systems, create recovery CDs. Many systems sold today do not come with recovery CDs; the person purchasing the system is expected to create them. Consult the manufacturer's documentation for details.

Ensure that you have anti-virus software installed, and that you have up-to-date anti-virus definitions covering this particular malware. Do a full system scan and confirm that you are not infected with CME-24 or other malware. If you are infected, seek professional assistance to fix the problem at once.

Do not unnecessarily share or mount shareable filesystems. Filesystems should never be made available via weak or non-existent passwords.

Q. Help, I think I have been infected with CME-24. What should I do now?
A. If you have anti-virus software installed, verify that it is up to date. Check with your anti-virus vendor if you are unsure of how to do this. If you had anti-virus software that you believe was disabled by CME-24, you may have to uninstall it before re-installing it.

If you do not have anti-virus software installed, there are several anti-virus products that offer free or trial tools.

AV-Test.org maintains a list of antivirus products: <[url]http://www.av-test.org/sites/links.php3?lang=en&extra=viren&sort=1[/url]>, and West Coast Labs at <[url]http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=2[/url]>, and ICSA at <[url]https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk[/url]>.

Some of these vendors offer free online scans as well. Be aware that online scanners usually require ActiveX or Java to be enabled, may take a long time, and probably require admin privileges. Online scanners also do not provide any long-term protection against reinfection.

If you've already been infected, you should seek professional help to deal with that infection at once. Failure to deal with this malware prior to the 3rd day of the month can result in data loss.

Q. Some very important file was trashed by the worm. I really need to get the information that was in that file. I don't have a clean backup. What can I do? Can I get back at least part of that file?
A. Possibly; some file recovery tools might recover all or part of the missing data. A data recovery service may be able to assist.

Q. Why would someone do something so tremendously stupid and destructive?
A. Unless the author comes out and tells us, we may never know why.

Q. I run Windows Media Center Edition, Mac OS X, Linux, have a Treo, etc. Is my system at risk? Or is this just a Windows XP thing?
A. This virus only affects Windows operating systems. It affects nearly every version of Windows.
From: <[url]http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm&view=en-us[/url]>
Windows NT 3.x/4.0, 95, 2000, XP, Server 2003, ME and 98 are all potentially affected.

NETWORK ADMINISTRATORS PORTION

Q. I'm a mail server administrator. How can I protect my customers from CME-24 and other malware?
A. There are several things you may want to do:

You may want to run a server-side anti-virus program, or software to strip or defang potentially dangerous attachments. Under Unix, ClamAV <[url]http://www.clamav.net/[/url]> is one example of a free anti-virus program that you can run on your mail server; Procmail Email Sanitizer <[url]http://www.impsec.org/email-tools/procmail-security.html[/url]> is an example of a program that you can run to remove or defang potentially hostile attachments. Under Windows there are several email-scanning anti-virus programs available.

You should also endeavor to accept, process and resolve notifications you may receive about infected customers. Confirm that you have a working abuse@ address, a working postmaster@ address, and current whois contact information for your domain(s). See <[url]http://www.faqs.org/rfcs/rfc2142.html[/url]> for clarification.

If you have netblock(s) that have been assigned to you via SWIP or whois, or an autonomous system number (ASN), please make sure that you have current abuse reporting contact information defined in whois for those resources as well.

If you operate an intrusion detection system, consider running the Bleeding Snort rules that may help you to identify potentially infected customers. <[url]http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Nyxem#rev1.6[/url]>

Educate your customers about effective security practices.
Site-license an anti-virus product and distribute it to your customers.
Encourage customers to routinely apply patches.
Encourage customers to use a software and/or hardware firewall.
Encourage customers to routinely back up their systems.
Where terms of service and applicable law permit, scan customer systems for vulnerabilities and ensure that customers get fixed or removed from the network.

This document was prepared by the TISF BlackWorm task force, which includes many elements of the security communities, including: anti-spam groups, CERTs, anti-virus teams, academia, law enforcement, and ISPs.

The TISF BlackWorm task force would like to thank all the contributors to this FAQ, including members of the DA/MWP groups and the Internet Storm Center handlers.

Original can be found at: <[url]http://isc.sans.org/blackworm[/url]>

© 1999-2008 EvilOctal Security Team