RE: New "concept" virus/worm?

From: Christian Hampson (champsonat_private)
Date: Tue Sep 18 2001 - 11:29:09 PDT


    Please forgive the cross-post.
    
    I am at a client site.  Win2k without SP2 is infected.  NT4 without IIS
    or an email client installed has not been affected.  Fortunately, that
    is the server containing payroll.
    
    If anyone has developed or heard of a removal tool, I would love to hear
    about it.
    
    So far, I have seen McAfee, Sophos, and F-Secure post definitions for
    this virus.
    
    Christian Hampson
    champsonat_private
    
    -----Original Message-----
    From: Dave Salovesh [mailto:saloveshat_private] 
    Sent: Tuesday, September 18, 2001 10:21
    To: 'Brett Glass'; Jay D. Dyson; Incidents List
    Cc: Vuln Dev
    Subject: RE: New "concept" virus/worm?
    
    
    It infects 98 (I've got it on the one 98 workstation we run) and may
    have been involved in infecting two NT4 servers.
    
    I also have two UNinfected NT4 servers that are patched to about the
    same level as the infected ones - not quite completely patched, but I
    think I've selected all the appropriate ones for the role each server
    plays.
    
    My W2K server is patched up to the minute and didn't get infected.  So
    far...
    
    -- 
    Dave Salovesh
    RAM Associates, Inc.
    (800) 543-3635
    
    
    
    > -----Original Message-----
    > From: Brett Glass [mailto:brettat_private]
    > Sent: Tuesday, September 18, 2001 12:58 PM
    > To: Jay D. Dyson; Incidents List
    > Cc: Vuln Dev
    > Subject: Re: New "concept" virus/worm?
    > 
    > 
    > At 10:21 AM 9/18/2001, Jay D. Dyson wrote:
    > 
    > >        It's a two-prong worm.  It appears to be primarily disseminated
    > >via e-mail, and then launches its attacks on web hosts upon successful
    > >infection.
    > 
    > Newsbytes is calling this worm "Code Rainbow," while some of the antivirus
    > firms seem to be calling it "W32.Nimda.A@mm".
    > 
    > Can the e-mail infect anything other than Windows NT/2000? Will it infect
    > a system that's running Windows NT/2000 but not IIS? If a Windows 95/98/ME
    > user opens it, will his or her system begin to spread the worm as well?
    > 
    > --Brett Glass
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For 
    > more information on this free incident handling, management and 
    > tracking system please see: http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:49:04 PDT