Dave Ahmad <da@securityfocus.com> writes:

> The incident analysis team over here is examining this thing. At first glance it looks reasonably sophisticated. Looks to me like it exploits the issue described as BID 5363, http://online.securityfocus.com/bid/5363. It seems to pick targets based on the "Server:" HTTP response field. Mario Van Velzen proposed a quick workaround of disabling ServerTokens or setting it to ProductOnly to turn away at least this version of the exploit until fixes can be applied.

Since this workaround requires changing the configuration file, it's equally easy to disable SSLv2 entirely--especially since one could easily modify the worm to attack all servers or, perhaps, those which only display Product ID :)

-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
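An added audit helper for the workaround discussed in this thread (my own example, not code from either poster): it pulls the "Server:" header out of a raw HTTP response and infers which ServerTokens level produced it, so you can check which hosts still advertise the version string the worm keys on. It assumes the banner shapes Apache documents for each ServerTokens level; the two sample responses are constructed, not captured traffic.

```python
import re

# Shape of an Apache banner: Apache[/maj[.min[.patch]]] [(OS)] [module tokens].
# Each optional piece corresponds to one more ServerTokens level
# (ProductOnly, Major, Minor, Minimal, OS, Full).
_APACHE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\S+))?)?)?\s*(\([^)]*\))?\s*(.*)$"
)


def server_header(raw_response):
    """Return the Server: header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(server_value):
    """Infer the effective ServerTokens level from a Server: header value.

    'exposes_version' is True for anything beyond ProductOnly, i.e. whenever the
    banner still gives the worm something to key on; 'modules' lists the extra
    tokens (mod_ssl/OpenSSL versions) that only a Full banner leaks.
    """
    m = _APACHE.match(server_value or "")
    if not m:  # not an Apache banner at all
        return {"level": None, "exposes_version": False, "modules": []}
    major, minor, patch, os_part, extra = m.groups()
    modules = extra.split()
    level = ("Full" if modules else "OS" if os_part else "Minimal" if patch
             else "Minor" if minor else "Major" if major else "ProductOnly")
    return {"level": level, "exposes_version": level != "ProductOnly",
            "modules": modules}


# Constructed sample responses, not captured traffic: a default ServerTokens Full
# mod_ssl banner of the period, and the same host after "ServerTokens ProductOnly"
# (pair that with "SSLProtocol all -SSLv2" to retire the protocol the flaw lives in).
FULL = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g\r\n\r\n"
PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for raw in (FULL, PROD):
        print(classify(server_header(raw)))
```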