Good Afternoon,

I know there's a lot going on everywhere, and you might already have something like this (I know most AV vendors have them, but they are all a bit different). AV sites around the world are coming out with tools to fix and remove it. I dislike those tools, because they require that you completely trust that the AV vendor caught everything.

I sat down and went over everything this one does, based on live samples we caught and tested, as well as data from the various mailing lists, and a few contributions from other sources. I hope I've got it all down now. We set this one off over a dozen times in a controlled environment. Since the infections began, only a few copies of NIMDA have ACTUALLY been set off here; they were set off and contained in under 5 minutes. Those infections were early in the day Tuesday, before our defenses and administrators were fully brought to bear, before our users were properly alerted.

These instructions have been tested against infected systems and appear to be pretty complete. There are aspects of this virus that DO NOT HAPPEN on every machine; it's a bit fluky, sometimes crashing before it finishes its intrusion, sometimes not. Unix systems are my thing, not Windows, but I think I got everything. I hope that they can be of some help.

- Jeffrey Isherwood...

_____
Jeffrey.Isherwoodat_private - Senior Security Engineer-UNIX Sys
AFRL\IFOSS
Security Awareness Training and Education (SATE) MANAGER
Comm: (315) 330-7246 DSN: 587-7246
You lock up your Car and your House... Why not your workstation...?
This archive was generated by hypermail 2b30 : Thu Sep 20 2001 - 11:46:56 PDT