Title: Message
Probably out at the Mustang Ranch. I would be there given the circumstances.
 
Greg
-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:34 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Was beginning to wonder if you took the day off?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-----Original Message-----
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:31 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

 

>>If it's any consolation Lance, it's banging the hell out of me also.

Well, that's a little personal Stephen.

>>CAI claims the virus pattern files I updated this morning before the attack takes care of it!

<bigassumption>
Well... it seems we know who wrote it, then...
</bigassumption>

>>If anyone knows exactly how this works, and I mean exactly, I'd sure like to know.

It seems many are still up trying to determine that 100%.

>>deleting load.exe

I've learned it's not usually prudent to lose your load on a computer.

>> Good luck.

Thank you.  You as well.

-----Original Message-----
From: Stephen J. Norton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:28 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

If it's any consolation Lance, it's banging the hell out of me also. Seems to replicate richad20.dll and *.eml files on servers. I'm talking hundreds of thousands of the suckers. Worst is, CAI claims the virus pattern files I updated this morning before the attack takes care of it! Another load of horse manure from an already suspect company. If anyone knows exactly how this works, and I mean exactly, I'd sure like to know. Even with all workstations shut down, it still replicates itself on my PDC as fast as I can delete the dll and eml files. On infected workstations, repairing the sys.ini file and deleting load.exe from the \\windows\system directory does not help. On reboot, the sys.ini is modified again and the load.exe is back in place. Making the system.ini file read only seems to help. Good luck.

Oh yeah-tried calling Computer Associates tech support for two hours today. Was kept in a holding pattern for 30 minutes and then disconnected. Nice people.

-----Original Message-----
From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:07 PM
To: MS-Exchange Admin Issues
Subject: RE: New Virus Alert

Thanks. It's killing us. NAI seems to have numerous updates, as well as MS.
Some get fixed, some don't. Half the network is down due to this bad boy. Be
careful with this one, especially software companies running IIS.


>From: "Zangara, Jim" [EMAIL PROTECTED]
>Reply-To: "MS-Exchange Admin Issues"
>[EMAIL PROTECTED]
>To: "MS-Exchange Admin Issues" [EMAIL PROTECTED]
>Subject: RE: New Virus Alert
>Date: Tue, 18 Sep 2001 10:47:03 -0700
>
>W32/Nimda.A@mm - just came in from antigen.
>
>
>Virus Name:
>-------------------
>W32/Nimda.A@mm
>
>
>Alias:
>-------------------
>W32/Nimda-A
>W32/Nimda-mm
>
>
>
>E-mail Subject:
>-------------------
>None
>
>
>
>E-mail Body:
>-------------------
>None
>
>
>E-mail Attachments:
>-------------------
>README.EXE
>
>
>Description:
>-------------------
>This worm will enter a computer in one out of possibly two ways - it will
>either be received as an email with an attachment, and it seems that it will
>also attempt to break into machines running the web server software IIS
>(Internet Information Server), through a security hole known as a "directory
>traversal exploit".
>When the file is run, it will copy itself to the system directory as a
>hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
>that it is run from startup.
>
>
>At the Present time a Filter Rule for : Readme.exe (all types) will remove
>this from your email server
>
>We will be releasing AV Engine Updates when they are made available.
>
>Thank You,
>
>Sybari Software, Inc.
>
>
>Jim Zangara, MCSE+I
>Special Projects Engineer
>Premiere Radio Networks
>A Division of Clear Channel Communications
>15260 Ventura Blvd Suite 500
>Sherman Oaks, CA 91403
>Direct: (818) 461-8620
>mailto:[EMAIL PROTECTED]
>
>
>
>
>-----Original Message-----
>From: Lance -a-lot [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 18, 2001 9:51 AM
>To: MS-Exchange Admin Issues
>Subject: Re: New Virus Alert
>
>
>Do you know the name of the virus?
>
>
> >From: "Zangara, Jim" [EMAIL PROTECTED]
> >Reply-To: "MS-Exchange Admin Issues"
> >[EMAIL PROTECTED]
> >To: "MS-Exchange Admin Issues" [EMAIL PROTECTED]
> >Subject: New Virus Alert
> >Date: Tue, 18 Sep 2001 09:32:37 -0700
> >
> >Hey folks we are getting nailed by this new virus - we had already
> >blocked the exe extension but there are two new extensions causing the
> >windows media player to start - and share your C drive and propagate
> >itself. We are now blocking the *.EML and *.NWS per Antigen.
> >
> >Just wanted to spread the word - not the virus :)
> >
> >Good luck.
> >
> >Jim Zangara, MCSE+I
> >Special Projects Engineer
> >Premiere Radio Networks
> >A Division of Clear Channel Communications
> >15260 Ventura Blvd Suite 500
> >Sherman Oaks, CA 91403
> >Direct: (818) 461-8620
> >mailto:[EMAIL PROTECTED]
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, September 18, 2001 9:21 AM
> >To: Zangara, Jim
> >Subject: Re: (ROB)RE: Antigen
> >
> >
> >
> >Jim,
> >
> >Here is a copy of what Sophos is saying in case you have not seen this
> >yet:
> >
> >Name: W32/Nimda-A
> >Type: W32 executable file virus
> >Date: 18 September 2001
> >
> >A virus identity file (IDE) which provides protection is available now
> >from our website and will be incorporated into the November 2001 (3.51)
> >release of Sophos Anti-Virus.
> >
> >Sophos has received many reports of this virus from the wild.
> >
> >Description:
> >
> >W32/Nimda-A is an email-aware virus that spreads using an attached
> >filename of README.EXE.
> >
> >Sophos researchers are continuing to examine the virus and will be
> >posting a more detailed description of the virus on the Sophos website
> >once the analysis is complete.
> >
> >
> >Use the file filter that I told you about earlier, README.EXE on all
> >file types.
> >
> >Robert McCarthy
> >Sybari Software, Inc.
> >E-mail: [EMAIL PROTECTED]
> >Phone: 631-630-8500 Option # 23
> >http://www.sybari.com
> >
> >Please respond to [EMAIL PROTECTED]
> >
> >
> >List Charter and FAQ at:
> >http://www.sunbelt-software.com/exchange_list_charter.htm
> >
>


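The mail filter rules named in this thread (README.EXE on all file types, plus *.EML and *.NWS), as an added Python example that is not part of the original messages and is not Antigen's own logic. The sample message, its addresses and the `blocked_attachments` helper are constructed for illustration; matching on the attachment name regardless of declared content type is an assumption about how an "all types" rule would be applied.

```python
import fnmatch
from email import message_from_string
from email.message import Message

# Filter rules named in the thread: README.EXE on all file types, plus *.EML and *.NWS.
BLOCK_PATTERNS = ("readme.exe", "*.eml", "*.nws")


def blocked_attachments(msg: Message) -> list[str]:
    """Return the filenames of every MIME part that matches a block pattern."""
    hits = []
    for part in msg.walk():  # walk() descends into multipart and message/rfc822 parts
        # get_filename() checks Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if not name:
            continue
        # Drop any path component and trailing dots/spaces, then compare case-insensitively
        base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        if any(fnmatch.fnmatchcase(base, pat) for pat in BLOCK_PATTERNS):
            hits.append(name)
    return hits


# Constructed sample: empty subject, attachment named only in Content-Type and
# declared as text/plain, so a rule keyed on content type alone would miss it.
SAMPLE = """\
From: sender@example.com
To: list@example.com
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/plain; name="ReadMe.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(message_from_string(SAMPLE)))
```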