Re: Explorer Dr. Watsons

From: FYOM (fyomat_private)
Date: Tue Sep 18 2001 - 13:00:28 PDT

    Chris,
    
    I had the same issue, and I'm disinfecting a server that had the worm.
    
    The worm loads a trojan mmc.exe in C:\winnt.  This trojan mmc.exe loads any
    time your system runs explorer.exe.  Also, you will note a ton of mep*.exe
    files in c:\winnt.  These files are the worm's threads of execution and they
    modify all your html and asp files on your system to include this line:
    
    ----- Original Message -----
    From: "Chris Thornberry" <chrisat_private>
    To: <incidentsat_private>
    Sent: Tuesday, September 18, 2001 3:32 PM
    Subject: Explorer Dr. Watsons
    
    
    > Has anyone been experiencing issues with Dr. Watson Application errors
    > in EXPLORER.EXE. Ever since this morning and the W32.Nimda.A@mm issue
    > some of my servers have had issues trying to run anything.
    >
    > Does anyone know of a relation between the two?
    >
    > Regards,
    > Chris
    >
    > --------------------------------------------
    > Chris Thornberry MCSE, CCNA, A+
    > Systems Engineer
    > Cameron & Associates, Inc.
    > E-mail:  chrisat_private
    > --------------------------------------------
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:08:28 PDT