RE: Nimda

From: Dorning, Kevin E - DI-2 (kedorning@private)
Date: Thu Sep 20 2001 - 06:11:19 PDT


    We have had few infections, mostly desktops and development web servers.
    The desktops that were hit were pretty severely affected.  Nimda infects so
    many system files that many of them had to be wiped and re-installed.
    
    K.D>
    
    -----Original Message-----
    From: J.Michael Cuciti [mailto:mcuciti@private]
    Sent: Wednesday, September 19, 2001 3:04 PM
    To: crime@private
    Subject: Nimda
    
    
    All:
    
    I got hit by the Nimda virus yesterday at 7:40 am.  However, because of dumb
    luck, I believe that I have been saved from damage as my IIS server is
    version 3.0 and the browser on the server is also version 3.0.  We never upgraded.
    
    This is what I've found on my system:
    
    The Admin.DLL was placed in the c:\ root directory.  
    In the SCRIPTS directory there were a number of files called TFTP#.EXE
    There was no entry in the SYSTEM.INI
    The RICHED20.DLL file was not replaced or deleted
    No SAMPLE.EML, DESKTOP.EML, DESKTOP.NWS, or SAMPLE.NWS were created
    The workstation service was not started and therefore the virus could add a
    user
    
    I get the following error in the Event Log every 6 minutes:
    
    The HTTP server was unable to load ISAPI application: 
    C:\IntPub\Scripts\.%5c\Admin.dll
    Event ID:19
    Anybody know what that means?
    
    Thanks...
    
    -Mike
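The post above is a list of host-based indicators (Admin.dll in the drive root, TFTP#.EXE stagers in \scripts, the .eml/.nws drops, a SYSTEM.INI entry, and the Event ID 19 text with "%5c" in the path). The script below is an added example, not code from either poster or the list: it walks a drive root for those artifacts and parses the quoted event text. The artifact names come from the post; the "shell=explorer.exe load.exe -dontrunold" line is assumed from public Nimda write-ups, and the infected tree it scans is constructed in a temp directory with placeholder bytes, not a real sample.

```python
"""Host triage for the Nimda artifacts enumerated in the post above.

Added example; artifact names come from the post, the system.ini "shell="
hook line is assumed from public Nimda write-ups, and the sample tree is
constructed here with placeholder bytes (not malware).
"""
import re
import tempfile
from pathlib import Path

TFTP_STAGER = re.compile(r"^tftp\d+\.exe$", re.IGNORECASE)  # TFTP#.EXE in \scripts
MAIL_DROPS = {"sample.eml", "desktop.eml", "sample.nws", "desktop.nws"}
EVENT_RE = re.compile(r"unable to load ISAPI application:\s*(?P<path>\S+)", re.IGNORECASE)
ENCODED_SEP = re.compile(r"%5c", re.IGNORECASE)  # URL-encoded backslash


def _names(directory):
    """Case-insensitive listing: NTFS ignores case, the test tree may not."""
    if directory is None or not directory.is_dir():
        return {}
    return {p.name.lower(): p for p in directory.iterdir()}


def _child(directory, name):
    return _names(directory).get(name.lower())


def scan_host(root):
    """Return (category, detail) findings for the indicators the post lists."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    admin = _child(root, "Admin.dll")            # Admin.dll dropped in the drive root
    if admin:
        findings.append(("root_admin_dll", str(admin)))
    scripts = _child(_child(root, "Inetpub"), "Scripts")
    for name, path in _names(scripts).items():   # TFTP#.EXE stagers in \scripts
        if TFTP_STAGER.match(name):
            findings.append(("tftp_stager", str(path)))
    for path in root.rglob("*"):                 # .eml/.nws drops can land anywhere
        if path.is_file() and path.name.lower() in MAIL_DROPS:
            findings.append(("mail_drop", str(path)))
    windir = _child(root, "WINNT") or _child(root, "Windows")
    sysini = _child(windir, "system.ini")
    if sysini:                                   # any shell= other than plain explorer.exe
        for line in sysini.read_text(errors="replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell" and value.strip().lower() != "explorer.exe":
                findings.append(("sysini_shell", line.strip()))
    return findings


def parse_isapi_error(message):
    """Parse the Event ID 19 text the post quotes.

    "%5c" is the URL-encoded backslash; seeing it inside a filesystem path
    means the request path reached IIS's loader still encoded, so the entry
    is flagged as an encoded-separator path aimed at Admin.dll.
    """
    m = EVENT_RE.search(message)
    if not m:
        return None
    path = m.group("path")
    return {
        "path": path,
        "encoded_separator": bool(ENCODED_SEP.search(path)),
        "admin_dll": path.lower().endswith("admin.dll"),
    }


def build_sample_tree(base):
    """Constructed infected layout: every artifact the poster checked for is
    present so each check fires. Contents are placeholder bytes, not malware."""
    root = Path(base)
    (root / "Admin.dll").write_bytes(b"MZ placeholder")
    scripts = root / "Inetpub" / "Scripts"
    scripts.mkdir(parents=True)
    for n in (1, 2, 3):
        (scripts / f"TFTP{n}.EXE").write_bytes(b"MZ placeholder")
    (scripts / "readme.txt").write_text("benign file, must not be flagged")
    wwwroot = root / "Inetpub" / "wwwroot"
    wwwroot.mkdir()
    (wwwroot / "SAMPLE.EML").write_text("MIME-Version: 1.0\n")
    (wwwroot / "index.html").write_text("<html></html>")
    winnt = root / "WINNT"
    winnt.mkdir()
    # Assumed hook line from public Nimda write-ups; the post itself does not quote it.
    (winnt / "system.ini").write_text("[boot]\nshell=explorer.exe load.exe -dontrunold\n")
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_host(build_sample_tree(tmp))


if __name__ == "__main__":
    for category, detail in demo():
        print(f"{category:16} {detail}")
    print(parse_isapi_error(
        r"The HTTP server was unable to load ISAPI application: C:\IntPub\Scripts\.%5c\Admin.dll"))
```

On a real box, point scan_host at the drive root the web server lives on (e.g. the C: drive) rather than the demo tree; the checks are deliberately name-based, so a clean host with a TFTP client in \scripts or a custom shell= line will also be reported and needs a human look.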
    

    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:16 PDT