The server we had hit here was a Win2K server. I searched for all files
modified Tuesday morning, and the only files that came up were:
- index server catalogs (normal)
- .htm files modified with the javascript insertion
- hundreds of readme.eml files (we did not get any other .eml files
deposited other than readme.eml)
- admin.dll and mmc.dll. Our riched20.dll was not touched. Perhaps this is
why we did not get any exe file infection?
So much more going on with this bugger. If I am not mistaken, those on this
list who have had exe files modified by the virus (not simply new files
added) are all running NT4. Perhaps there is something in the way the virus
runs under NT4 that allows it to do this, where under Win2K it can't. Or it
could be how quickly the server was taken off line and cleaned. We noticed
this at 10:30 AM ET yesterday. Immediately killed the rogue tftp.exe
processes, locked that file down, got rid of admin.dll and mmc.dll,
rebooted, cleaned the .htm files and reapplied SP2. Perhaps it did not have
time to finish its business. I don't know.
--
Scot
----- Original Message -----
From: "Guenther Koch (DND Internet Agentur)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 1:18 PM
Subject: re: [imail] Nimda Virus
> Hi,
>
> No one has infected .exe files? I had to check a partner-server that had
> hundreds of infected .exe files.
> There is no way to clean them, as far as I know.
>
> Guenther
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
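The clean-up Scot describes above (list what changed Tuesday morning, look for readme.eml and the two dropped DLLs, clean the .htm files that carry the JavaScript insertion) is the kind of triage worth scripting before the next hit. The following is an added example, not code from the thread or from anyone on the list: a Python script that walks a tree, reports every file modified in a time window under the indicators the thread names, and strips the injected script from the pages. The exact shape of the JavaScript insertion (a <script> block that opens readme.eml), the 2001-09-18 morning window, and the sample directory tree with its contents are all assumptions constructed for the dry run, not data taken from a real server.

```python
"""
Triage helper for the clean-up steps in the message above: find files
modified inside a time window, sort them by the indicators the thread
names (readme.eml, admin.dll, mmc.dll, .htm pages carrying the JavaScript
insertion) and strip that insertion from the pages.
Added example; the injection pattern and the sample tree are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# File names the thread reports as dropped on the hit server.
DROPPED_NAMES = {"readme.eml", "admin.dll", "mmc.dll"}
HTML_SUFFIXES = {".htm", ".html", ".asp"}

# Assumed shape of the JavaScript insertion: a <script> block that opens
# readme.eml, wrapped in its own <html>...</html>. Matched loosely
# (case-insensitive, free whitespace) so small variants are still caught.
INJECTED_RE = re.compile(
    r"<html>\s*<script[^>]*>[^<]*readme\.eml[^<]*</script>\s*</html>",
    re.IGNORECASE,
)

# Assumed window: Tuesday 2001-09-18, 06:00 to 12:00 US Eastern, as UTC
# epoch seconds. Replace with the window you actually observed.
TUESDAY_UTC = 1000771200                 # 2001-09-18 00:00:00 UTC
WINDOW_START = TUESDAY_UTC + 10 * 3600
WINDOW_END = TUESDAY_UTC + 16 * 3600


def files_modified_between(root, start, end):
    """Return every file under root whose mtime lies in [start, end]."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                mtime = p.stat().st_mtime
            except OSError:              # vanished or locked; skip it
                continue
            if start <= mtime <= end:
                hits.append(p)
    return sorted(hits)


def classify(path):
    """Label one file by the indicators the thread describes."""
    name = path.name.lower()
    if name in DROPPED_NAMES:
        return "dropped-file"
    if name.endswith(".eml"):
        return "other-eml"               # the thread saw none; report if present
    if path.suffix.lower() in HTML_SUFFIXES:
        try:
            text = path.read_text(errors="replace")
        except OSError:
            return "unreadable"
        if INJECTED_RE.search(text):
            return "injected-html"
    return "other"                       # logs, index catalogs: review by hand


def triage(root, start, end):
    """Group the files modified in the window by classification."""
    report = {}
    for p in files_modified_between(root, start, end):
        report.setdefault(classify(p), []).append(p.relative_to(root).as_posix())
    return report


def clean_html(path):
    """Strip the injected block from one page; True if the file changed."""
    text = path.read_text(errors="replace")
    cleaned, count = INJECTED_RE.subn("", text)
    if count:
        path.write_text(cleaned)         # this bumps the page's mtime to now
    return count > 0


# Constructed sample tree standing in for a hit server; not real worm output.
SAMPLE_INJECTION = ('<html><script language="JavaScript">window.open("readme.eml",'
                    ' null, "resizable=no,top=6000,left=6000")</script></html>')
ORIGINAL_PAGE = "<html><body>Welcome</body></html>\n"


def build_sample(root):
    """Populate root with files inside and outside the window (constructed)."""
    hit_time = TUESDAY_UTC + 13 * 3600 + 15 * 60     # 09:15 ET
    old_time = TUESDAY_UTC - 7 * 86400               # a week earlier
    files = {
        "inetpub/wwwroot/index.htm": (ORIGINAL_PAGE + SAMPLE_INJECTION, hit_time),
        "inetpub/wwwroot/readme.eml": ("MIME-Version: 1.0\n", hit_time),
        "inetpub/wwwroot/sub/readme.eml": ("MIME-Version: 1.0\n", hit_time),
        "winnt/system32/admin.dll": ("MZ", hit_time),
        "winnt/system32/mmc.dll": ("MZ", hit_time),
        "inetpub/logs/ex010918.log": ("#Software: IIS 5.0\n", hit_time),
        "inetpub/wwwroot/about.htm": (ORIGINAL_PAGE, old_time),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))


def demo():
    """Triage the sample tree; returns (report, cleaned, remaining, restored)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        # Search first: cleaning rewrites pages and moves them out of the window.
        report = triage(root, WINDOW_START, WINDOW_END)
        pages = [p for p in files_modified_between(root, WINDOW_START, WINDOW_END)
                 if p.suffix.lower() in HTML_SUFFIXES]
        cleaned = [p.relative_to(root).as_posix() for p in pages if clean_html(p)]
        remaining = [p.relative_to(root).as_posix() for p in pages
                     if classify(p) == "injected-html"]
        restored = (root / "inetpub/wwwroot/index.htm").read_text() == ORIGINAL_PAGE
        return report, cleaned, remaining, restored


if __name__ == "__main__":
    report, cleaned, remaining, restored = demo()
    for label, paths in sorted(report.items()):
        print(label + ":", *paths, sep="\n  ")
    print("cleaned:", cleaned, "still injected:", remaining, "restored:", restored)
```

Run the window search before touching anything: rewriting a page moves its mtime to now and it drops out of the window, which is why demo() collects the report first and only then cleans. Files that land under "other" (IIS logs, index server catalogs) are reported, not judged; the script sorts, the admin decides.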