On Sun, 11 Nov 2001, Matt Jezorek wrote:

> From: Matt Jezorek <matt@bluelinux.org>
>
> Well I have ruled out my computer for Nimda, seems that it is still putting
> .eml files on my server without Samba shares mapped, don't know what else to
> do on it.

Here is some of the info I found =>

From: Thomas Biege <thomas@suse.de>
To: <bugtraq@securityfocus.com>
Subject: SuSE Security Announcement: wmaker/WindowMaker (SuSE-SA:2001:032

IIS webservers and uploads a file called "readme.eml" which is being
downloaded by the client's browser. Some versions of the Internet Explorer
even execute this file without the user's knowledge.
A temporary workaround for sites that use a squid proxy to access the
internet would be to add these three lines to the /etc/squid.conf file:

--------------

Date: Tue, 18 Sep 2001 18:49:43 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
X-Sender: <da@mail>
To: <bugtraq@securityfocus.com>
Subject: Nimda Worm

Once it finds a vulnerable IIS server, it installs itself in such a way
that visitors to the now-infected web site will be sent a copy of a .eml
file, which is a copy of the e-mail that gets sent. If the victim is using
Internet Explorer as their browser, and they are vulnerable to the hole,
they will execute the readme.exe attachment in the same way as if they had
viewed an infected e-mail message.

Also, look at SecurityFocus Newsletter #111

David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
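An added example, not part of the original message or of the quoted advisories: for a site behind a Squid proxy like the one the SuSE text mentions, this scans the proxy's access log for clients that requested a .eml file and separates those that actually received one from those the proxy refused. It assumes Squid's native access.log format; the log lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1000857001.120    245 192.168.1.10 TCP_MISS/200 4312 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1000857001.480    310 192.168.1.10 TCP_MISS/200 79225 GET http://www.example.com/readme.eml - DIRECT/192.0.2.10 message/rfc822
1000857050.002     12 192.168.1.22 TCP_DENIED/403 1052 GET http://www.example.org/docs/README.EML - NONE/- text/html
1000857090.771    198 192.168.1.31 TCP_MISS/200 2210 GET http://www.example.net/mail.html?f=readme.eml - DIRECT/192.0.2.20 text/html
this line is truncated
"""


def eml_fetches(log_text):
    """Map client IP -> list of (epoch_seconds, squid_action, url) for .eml requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        ts, _elapsed, client, action, _size, _method, url = fields[:7]
        try:
            # Match on the URL path only, so a query string that merely
            # mentions ".eml" is not reported.
            if not urlsplit(url).path.lower().endswith(".eml"):
                continue
            when = int(float(ts))
        except ValueError:
            continue  # unparsable URL or timestamp
        hits[client].append((when, action, url))
    return dict(hits)


def delivered(hits):
    """Clients that were served an .eml body, i.e. not refused by the proxy."""
    return sorted(
        client for client, rows in hits.items()
        if any(not action.startswith("TCP_DENIED") for _, action, _ in rows)
    )


if __name__ == "__main__":
    found = eml_fetches(SAMPLE_LOG)
    for client, rows in sorted(found.items()):
        for when, action, url in rows:
            print(client, when, action, url)
    print("served an .eml file:", delivered(found))
```

Clients listed by `delivered()` are the ones whose browsers downloaded the file and are worth checking first; `TCP_DENIED` rows show a proxy block doing its job.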