Got this from Peter Kruse who pointed me to http://www.norman.no/ - thanks!
The worm W32/Nimda.A@mm is spreading very fast. It may arrive as an email with the following characteristics:
Subject: None
Body: None
Attachment name: README.EXE
This worm may enter a computer in several ways: it may be received as an email with an attachment, spread over open shared drives in networks, and it seems that it will also attempt to break into machines running the web server software IIS (Internet Information Server), utilizing various well-known security holes. All IIS web server admins are encouraged to patch up their web server to protect themselves. An accumulative patch for IIS servers is available from: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
When the infected file is run, it will copy itself to the system directory as a hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so that it is run at startup.
It may not remove everything – but it may
stop it long enough to see what damage was done.
Steve Clark
Clark Systems Support, LLC
www.clarksupport.com
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
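Two quick checks that follow from the indicators in the post above: a mail filter test for the described message shape (empty subject, empty body, a README.EXE attachment) and a scan of SYSTEM.INI for any entry that references LOAD.EXE. This is an added example written for this page, not code from Norman, Microsoft or the list poster. The sample message and the two SYSTEM.INI texts are constructed inline; the "shell=explorer.exe load.exe -dontrunold" line is the form reported in public Nimda write-ups and is an assumption here, since the post only says the file is "called from SYSTEM.INI".

```python
"""Indicator checks for the Nimda description above (added example, Python 3.8+)."""
from __future__ import annotations

import configparser
import email
import re
from email import policy
from typing import List, Tuple

# Constructed sample SYSTEM.INI as a Nimda-infected host is reported to leave it.
# The "-dontrunold" switch comes from public write-ups, not from the post (assumption).
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
[drivers]
wave=mmdrv.dll
"""

# Constructed clean SYSTEM.INI for comparison.
CLEAN_SYSTEM_INI = """[boot]
shell=explorer.exe
[drivers]
wave=mmdrv.dll
"""

# Word-boundary match so "upload.exe" or "download.exe" is not flagged.
_LOAD_EXE = re.compile(r"(?i)(?<![\w.])load\.exe\b")


def system_ini_load_exe_refs(ini_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every SYSTEM.INI entry that references LOAD.EXE."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",), allow_no_value=True)
    parser.read_string(ini_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and _LOAD_EXE.search(value):
                hits.append((section, key, value))
    return hits


# Constructed message matching the post: no subject, no body text, README.EXE attached.
# The base64 payload is a short dummy "MZ" stub, not real worm code.
NIMDA_SAMPLE_EML = """\
From: sender@example.invalid
To: you@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain

Notes from today's meeting are attached to the wiki page.
"""


def matches_nimda_mail_indicators(raw_message: str) -> bool:
    """True when the message has an empty subject, no body text and a README.EXE attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    subject_empty = str(msg.get("subject", "")).strip() == ""

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_empty = body_part is None or body_part.get_content().strip() == ""

    has_readme_exe = any(
        (part.get_filename() or "").lower() == "readme.exe"
        for part in msg.iter_attachments()
    )
    return subject_empty and body_empty and has_readme_exe


if __name__ == "__main__":
    print("SYSTEM.INI hits (infected):", system_ini_load_exe_refs(INFECTED_SYSTEM_INI))
    print("SYSTEM.INI hits (clean):   ", system_ini_load_exe_refs(CLEAN_SYSTEM_INI))
    print("Nimda-shaped mail:", matches_nimda_mail_indicators(NIMDA_SAMPLE_EML))
    print("Benign mail:      ", matches_nimda_mail_indicators(BENIGN_EML))
```

On a live host the SYSTEM.INI check would read the file from the Windows directory and pair a hit with a look for a hidden LOAD.EXE in the system directory; the mail check is the kind of rule a gateway filter would apply, and on its own it is only a triage signal, not proof of infection.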