Nimda Worm

• Previous message (by thread): Worm leveling off RE: Worm impact - September 18 2001
• Next message (by thread): Online DB of IPs for Nimda worm infected machines
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

One of the spread methods has to do with retrieving a file called
"readme.eml" from the infected web servers.  Adding this to my Cisco
HBAR code red config seems to at least keep my customers from becoming
infected using that method.

class-map match-any http-hacks
  .. code red stuff..
   match protocol http url "*readme.eml"

Can anyone confirm exactly what filenames the email spread version uses?

-- 

Mike Jackson <mhjack at tscnet.com>
Vice-President
TSCNet, Inc.

Phone: 360-308-0205
Fax: 360-698-7789
http://www.tscnet.com

• Previous message (by thread): Worm leveling off RE: Worm impact - September 18 2001
• Next message (by thread): Online DB of IPs for Nimda worm infected machines
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]