RE: plugin that will detect servers infected w/ Nimda worm

From: Matt Moore (mattat_private)
Date: Wed Sep 19 2001 - 03:16:28 PDT

Next message: Alan Pitts: "Re: plugin that will detect servers infected w/ Nimda worm"

Previous message: Matt Moore: "RE: plugin that will detect servers infected w/ Nimda worm"
In reply to: Matt Moore: "RE: plugin that will detect servers infected w/ Nimda worm"
Next in thread: Alan Pitts: "Re: plugin that will detect servers infected w/ Nimda worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hello List,

I've just seen one description of the worm which states:

'Virus code in stealth executable file with name tftp###, where ### is
any numeric string.  File has no extension, but it is definitely a
Windows executable.  This file is placed into \Program Files\Common
Files\System\MSADC, and in same directory, Admin.dll appears to be
hacked.'

Anyone confirm this behaviour, specifically that it puts a file called
'Admin.dll' in the MSADC folder (which is usually mapped to /msadc on the
web server)?

Obviously testing for the presence of the tftp file isn't feasible as it has
a random numeric string on the end of the filename, but the plugin could be
updated to also test for /msadc/Admin.dll if this is accurate...

regards,

Matt

Next message: Alan Pitts: "Re: plugin that will detect servers infected w/ Nimda worm"
Previous message: Matt Moore: "RE: plugin that will detect servers infected w/ Nimda worm"
In reply to: Matt Moore: "RE: plugin that will detect servers infected w/ Nimda worm"
Next in thread: Alan Pitts: "Re: plugin that will detect servers infected w/ Nimda worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 03:16:15 PDT