Blocking Code Red and Nimda - Code Blue with Volera Excelerator

(Last modified: 29Oct2003)

This document (10080772) is provided subject to the disclaimer at the end of this document.

goal

Blocking Code Red and Nimda - Code Blue with Volera Excelerator

fact

Novell Volera Excelerator

fix

The following filters can be added to Excelerator 2.x software to block Code Blue or Nimda and Code Red worms. 
 
Please note that while these commands are written for the telnet / command line interface, you can also enter the same filter overrides from the browser-based management tool via the Cache Panel, Filtering tab, Override list, Insert.  Enter the URLs referenced below, and set "Allow" to Never.
 
add filter override=http://*/readme.eml
add filter override=http://*/scripts/root.exe
add filter override=http://*/msadc/root.exe
add filter override=http://*/*/winnt/system32/cmd.exe
add filter override=http://*/msadc/..*/winnt/system32/cmd.exe
add filter override=http://*/default.ida
apply

The first five filters are for the Code Blue - W32/Nimda - Concept Virus (CV) v.5 worm.  The last filter is for Code Red.
 
NOTE:  The filter override function only applies to the Client Accelerator (forward proxy), but not to the Web Server Accelerator(s).  This means that while filter overrides can prevent local machines from infecting through the Client Accelerator (i.e. infecting external systems), they cannot prevent propagation of the worm through Web Server Accelerators.  The security fixes still need to be applied to the web servers.  Configuring an accelerator to require authentication will also block these worms from propagating, as they will be unable to authenticate.
 
Please see the CERT advisory at http://www.cert.org/advisories/CA-2001-26.html and http://www.cert.org/advisories/CA-2001-19.html for more information regarding the worms.
 
Please also see the Microsoft security bulletins at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/codeblue.asp and http://www.cert.org/advisories/CA-2001-19.html.

The following filters can be added to Excelerator XL 1.x software to block Code Blue or Nimda and Code Red worms.

From the GUI, select Configuration, Access Control (under Security Settings), add a name for the new Access Control Policy.  Leave the default Stage setting of User Request, and click Insert.  Click "1" to edit rule 1.  Set the Condition to URL, and the Operator to "path is."  Enter the following paths, and save the changes.

/readme.eml
/scripts/root.exe
/msadc/root.exe
/winnt/system32/cmd.exe
/default.ida

Please note that while these instructions are written for the GUI interface, these can also be configured via SSH or the console command line.
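The following is an added example, not Novell or Volera code, that models both filter styles on this page (the Excelerator 2.x wildcard overrides and the Excelerator XL 1.x "path is" access-control paths) so an administrator can check which request URLs each list would block before loading it on a cache. The sample requests are constructed. The matching semantics are assumptions, marked in the code: `*` is taken to match any run of characters including `/`, comparison is taken to be case-insensitive, the query string is taken to be ignored, and "path is" is taken to be an exact path comparison; Excelerator's real matcher may differ.

```python
"""Added example (not Novell/Volera code): models the two Excelerator filter
styles on this page so you can see which request URLs they would block.
Every matching rule below is an ASSUMPTION about how the product compares URLs."""
import fnmatch
from urllib.parse import urlsplit

# Excelerator 2.x filter overrides, exactly as listed on the page.
OVERRIDE_PATTERNS = [
    "http://*/readme.eml",
    "http://*/scripts/root.exe",
    "http://*/msadc/root.exe",
    "http://*/*/winnt/system32/cmd.exe",
    "http://*/msadc/..*/winnt/system32/cmd.exe",
    "http://*/default.ida",
]

# Excelerator XL 1.x access-control paths ("path is"), exactly as listed on the page.
EXACT_PATHS = [
    "/readme.eml",
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/winnt/system32/cmd.exe",
    "/default.ida",
]


def strip_query(url):
    """Keep scheme://host/path and drop the query string.
    ASSUMPTION: the proxy compares patterns against the URL without its query;
    Code Red's request carries its payload after '?', so this matters."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def override_matches(url):
    """Return every 2.x override pattern that matches the URL (empty list = allowed).
    ASSUMPTION: '*' matches any run of characters including '/', and the
    comparison is case-insensitive (fnmatch semantics, not a documented fact)."""
    target = strip_query(url).lower()
    return [pat for pat in OVERRIDE_PATTERNS if fnmatch.fnmatchcase(target, pat.lower())]


def exact_path_match(url):
    """Return True if the request path equals one of the XL 1.x paths.
    ASSUMPTION: 'path is' is an exact, case-insensitive comparison of the path."""
    path = urlsplit(url).path.lower()
    return path in (p.lower() for p in EXACT_PATHS)


def classify(urls):
    """Map each URL to (matching_override_patterns, exact_path_hit)."""
    return {u: (override_matches(u), exact_path_match(u)) for u in urls}


# Constructed sample requests: the worm paths named on the page plus benign traffic.
SAMPLE_REQUESTS = [
    "http://10.0.0.5/default.ida?NNNNNNNN",                 # Code Red probe, payload shortened
    "http://10.0.0.5/scripts/root.exe?/c+dir",               # Nimda root.exe backdoor
    "http://10.0.0.5/MSADC/root.exe?/c+dir",                 # same path, different case
    "http://10.0.0.5/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",          # traversal form
    "http://10.0.0.5/msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",  # via msadc
    "http://www.example.com/readme.eml",                     # Nimda mail payload fetch
    "http://www.example.com/index.html",                     # benign
    "http://www.example.com/docs/readme.txt",                # benign
]

if __name__ == "__main__":
    for url, (pats, exact) in classify(SAMPLE_REQUESTS).items():
        verdict = "BLOCK" if pats or exact else "allow"
        print(f"{verdict:5} 2.x={', '.join(pats) or '-'}  XL1.x={exact}  {url}")
```

Run it as a script to print a verdict per sample request. Under the assumed semantics the traversal form of the cmd.exe request is caught by the 2.x pattern `http://*/*/winnt/system32/cmd.exe` but not by the XL 1.x exact path `/winnt/system32/cmd.exe`, and the `msadc/..*` pattern only ever matches URLs the `*/winnt/...` pattern already matches; both observations hold for this model only and should be confirmed against the product's own matcher before relying on them.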

note

These same measures also apply for Code.Red.F and other similar variants of Code Red.

document

Document Title: Blocking Code Red and Nimda - Code Blue with Volera Excelerator
Document ID: 10080772
Solution ID: NOVL87597
Creation Date: 04Mar2003
Modified Date: 29Oct2003
Novell Product Class: NetWare
Volera Excelerator

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.