Steps againt Nimba Worm (fwd)

Gerald Carter gcarter at
Sat Sep 22 06:02:08 GMT 2001

Good advice.  Thanks Monyo.  I'm passing it onto Samba at

cheers, jerry

---------- Forwarded message ----------

SUGJ(Samba Users Group Japan) offers such information

This is the English version of it,

Is it usefull?

Steps againt Nimba Worm for Samba

Last Updated: 2001/09/22
Author: HASEGAWA Yohsuke
Translator: TAKAHASHI Motonobu

The information in this article applies to
    Samba 2.0.x
    Samba 2.2.x
    Windows 95/98/Me/NT/2000

  This article has described the measure against Nimba Worm for Samba

  Nimba Worm is infected through the shared disk on a network besides
  Microsoft IIS, Internet Explorer and mailer of Outlook series.

  At this time, the worm copies itself by the name *.nws and *.eml on
  the shared disk, moreover, by the name of Riched20.dll in the folder
  where *.doc file is included.

  To prevent infection through the shared disk offered by Samba, set
  up as follows:

  veto files = /*.eml/*.nws/riched20.dll/

  Setting up "veto files" parameter, the matched files on the Samba
  server are completely hidden from the clients and become impossible
  to access them at all.

  In addition to it, the following setting are also pointed out by the
  samba-jp:09448 thread: when the
  "readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" file exists on
  a Samba server, it is visible only with "readme.txt" and a dangerous
  code may be performed when this file is double-clicked.

  Setting the following,
  veto files = /*.{*}/
  no files having CLSID in its file extension can be accessed from any

This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.

TAKAHASHI, Motonobu(monyo)         monyo at
Personal -
Samba Team -     Samba-JP -
JWNTUG -  Analog-JP -

More information about the samba mailing list