NIMDA Alert on Samba server! Foiled attempts?

james tan jamestcc at
Thu Dec 20 08:22:02 GMT 2001

NIMDA Alert on Samba server! Foiled attempts?

                           Read the below file, I have a question to pose
for NIMDA on Linux.

                           1)Discovered thru smbstatus that system
accessed by unknown machines, with from network and domain 'regularly'.

                           2)Being curious, I use a NT system with Norton
AntiVir and nbtstat -a it. Interestingly, all of them are NT-based.

                           3)Mapped their default C$, managed to get in
with "administrator" no password, using NT4+Norton. Once mapped, Antivir
                           reported NIMDA detected in that mapped drive,
unable to clean, quarantined. Files kept from all unknown machines =

                           4)Suspect infection on Linux, checked system
for .eml files/admin.dll, not found. Checked
interesting messages abt failed attempts to authenticate/locate
                           Assuming that the unknown machines are
searching for a WIN NT file(s).

                           5)smbclient -L LOCAL_SYSTEM_NBTNAME, saw
ADMIN$ in the list together with IPC$.

                           6)Removed guest login in global, ADMIN$ no
longer seen.

                           1)Can I assume that because of the ADMIN$,
those infected systems are trying to infect me, but failed becoz I had
                           running a Sambad Fileserver instead of
                           2)Does it help if I follow the below file for
prevention or does disabling guest login sufficient?...ok lah, 2x
questions but
                           damn crucial.

                           All my shares can only be accessed by domain
users, so guest account not needed. I do not wish to attract anymore
                           unwelcomed hosts lest my Samba(trial) server
is being "untrusted" by boss/collegues. So far I have been bragging abt
                           "stable and fast" it is compared to my other
NT4 and W2K fileservers.

                           While this article is specific to the recent
Nimda worm,
                           the information can be applied to preventing
the spread
                           of many Win32 viruses. Thanks to the Samba
Users Group of Japan
                           (SUGJ) for this article.


                           Steps againt Nimba Worm for Samba

                           Author: HASEGAWA Yosuke
                           Translator: TAKAHASHI Motonobu
<monyo at>

                           The information in this article applies to
                           Samba 2.0.x
                           Samba 2.2.x
                           Windows 95/98/Me/NT/2000

                           This article has described the measure against
Nimba Worm for Samba

                           Nimba Worm is infected through the shared disk
on a network besides
                           Microsoft IIS, Internet Explorer and mailer of
Outlook series.

                           At this time, the worm copies itself by the
name *.nws and *.eml on
                           the shared disk, moreover, by the name of
Riched20.dll in the folder
                           where *.doc file is included.

                           To prevent infection through the shared disk
offered by Samba, set
                           up as follows:

                           veto files = /*.eml/*.nws/riched20.dll/

                           Setting up "veto files" parameter, the matched
files on the Samba
                           server are completely hidden from the clients
and become impossible
                           to access them at all.

                           In addition to it, the following setting are
also pointed out by the
                           samba-jp:09448 thread: when the
(Jreadme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" (B file exists on
                           a Samba server, it is visible only with
"readme.txt" and a dangerous
                           code may be performed when this file is

                           Setting the following,
                           veto files = /*.{*}/
                           no files having CLSID in its file extension
can be accessed from any

                           This technical article is created based on the
discussion of
                           samba-jp:09448 and samba-jp:10900 threads.

                           A fulll description of Nimda from f-secure on

                           1st Cor 13

                           Last edited by jameztcc on 20-12-2001 at 10:44
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2035 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the samba-ntdom mailing list