I have been awfully busy eradicating and recovering from a hoax then!

David MacLeod, Ph.D., CISSP
Assistant Director & Chief Information Security Officer
The Regence Group
P.O. Box 1271 M/S H4A
Portland, Oregon 97207-1271
Phone: 503.553.1405
Fax: 503.553.1453
email: david_macleod@private

EKornber@private
Sent by: owner-crime@/var/spool/majordomo/lists/crime
09/20/2001 09:21 AM

To: kedorning@private, mcuciti@private, crime@private
cc:
Subject: RE: Nimda

I had someone at Cisco tell me that the Nimda virus was a hoax... (Huh??) Not true - right?

-----Original Message-----
From: Dorning, Kevin E - DI-2 [mailto:kedorning@private]
Sent: Thursday, September 20, 2001 6:11 AM
To: 'J.Michael Cuciti'; crime@private
Subject: RE: Nimda

We have had few infections, mostly desktops and development web servers. The desktops that were hit were pretty severely affected. Nimda infects so many system files that many of them had to be wiped and re-installed.

K.D>

-----Original Message-----
From: J.Michael Cuciti [mailto:mcuciti@private]
Sent: Wednesday, September 19, 2001 3:04 PM
To: crime@private
Subject: Nimda

All:

I got hit by the Nimda virus yesterday at 7:40 am. However, because of dumb luck, I believe that I have been saved from damage as my IIS server is version 3.0 and the browser on the server is also version 3.0. We never upgraded.

This is what I've found on my system:

The Admin.DLL was placed in the c:\ root directory.
In the SCRIPTS directory there were a number of files called TFTP#.EXE
There was no entry in the SYSTEM.INI
The RICHED20.DLL file was not replaced or deleted
No SAMPLE.EML, DESKTOP.EML, DESKTOP.NWS, or SAMPLE.NWS were created
The workstation service was not started and therefore the virus could add a user

I get the following error in the Event Log every 6 minutes:

The HTTP server was unable to load ISAPI application: C:\IntPub\Scripts\.%5c\Admin.dll
Event ID:19

Anybody know what that means?

Thanks...

-Mike

===========================================================================
IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
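
Added example, not part of the original thread: a small Python triage that sorts a file listing and event-log lines into the indicators Mike enumerates (Admin.DLL in the drive root, TFTP#.EXE in a Scripts directory, the .EML/.NWS files, and the ISAPI load error for Admin.dll). The function name, sample paths and log-line layout are constructed for illustration, and "#" is assumed to stand for digits.

```python
import re
from pathlib import PureWindowsPath

# Indicators are the ones listed in the message above; "TFTP#.EXE" is read as
# TFTP followed by digits (an assumption about what "#" stands for).
MAIL_ARTIFACTS = {"sample.eml", "desktop.eml", "desktop.nws", "sample.nws"}
TFTP_COPY = re.compile(r"tftp\d+\.exe", re.IGNORECASE)
ISAPI_ERROR = re.compile(r"unable to load ISAPI application:\s*(\S+)", re.IGNORECASE)


def triage(file_paths, event_lines):
    """Sort a file listing and event-log text into the indicators from the message."""
    hits = {"admin_dll_in_root": [], "tftp_in_scripts": [],
            "mail_artifacts": [], "isapi_admin_dll_errors": []}
    for raw in file_paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        # Drive root only: an anchor plus exactly one path component.
        if name == "admin.dll" and p.anchor and len(p.parts) == 2:
            hits["admin_dll_in_root"].append(raw)
        elif TFTP_COPY.fullmatch(p.name) and p.parent.name.lower() == "scripts":
            hits["tftp_in_scripts"].append(raw)
        elif name in MAIL_ARTIFACTS:
            hits["mail_artifacts"].append(raw)
    for line in event_lines:
        m = ISAPI_ERROR.search(line)
        if m and PureWindowsPath(m.group(1)).name.lower() == "admin.dll":
            hits["isapi_admin_dll_errors"].append(m.group(1))
    return hits


# Constructed sample input modelled on the findings reported in the message.
SAMPLE_FILES = [
    r"c:\Admin.DLL",
    r"C:\IntPub\Scripts\TFTP132.EXE",
    r"C:\IntPub\Scripts\TFTP7.EXE",
    r"C:\WINNT\System32\tftp.exe",      # stock client: no digits, not in Scripts
    r"C:\WINNT\System32\RICHED20.DLL",  # present; integrity needs a known-good copy
]
SAMPLE_EVENTS = [
    r"07:40:00 Event ID:19 The HTTP server was unable to load ISAPI application: C:\IntPub\Scripts\.%5c\Admin.dll",
    r"07:46:00 Event ID:19 The HTTP server was unable to load ISAPI application: C:\IntPub\Scripts\.%5c\Admin.dll",
    r"07:47:10 Event ID:7 Service started",
]

if __name__ == "__main__":
    for indicator, found in triage(SAMPLE_FILES, SAMPLE_EVENTS).items():
        print(f"{indicator}: {len(found)} {found}")
```
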
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:32 PDT