blob: 4646da83cf28a1ec1dbb3d939c8fa20e75598bb6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
While this article is specific to the Nimda worm,
the information can be applied to preventing the spread
of many Win32 viruses. Thanks to the Samba Users Group of Japan
(SUGJ) for this article.
===============================================================================
Steps against Nimba Worm for Samba
Author: HASEGAWA Yosuke
Translator: TAKAHASHI Motonobu <monyo@samba.gr.jp>
The information in this article applies to
Samba 2.0.x
Samba 2.2.x
Windows 95/98/Me/NT/2000
SYMPTOMS
This article describes measures against Nimba Worm for Samba
server.
DESCRIPTION
Nimba Worm is infected through shared disks on a network, as well as through
Microsoft IIS, Internet Explorer and mailer of Outlook series.
At this time, the worm copies itself by the name *.nws and *.eml on
the shared disk, moreover, by the name of Riched20.dll in the folder
where *.doc file is included.
To prevent infection through the shared disk offered by Samba, set
up as follows:
-----
[global]
...
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/
-----
By setting the "veto files" parameter, matched files on the Samba
server are completely hidden from the clients and making it impossible
to access them at all.
In addition to it, the following setting is also pointed out by the
samba-jp:09448 thread: when the
"readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" file exists on
a Samba server, it is visible only as "readme.txt" and dangerous
code may be executed if this file is double-clicked.
Setting the following,
-----
veto files = /*.{*}/
-----
any files having CLSID in its file extension will be inaccessible from any
clients.
This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.
|
