RE: New Virus Alert

2001-09-21 Thread Lefkovics, William

Why? Is their Exchange Server having issues?

-Original Message-
From: Greg Page [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 6:35 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Probably out at the Mustang Ranch. I would be there giving the circumstances.

Greg

  
-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax
  

RE: New Virus Alert

2001-09-19 Thread Dahl, Peter

Symantec gives the following synopsis on what the virus does.  There are
some more details on the site regarding detection and removal that I did not
copy over so I have provided the link at the beginning.

Peter Dahl.

http:[EMAIL PROTECTED]

W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to
spread itself. The worm sends itself out by email, searches for open network
shares, attempts to copy itself to unpatched or already vulnerable Microsoft
IIS web servers, and is a virus infecting both local files and files on
remote network shares. 

The worm uses the Unicode Web Traversal exploit. A patch and information
regarding this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. 

When the worm arrives by email, the worm uses a MIME exploit allowing the
virus to be executed just by reading or previewing the file. Information and
a patch for this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Users visiting compromised Web servers will be prompted to download an .eml
(Outlook Express) email file, which contains the worm as an attachment. This
.eml file also uses the aforementioned MIME exploit. Users can disable 'File
Download' in their internet security zones to prevent compromise.

Also, the worm will create open network shares on the infected computer,
allowing access to the system. During this process the worm creates the
guest account with Administrator privileges.

-Original Message-
From: Stephen J. Norton [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 11:28 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert


If it's any consolation Lance, it's banging the hell out of me also. Seems
to replicate richad20.dll and *.eml files on servers. I'm talking hundreds
of thousands of the suckers. Worst is, CAI claims the virus pattern files I
updated this morning before the attack take care of it! Another load of
horse manure from an already suspect company. If anyone knows exactly how
this works, and I mean exactly, I'd sure like to know. Even with all
workstations shut down, it still replicates itself on my PDC as fast as I
can delete the dll and eml files. On infected workstations, repairing the
sys.ini file and deleting load.exe from the \\windows\system directory does
not help. On reboot, the sys.ini is modified again and the load.exe is back
in place. Making the system.ini file read only seems to help. Good luck.

Oh yeah - tried calling Computer Associates tech support for two hours today.
Was kept in a holding pattern for 30 minutes and then disconnected. Nice
people.
-Original Message-
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:07 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert


Thanks. It's killing us. NAI seems to have numerous updates, as well as MS.
Some get fixed, some don't. Half the network is down due to this bad boy. Be
careful with this one, especially software companies running IIS.


From: Zangara, Jim [EMAIL PROTECTED]
Reply-To: MS-Exchange Admin Issues 
[EMAIL PROTECTED]
To: MS-Exchange Admin Issues [EMAIL PROTECTED]
Subject: RE: New Virus Alert
Date: Tue, 18 Sep 2001 10:47:03 -0700

W32/Nimda.A@mm - just came in from antigen.


Virus Name:
---
W32/Nimda.A@mm


Alias:
---
W32/Nimda-A
W32/Nimda-mm



E-mail Subject:
---
None



E-mail Body:
---
None


E-mail Attachments:
---
README.EXE


Description:
---
This worm will enter a computer in one out of possibly two ways - it will
either be received as an email with an attachment, and it seems that it will
also attempt to break into machines running the web server software IIS
(Internet Information Server), through a security hole known as a directory
traversal exploit.

When the file is run, it will copy itself to the system directory as a
hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
that it is run from startup.


At the present time a filter rule for Readme.exe (all types) will remove
this from your email server.

We will be releasing AV Engine Updates when they are made available.

Thank You,

Sybari Software, Inc.


Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]




-Original Message-
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:51 AM
To: MS-Exchange Admin Issues
Subject: Re: New Virus Alert


Do you know the name of the virus?


 From: Zangara, Jim [EMAIL PROTECTED]
 Reply-To: MS-Exchange Admin Issues
 [EMAIL PROTECTED]
 To: MS-Exchange Admin Issues [EMAIL PROTECTED]
 Subject: New Virus Alert
 Date: Tue, 18 Sep 2001 09:32:37 -0700
 
 Hey folks we are getting nailed by this new virus - we had already
 blocked

RE: New Virus Alert

2001-09-19 Thread Greg Page

Probably out at the Mustang Ranch. I would be there giving the 
circumstances.

Greg

  
-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax
  

RE: New Virus Alert

2001-09-18 Thread RZorz

Panda sucks. I need Antigen.

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:46 AM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

It's been hitting for hours. New worm, IIS exploit, very hard hitting..fast...

Ck Securityfocus.com, Incidents.

Jamie
  

-Original Message-
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: MS-Exchange Admin Issues
Subject: New Virus Alert

Hey folks we are getting nailed by this new virus - we had already blocked
the exe extension but there are two new extensions causing the windows media
player to start - and share your C drive and propagate itself. We are now
blocking the *.EML and *.NWS per Antigen.

Just wanted to spread the word - not the virus :)

Good luck.

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:21 AM
To: Zangara, Jim
Subject: Re: (ROB)RE: Antigen

Jim,

Here is a copy of what Sophos is saying in case you have not seen this yet:

Name: W32/Nimda-A
Type: W32 executable file virus
Date: 18 September 2001

A virus identity file (IDE) which provides protection is available now from
our website and will be incorporated into the November 2001 (3.51) release
of Sophos Anti-Virus.

Sophos has received many reports of this virus from the wild.

Description:
W32/Nimda-A is an email-aware virus that spreads using an attached filename
of README.EXE.

Sophos researchers are continuing to examine the virus and will be posting a
more detailed description of the virus on the Sophos website once the
analysis is complete.

Use the file filter that I told you about earlier, README.EXE on all file
types.

Robert McCarthy
Sybari Software, Inc.
E-mail: [EMAIL PROTECTED]
Phone: 631-630-8500 Option # 23
http://www.sybari.com

Please respond to [EMAIL PROTECTED]

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
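The gateway rules posted in this thread (Antigen's README.EXE filter "on all file types", Jim's block on *.EML and *.NWS) and the Symantec note in Peter Dahl's post that the worm also travels as an attachment inside a downloaded .eml file, written up as an added example. This is not Antigen, Sybari or Symantec code and not code from the thread; it assumes a Python hook that receives the raw message bytes at the gateway. The sample message is constructed, and the generic executable-extension list is an assumption added here, not a rule anyone in the thread posted. The point the sample makes is that the filename, not the declared Content-Type, has to drive the decision, and that an attachment nested inside an attached message must be inspected too.

```python
"""Attachment filter for a mail gateway (illustration for the thread, not Antigen code).
Rules from the posts: block README.EXE whatever its declared type; block *.EML and *.NWS.
The executable-extension list is an assumption added here."""
from __future__ import annotations

import email
import os
from email import policy

BLOCKED_NAMES = {"readme.exe"}            # Antigen rule quoted in the thread: all file types
BLOCKED_EXTENSIONS = {".eml", ".nws"}     # "We are now blocking the *.EML and *.NWS"
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}  # assumed, not from the thread


def classify(filename: str, declared_type: str) -> tuple[str, str]:
    """Block/allow decision for one named part. The filename drives it: a part
    can declare any Content-Type it likes, so the declared type is only reported."""
    lowered = filename.lower()
    ext = os.path.splitext(lowered)[1]
    if lowered in BLOCKED_NAMES:
        return "block", "filename rule: README.EXE on all file types"
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension rule: *{ext}"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable attachment declared as {declared_type}"
    return "allow", f"declared type {declared_type}"


def filter_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, verdict, reason) for every named part. walk() descends
    into message/rfc822 parts, so an attachment hidden inside an attached .eml
    is inspected as well as the .eml itself."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        name = part.get_filename()        # Content-Disposition filename, else Content-Type name
        if name:
            verdict, reason = classify(name, part.get_content_type())
            verdicts.append((name, verdict, reason))
    return verdicts


def blocked_attachments(raw: bytes) -> list[str]:
    return [name for name, verdict, _ in filter_message(raw) if verdict == "block"]


# Constructed sample (not a captured worm mail): a forwarded .eml attached as
# message/rfc822, carrying README.EXE under an unhelpful declared type, plus one
# harmless text attachment that must pass.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: postmaster@example.invalid
Subject: FW: New Virus Alert (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Forwarding what just arrived.
--outer
Content-Type: message/rfc822; name="forwarded.eml"
Content-Disposition: attachment; filename="forwarded.eml"

From: someone@example.invalid
Subject: (none)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

--inner
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="README.EXE"

TVo=
--inner--
--outer
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Nothing to see here.
--outer--
"""

if __name__ == "__main__":
    for name, verdict, reason in filter_message(SAMPLE_EML):
        print(f"{verdict:5} {name:15} {reason}")
```

Run stand-alone it prints a verdict per named part: the forwarded .eml is blocked by extension, the README.EXE inside it by the filename rule, and notes.txt is allowed. A gateway that only looked at the outer attachments, or that trusted the declared type, would miss the nested executable.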





RE: New Virus Alert

2001-09-18 Thread Stephen J. Norton



If it's any consolation Lance, it's banging the hell out of me also. Seems to
replicate richad20.dll and *.eml files on servers. I'm talking hundreds of
thousands of the suckers. Worst is, CAI claims the virus pattern files I
updated this morning before the attack take care of it! Another load of horse
manure from an already suspect company. If anyone knows exactly how this works,
and I mean exactly, I'd sure like to know. Even with all workstations shut down,
it still replicates itself on my PDC as fast as I can delete the dll and eml
files. On infected workstations, repairing the sys.ini file and deleting
load.exe from the \\windows\system directory does not help. On reboot, the
sys.ini is modified again and the load.exe is back in place. Making the
system.ini file read only seems to help. Good luck.

Oh yeah - tried calling Computer Associates tech support for two hours today.
Was kept in a holding pattern for 30 minutes and then disconnected. Nice people.


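Stephen's report above (load.exe in the system directory, system.ini rewritten again on every reboot, piles of dropped .eml files, and the read-only workaround that "seems to help") as an added host-triage script. It is not code from the thread or from any vendor named in it. It runs over a constructed directory tree rather than a Windows host, so the paths are stand-ins; the `shell=` line in the sample system.ini is an assumed form, since the alert only says LOAD.EXE is "called from the file SYSTEM.INI so that it is run from startup", and the DLL name from the thread is not searched for because the thread gives it only by description.

```python
"""Host triage for the indicators in the thread (added illustration, not the thread's code).
Checks a system.ini for a load.exe reference, whether load.exe sits in the system
directory, how many *.eml / *.nws files were dropped, and whether system.ini is
read-only (the mitigation Stephen reports). Runs against a constructed tree."""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

STARTUP_REFERENCE = re.compile(r"\bload\.exe\b", re.IGNORECASE)
DROPPED_EXTENSIONS = (".eml", ".nws")


def system_ini_findings(ini_text: str) -> list[tuple[str, str]]:
    """Return (section, line) for every system.ini line that names load.exe."""
    section, hits = "", []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif STARTUP_REFERENCE.search(line):
            hits.append((section, line))
    return hits


def count_dropped_files(root: Path) -> dict[str, int]:
    """Count files by the extensions the thread says the worm litters servers with."""
    counts = {ext: 0 for ext in DROPPED_EXTENSIONS}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in counts:
            counts[path.suffix.lower()] += 1
    return counts


def is_read_only(path: Path) -> bool:
    mode = stat.S_IMODE(path.stat().st_mode)
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def make_read_only(path: Path) -> None:
    """Stephen's workaround: strip write permission so the startup hook cannot be
    re-added (on Windows, chmod toggles the read-only attribute; here, POSIX bits)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    path.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def triage(root: Path) -> dict:
    ini = root / "windows" / "system.ini"            # stand-in for %WINDIR%\system.ini
    return {
        "system_ini_hits": system_ini_findings(ini.read_text()) if ini.exists() else [],
        "system_ini_read_only": is_read_only(ini) if ini.exists() else None,
        "load_exe_present": (root / "windows" / "system" / "load.exe").exists(),
        "dropped": count_dropped_files(root),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed layout mimicking the thread's reports; not captured from a real host."""
    (root / "windows" / "system").mkdir(parents=True)
    # Assumed form of the startup hook; the alert only says LOAD.EXE is called from SYSTEM.INI.
    (root / "windows" / "system.ini").write_text(
        "[boot]\nshell=explorer.exe load.exe\n[drivers]\nwave=mmdrv.dll\n")
    (root / "windows" / "system" / "load.exe").write_bytes(b"MZ")   # placeholder bytes only
    share = root / "share"
    share.mkdir()
    for name in ("a.eml", "b.eml", "c.nws", "readme.txt"):
        (share / name).write_text("constructed sample\n")


def run_demo() -> dict:
    """Build the sample tree, triage it, apply the read-only mitigation, triage again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = triage(root)
        make_read_only(root / "windows" / "system.ini")
        after = triage(root)
        (root / "windows" / "system.ini").chmod(0o600)   # restore so cleanup works everywhere
        return {"before": before, "after_hardening": after}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The first triage pass reports the `[boot]` line naming load.exe, the file in the system directory and the counts of dropped files; the second pass, after the mitigation, shows system.ini as read-only. On a real host the read-only bit only blocks the rewrite Stephen describes, it does not remove the dropped files or the executable, so the counts are what tell you cleanup is still pending.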

RE: New Virus Alert

2001-09-18 Thread Clark, Steve









Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax



-Original Message-
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:31 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

> If it's any consolation Lance, it's banging the hell out of me also.

Well, that's a little personal Stephen.

> CAI claims the virus pattern files I updated this morning before the attack take care of it!

<bigassumption>
Well... it seems we know who wrote it, then...
</bigassumption>

> If anyone knows exactly how this works, and I mean exactly, I'd sure like to know.

It seems many are still up trying to determine that 100%

> deleting load.exe

I've learned it's not usually prudent to lose your load on a computer.

> Good luck.

Thank you. You as well.








RE: New Virus Alert

2001-09-18 Thread Lefkovics, William



Our ISP apparently has many an IIS server yet to be patched from October of 2000.

The inbound and outbound traffic toasted our connection. We had a trickling of
inbound emails and that is all. No successful HTTP browsing (read: not able to
research this worm thingie). Outbound emails sat in the IMS queues.

Then we had someone internally [1] get the readme.exe possibly from Hotmail?
12,500 *.eml files and 1750 *.dll's later

[1] an associated company

Otherwise perfectly alright, given the circumstances.

You probably weren't asking, but that's the scoop, nonetheless.

William

-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax






RE: New Virus Alert

2001-09-18 Thread Clark, Steve









Always nice to hear someone else’s pain. Makes my day a little better.

Amazing that regardless of explaining the whole hotmail/yahoo threat – people
still do it and then sound “AMAZED” when you explain it, again.

Have a happy.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax



-Original Message-
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:37 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Our ISP apparently has many an IIS server yet to be patched from October of 2000.

The inbound and outbound traffic toasted our connection. We had a trickling of
inbound emails and that is all. No successful HTTP browsing (read: not able to
research this worm thingie). Outbound emails sat in the IMS queues.

Then we had someone internally [1] get the readme.exe possibly from Hotmail?
12,500 *.eml files and 1750 *.dll's later

[1] an associated company

Otherwise perfectly alright, given the circumstances.

You probably weren't asking, but that's the scoop, nonetheless.

William



-Original
Message-
From: Clark, Steve
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001
8:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?



Steve Clark

Clark Systems Support, LLC

AVIEN Charter Member

www.clarksupport.com

  301-610-9584
voice

  240-465-0323
Efax



-Original Message-
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:31 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

If it's any consolation Lance, it's banging the hell out of me also.

Well, that's a little personal Stephen.

CAI claims the virus pattern files I updated this morning before the attack takes care of it!

bigassumption
Well... it seems we know who wrote it, then...
/bigassumption

If anyone knows exactly how this works, and I mean exactly, I'd sure like to know.

It seems many are still up trying to determine that 100%

deleting load.exe

I've learned it's not usually prudent to lose your load on a computer.

Good luck.

Thank you. You as well.

-Original Message-
From: Stephen J. Norton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:28 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

If it's any consolation Lance, it's banging the hell out of me also. Seems to replicate riched20.dll and *.eml files on servers. I'm talking hundreds of thousands of the suckers. Worst is, CAI claims the virus pattern files I updated this morning before the attack takes care of it! Another load of horse manure from an already suspect company. If anyone knows exactly how this works, and I mean exactly, I'd sure like to know. Even with all workstations shut down, it still replicates itself on my PDC as fast as I can delete the dll and eml files. On infected workstations, repairing the sys.ini file and deleting load.exe from the \\windows\system directory does not help. On reboot, the sys.ini is modified again and the load.exe is back in place. Making the system.ini file read only seems to help. Good luck.

Oh yeah, tried calling Computer Associates tech support for two hours today. Was kept in a holding pattern for 30 minutes and then disconnected. Nice people.

-Original Message-
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:07 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Thanks. It's killing us. NAI seems to have numerous updates, as well as MS. Some get fixed, some don't. Half the network is down due to this bad boy. Be careful with this one, especially software companies running IIS.

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
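The symptoms Stephen describes in the quoted message above (load.exe re-appearing via the shell= line of system.ini after every reboot, hundreds of thousands of *.eml files, riched20.dll copies) can be triaged with a small script. This is an added example, not code from the list or from any vendor; the exact `explorer.exe load.exe -dontrunold` form of the modified shell line is an assumption taken from public writeups of this worm, since the thread only says load.exe "is back in place".

```python
"""Triage checks for the symptoms the thread reports: a system.ini shell= line
that relaunches load.exe, and dropped *.eml / riched20.dll files (added example)."""
from typing import Dict, Iterable, List

# Constructed samples: stock [boot] section, and one with the
# 'explorer.exe load.exe -dontrunold' shell value documented in public
# writeups (assumption: the thread itself does not quote the line).
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\ndrivers=mmsystem.dll\n"
INFECTED_SYSTEM_INI = ("[boot]\nshell=explorer.exe load.exe -dontrunold\n"
                       "drivers=mmsystem.dll\n")


def boot_shell_line(ini_text: str) -> str:
    """Return the shell= value from the [boot] section, or '' if absent.
    Hand-rolled rather than configparser: system.ini tolerates duplicate
    keys and odd spacing that configparser rejects."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def shell_line_is_tampered(ini_text: str) -> bool:
    """True unless shell= launches exactly explorer.exe and nothing else.
    A missing shell line is flagged too, since that is also not the default."""
    return boot_shell_line(ini_text).lower().split() != ["explorer.exe"]


def suspicious_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket file paths by the indicators named in the thread: dropped .eml
    files, load.exe anywhere, and riched20.dll outside the system directory
    (the legitimate copy lives in windows\\system)."""
    hits: Dict[str, List[str]] = {"eml": [], "load_exe": [], "stray_riched20": []}
    for p in paths:
        norm = p.replace("\\", "/").lower()   # handle Windows paths on any host
        parent, _, name = norm.rpartition("/")
        if name.endswith(".eml"):
            hits["eml"].append(p)
        elif name == "load.exe":
            hits["load_exe"].append(p)
        elif name == "riched20.dll" and not parent.endswith("/system"):
            hits["stray_riched20"].append(p)
    return hits
```

Feed `suspicious_files` the output of an `os.walk` over the volume and `shell_line_is_tampered` the text of `system.ini`; a non-empty bucket or a tampered shell line means the machine still carries the worm's footprint after the "cleanup" the thread describes.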

RE: New Virus Alert

2001-09-18 Thread Brian Bauer ** Network Technician

NAI again has another DAT file. I don't think anyone knows what this thing really does yet.

Thank god for mailsweeper for smtp, and blocking exe's!

  -Original Message-
  From: Clark, Steve [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 11:42 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  Always nice to hear someone else’s pain. Makes my day a little better.

  Amazing that regardless of explaining the whole Hotmail/Yahoo threat – people still do it and then sound “AMAZED” when you explain it, again.

  Have a happy.

  Steve Clark
  Clark Systems Support, LLC
  AVIEN Charter Member
  www.clarksupport.com
  301-610-9584 voice
  240-465-0323 Efax
  
  -Original Message-
  From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 11:37 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  Our ISP apparently has many an IIS server yet to be patched from October of 2000.

  The inbound and outbound traffic toasted our connection. We had a trickling of inbound emails and that is all. No successful HTTP browsing (read: not able to research this worm thingie). Outbound emails sat in the IMS queues.

  Then we had someone internally [1] get the readme.exe possibly from Hotmail? 12,500 *.eml files and 1750 *.dll's later.

  [1] an associated company

  Otherwise perfectly alright, given the circumstances.

  You probably weren't asking, but that's the scoop, nonetheless.

  William
  
  -Original Message-
  From: Clark, Steve [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 8:34 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  Was beginning to wonder if you took the day off?

  Steve Clark
  Clark Systems Support, LLC
  AVIEN Charter Member
  www.clarksupport.com
  301-610-9584 voice
  240-465-0323 Efax
  
  -Original Message-
  From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 11:31 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  If it's any consolation Lance, it's banging the hell out of me also.

  Well, that's a little personal Stephen.

  CAI claims the virus pattern files I updated this morning before the attack takes care of it!

  bigassumption
  Well... it seems we know who wrote it, then...
  /bigassumption

  If anyone knows exactly how this works, and I mean exactly, I'd sure like to know.

  It seems many are still up trying to determine that 100%

  deleting load.exe

  I've learned it's not usually prudent to lose your load on a computer.

  Good luck.

  Thank you. You as well.
  
  -Original Message-
  From: Stephen J. Norton [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 8:28 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  If it's any consolation Lance, it's banging the hell out of me also. Seems to replicate riched20.dll and *.eml files on servers. I'm talking hundreds of thousands of the suckers. Worst is, CAI claims the virus pattern files I updated this morning before the attack takes care of it! Another load of horse manure from an already suspect company. If anyone knows exactly how this works, and I mean exactly, I'd sure like to know. Even with all workstations shut down, it still replicates itself on my PDC as fast as I can delete the dll and eml files. On infected workstations, repairing the sys.ini file and deleting load.exe from the \\windows\system directory does not help. On reboot, the sys.ini is modified again and the load.exe is back in place. Making the system.ini file read only seems to help. Good luck.

  Oh yeah, tried calling Computer Associates tech support for two hours today. Was kept in a holding pattern for 30 minutes and then disconnected. Nice people.
  
  -Original Message-
  From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 11:07 PM
  To: MS-Exchange Admin Issues
  Subject: RE: New Virus Alert

  Thanks. It's killing us. NAI seems to have numerous updates, as well as MS. Some get fixed, some don't. Half the network is down due to this bad boy. Be careful with this one, especially software companies running IIS.

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm