2 of our IIS web servers got caught with it - here's what we found.....
the virus places itself on the server in the winnt directory masquerading as
the MS Management Console file of mmc.exe (of course, the real mmc.exe file
should actually reside in the system32 directory) running under the IUSER
account. once discovered, it was easy to deny permissions for that file,
and then clean up the damage......
we had to take the server offline to clean up, but that only took about 10
minutes with a text editor find/replace tool....
Randy Armbrecht
Global Web Solutions, Inc.
(804) 346.5300
(877) 800.GLOBAL (4562)
http://globalweb.net
----- Original Message -----
From: "Desale Beyne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 1:42 AM
Subject: RE: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with
readme.exe attachment
> Scott:
> I have a server that is infected with NIMDA virus. The server cycles
> between launchpad and Dr. Watson indicating that explorer has caused an
> error. This happens until it runs out of memory. Is there anything I can do
> to stop it?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
> Sent: Tuesday, September 18, 2001 5:39 PM
> To: [EMAIL PROTECTED]
> Subject: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with
> readme.exe attachment
>
>
> FYI, Sophos has just alerted us to a new virus that is apparently spreading
> very quickly, called W32/Nimda-A. Not much information is available
> yet. Apparently, it uses an attachment called "readme.exe".
>
> -Scott
> ---
> Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
> IMail. http://www.declude.com
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/