Help with Nimda.E?

From: Matt Beck (Mbeckat_private)
Date: Wed Oct 31 2001 - 11:29:34 PST


    Hello all,
    I haven't determined how yet, but one system on my DMZ was unpatched.  Of
    course, it got hit by Nimda.E.  This new variant is now propagating like mad
    through the shares.
    Given the nature of the environment, I am having trouble containing and
    removing it.  Any suggestions?  I have 50+ NT/2k servers on the DMZ LAN.
    There is a master domain that all other domains trust.  Servers in each
    domain require shares to function.  Permissions are highly entangled.  All
    servers (but one apparently) are patched against the IIS vulnerability, but
    the shares remain open.
    I have tried Symantec's new scanner and the web A/V tool at,
    but neither seems to get it all.  As soon as someone logs in to the "clean"
    box, snort detects outbound attacks.  I am shutting down all non-essential
    systems, but some are going to have to keep running.
    Please contact me off list for more details or on list with solutions.
    This list is provided by the SecurityFocus ARIS analyzer service.
