RE: plugin that will detect servers infected w/ Nimda worm

From: Matt Moore (mattat_private)
Date: Wed Sep 19 2001 - 03:16:28 PDT

    Hello List,
    
    I've just seen one description of the worm which states:
    
    'Virus code in stealth executable file with name tftp###, where ### is
    any numeric string.  File has no extension, but it is definitely a
    Windows executable.  This file is placed into \Program Files\Common
    Files\System\MSADC, and in same directory, Admin.dll appears to be
    hacked.'
    
    Anyone confirm this behaviour, specifically that it puts a file called
    'Admin.dll' in the MSADC folder (which is usually mapped to /msadc on the
    web server)?
    
    Obviously testing for the presence of the tftp file isn't feasible as it has
    a random numeric string on the end of the filename, but the plugin could be
    updated to also test for /msadc/Admin.dll if this is accurate...
    
    regards,
    
    Matt
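
The message above notes that a remote test for the tftp### file is not feasible because the numeric suffix varies; on the server itself the name can be matched as a pattern. The following is an added example, not part of the original message or of the plugin under discussion: a host-side check of an MSADC directory for the two indicators in the quoted description. The directory is passed in by the caller, the sample files are constructed, and since the description is unconfirmed, Admin.dll is only flagged for review.

```python
import re
import struct
import tempfile
from pathlib import Path

# Name pattern taken from the quoted description: "tftp" + digits, no extension.
TFTP_NAME = re.compile(r"^tftp\d+$", re.IGNORECASE)

def is_windows_executable(path):
    """True if the file has a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as fh:
        header = fh.read(64)
        if len(header) < 64 or header[:2] != b"MZ":
            return False
        (pe_offset,) = struct.unpack_from("<I", header, 0x3C)  # e_lfanew
        fh.seek(pe_offset)
        return fh.read(4) == b"PE\0\0"

def scan_msadc(directory):
    """Return (name, indicator, detail) tuples for files matching the description."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        if TFTP_NAME.match(entry.name):
            detail = "executable" if is_windows_executable(entry) else "not-executable"
            findings.append((entry.name, "tftp-numeric-name", detail))
        elif entry.name.lower() == "admin.dll":
            # The description is unconfirmed, so presence is only flagged for review.
            findings.append((entry.name, "admin-dll-present", "review"))
    return findings

def demo():
    """Scan a constructed sample directory (stand-in for the real MSADC folder)."""
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    samples = {                      # constructed sample files, not real artefacts
        "tftp123": pe_stub,          # numeric name, PE header
        "tftp999": b"plain text",    # numeric name, but not an executable
        "tftp.txt": pe_stub,         # has an extension, so the name does not match
        "Admin.dll": pe_stub,
        "msadcs.dll": pe_stub,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan_msadc(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```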
    


