Our ISP apparently has many an IIS server yet to be patched from October of 2000.
 
The inbound and outbound traffic toasted our connection.  We had a trickling of inbound emails and that is all.  No successful HTTP browsing (read: not able to research this worm thingie).  Outbound emails sat in the IMS queues.
 
Then we had someone internally [1] get the readme.exe possibly from Hotmail?  12,500 *.eml files and 1750 *.dll's later....
 
[1] an associated company
 
Otherwise.... perfectly alright, given the circumstances.
 
You probably weren't asking, but that's the scoop, nonetheless.
 
William
 
-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-----Original Message-----
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:31 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

 

>>If it's any consolation Lance, it's banging the hell out of me also.

 

Well, that's a little personal Stephen.

 

>>CAI claims the virus pattern files I updated this morning before the attack takes care of it!

 

<bigassumption>

Well... it seems we know who wrote it, then...

</bigassumption>

 

>>If anyone knows exactly how this works, and I mean exactly, I'd sure like to know.

 

It seems many are still up trying to determine that 100%.

 

>>deleting load.exe

 

I've learned it's not usually prudent to lose your load on a computer.

 

>> Good luck.

 

Thank you.  You as well.

 

 

 

-----Original Message-----
From: Stephen J. Norton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:28 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

If it's any consolation Lance, it's banging the hell out of me also. Seems to replicate richad20.dll and *.eml files on servers. I'm talking hundreds of thousands of the suckers. Worst is, CAI claims the virus pattern files I updated this morning before the attack takes care of it! Another load of horse manure from an already suspect company. If anyone knows exactly how this works, and I mean exactly, I'd sure like to know. Even with all workstations shut down, it still replicates itself on my PDC as fast as I can delete the dll and eml files. On infected workstations, repairing the sys.ini file and deleting load.exe from the \\windows\system directory does not help. On reboot, the sys.ini is modified again and the load.exe is back in place. Making the system.ini file read only seems to help. Good luck.

Oh yeah-tried calling Computer Associates tech support for two hours today. Was kept in a holding pattern for 30 minutes and then disconnected. Nice people.

-----Original Message-----
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:07 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Thanks. It's killing us. NAI seems to have numerous updates, as well as MS.
Some get fixed, some don't. Half the network is down due to this bad boy. Be
careful with this one, especially software companies running IIS.

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
