RE: Nimda

From: david_macleod@private
Date: Fri Sep 21 2001 - 07:08:35 PDT


    I have been awfully busy eradicating and recovering from a hoax then!
    
    David MacLeod, Ph.D., CISSP
    Assistant Director & Chief Information Security Officer
    The Regence Group
    P.O. Box 1271   M/S H4A
    Portland, Oregon   97207-1271
    Phone: 503.553.1405
    Fax: 503.553.1453
    email: david_macleod@private
    
    
    
    From: EKornber@private
    Sent by: owner-crime@/var/spool/majordomo/lists/crime
    Date: 09/20/2001 09:21 AM
    To: kedorning@private, mcuciti@private, crime@private
    cc:
    Subject: RE: Nimda
    
    
    
    
    I had someone at Cisco tell me that the Nimda virus was a hoax... (Huh??)
    Not true - right?
    
    -----Original Message-----
    From: Dorning, Kevin E - DI-2 [mailto:kedorning@private]
    Sent: Thursday, September 20, 2001 6:11 AM
    To: 'J.Michael Cuciti'; crime@private
    Subject: RE: Nimda
    
    
    We have had few infections, mostly desktops and development web servers.
    The desktops that were hit were pretty severely affected.  Nimda infects so
    many system files that many of them had to be wiped and re-installed.
    
    K.D>
    
    -----Original Message-----
    From: J.Michael Cuciti [mailto:mcuciti@private]
    Sent: Wednesday, September 19, 2001 3:04 PM
    To: crime@private
    Subject: Nimda
    
    
    All:
    
    I got hit by the Nimda virus yesterday at 7:40 am.  However, because of dumb
    luck, I believe that I have been saved from damage as my IIS server is version
    3.0 and the browser on the server is also version 3.0.  We never upgraded.
    
    This is what I've found on my system:
    
    The Admin.DLL was placed in the c:\ root directory.
    In the SCRIPTS directory there were a number of files called TFTP#.EXE
    There was no entry in the SYSTEM.INI
    The RICHED20.DLL file was not replaced or deleted
    No SAMPLE.EML, DESKTOP.EML, DESKTOP.NWS, or SAMPLE.NWS were created
    The workstation service was not started and therefore the virus could add a user
    
    I get the following error in the Event Log every 6 minutes:
    
    The HTTP server was unable to load ISAPI application:
    C:\IntPub\Scripts\.%5c\Admin.dll
    Event ID:19
    Anybody know what that means?
    
    Thanks...
    
    -Mike
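The artifacts Mike lists (Admin.dll in the drive root, TFTP#.EXE files in the scripts directory, the SAMPLE/DESKTOP .eml and .nws copies) and the Event ID 19 message he asks about are concrete things a defender can check for. The `%5c` in that event's path is the URL encoding of a backslash, so the event records IIS failing to load the DLL at a path requested through an encoded separator. The script below is an added example, not code from anyone in this thread: it checks a list of file paths against those indicators, flags IIS W3C log requests that use encoded separators or decode to a `..` traversal, and classifies the ISAPI load-failure event. The file paths, log lines and the W3C field layout (c-ip in the ninth column) are constructed for the example.

```python
"""Defender-side checks for the Nimda indicators named in the thread.

  1. file paths matching the dropped artifacts (Admin.dll in the drive root,
     TFTP#.EXE in the scripts directory, SAMPLE/DESKTOP .eml/.nws copies);
  2. IIS W3C log requests that use an encoded path separator (%5c = '\\',
     %2f = '/') or decode to a '..' traversal, or that ask for the artifacts;
  3. the Event ID 19 ISAPI load-failure message quoted in the thread.
All sample data in this file is constructed for the example.
"""
import re
from urllib.parse import unquote

# (description, pattern over a lower-cased Windows path)
FILE_INDICATORS = [
    ("admin.dll in drive root", re.compile(r"^[a-z]:\\admin\.dll$")),
    ("tftp dropper in scripts dir", re.compile(r"\\scripts\\tftp\d+\.exe$")),
    ("mail-format copy of worm", re.compile(r"\\(sample|desktop)\.(eml|nws)$")),
]


def find_file_indicators(paths):
    """Return (description, path) for every path that matches an indicator."""
    hits = []
    for p in paths:
        low = p.lower()
        for desc, pat in FILE_INDICATORS:
            if pat.search(low):
                hits.append((desc, p))
    return hits


def request_is_suspicious(uri_stem):
    """True for encoded separators, a decoded '..' traversal, or a request
    for Admin.dll / TFTP#.EXE by name."""
    raw = uri_stem.lower()
    if "%5c" in raw or "%2f" in raw:        # a literal separator never needs encoding
        return True
    decoded = unquote(raw).replace("\\", "/")
    if "/../" in decoded or decoded.endswith("/.."):
        return True
    name = decoded.rsplit("/", 1)[-1]
    return name == "admin.dll" or re.fullmatch(r"tftp\d+\.exe", name) is not None


def scan_iis_log(lines):
    """Assumed W3C layout: date time s-ip cs-method cs-uri-stem cs-uri-query
    s-port cs-username c-ip ...  Returns (client ip, method, uri) per hit."""
    flagged = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9:
            continue
        if request_is_suspicious(f[4]):
            flagged.append((f[8], f[3], f[4]))
    return flagged


ISAPI_FAIL = re.compile(r"unable to load ISAPI application:\s*(?P<path>\S+)", re.I)


def classify_isapi_failure(event_id, message):
    """Verdict for an IIS event: ID 19 whose path carries %5c and ends in
    Admin.dll is the pattern quoted in the thread."""
    m = ISAPI_FAIL.search(message)
    if event_id != 19 or not m:
        return "not an ISAPI load failure"
    path = m.group("path").lower()
    if "%5c" in path and path.endswith("admin.dll"):
        return "nimda: encoded-separator request for Admin.dll"
    return "isapi load failure (investigate)"


# --- constructed sample data -------------------------------------------------
SAMPLE_PATHS = [
    r"C:\Admin.dll",
    r"C:\Inetpub\Scripts\TFTP3.EXE",
    r"C:\Inetpub\wwwroot\index.htm",
    r"C:\Windows\System32\riched20.dll",   # only a hash check can tell if replaced
    r"C:\Inetpub\wwwroot\sample.eml",
]
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2001-09-19 07:40:02 10.0.0.5 GET /scripts/.%5c/Admin.dll - 80 - 10.0.0.77 - 500",
    "2001-09-19 07:40:05 10.0.0.5 GET /scripts/TFTP7.EXE - 80 - 10.0.0.77 - 404",
    "2001-09-19 07:41:00 10.0.0.5 GET /index.htm - 80 - 10.0.0.12 Mozilla/4.0 200",
    "2001-09-19 07:42:10 10.0.0.5 GET /images/..%2f..%2flogo.gif - 80 - 10.0.0.90 - 404",
]
# Path spelled as quoted in the thread.
SAMPLE_EVENT = r"The HTTP server was unable to load ISAPI application: C:\IntPub\Scripts\.%5c\Admin.dll"

if __name__ == "__main__":
    for desc, p in find_file_indicators(SAMPLE_PATHS):
        print(f"file indicator: {desc}: {p}")
    for ip, method, uri in scan_iis_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {method} {uri}")
    print("event 19:", classify_isapi_failure(19, SAMPLE_EVENT))
```

On a real host the path list would come from a directory walk of the drive root, the scripts directory and the web root, and the log lines from the W3SVC log files; the riched20.dll entry is deliberately not flagged, since a replaced system DLL can only be confirmed by comparing its hash against a known-good copy.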
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:32 PDT