Exactly.

Antivirus and Intrusion Detection are reactive defenses.  A variant has to
be in the wild and identified, then the signature file updated before you
are protected, but if you patch, then the vulnerability is gone for all
variant exploits.

I just wish Microsoft's release process were better so I felt more
comfortable advising people to implement ALL MS security patches.  (For
relevant services anyway.  On developer desktops I install ALL patches
because they install services outside of my Change Management processes.)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Martin Blackstone
Sent: Sunday, March 10, 2002 1:44 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server


Patch baby, PATCH!!! That's the only safe way to go. Do not depend on
anything else to save you.
HFNetChk to verify.

-----Original Message-----
From: Gregory Toland [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 10, 2002 10:33 AM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server


Thanks for the suggestion.  I spent all day yesterday reformatting my
machine.  Of course, I still don't know how it got through.  I had ZoneAlarm
and Norton AntiVirus running.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alexander Kha Do
Sent: Thursday, February 28, 2002 12:11 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server


Reformat the machine.

I'M NOT KIDDING.  The recommended way to recover from a Nimda compromise is
to reformat and reinstall.  Once Nimda has infected IIS, it will most likely
have infected your mmc.exe, riched20.dll, and a whole lot of other stuff.
Guest is most likely now an administrator of your box. Look at your shared
drives - you'll notice they are open with full write to all network users.

You were most likely infected because you did not code-red patch your IIS.
Nimda initiated a malformed tftp request and sent the admin.dll file into
some dir on your webserver.  Then your webserver infected your whole
computer.  Disconnect it from the network immediately.  It is scanning the
local network for open shares and spitting out those eml files like crazy.
Sorry, but you're pretty much screwed.  If the data is important, pull the
hard drive out and put it in another computer that has the latest and
greatest in virus protection.

http://www.cert.org/advisories/CA-2001-26.html

-----Original Message-----
From: Gregory J Toland [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 6:34 PM
To: NT 2000 Discussions
Cc: Gregory John Toland
Subject: Infected W2K Server


I went on travel this past weekend only to return and find my computer was
infected with three types of Nimda viruses.  Specifically, they are

        1. W32.Nimda.A@mm (dll) virus.
        2. W32.Nimda.E@mm (dr) virus.
        3. W32.Nimda.A@mm (dr) virus.

42 files were infected.  18 files were in C:\Inetpub\scripts\ and were all
named like...

C:\Inetpub\scripts\TFTP860
C:\Inetpub\scripts\TFTP952


I have no idea where these files came from.  18 other files came from
C:\WINNT\Temp\ and were all named like...

C:\WINNT\Temp\mep914.tmp.exe
C:\WINNT\Temp\mep916.tmp.exe


Again, I have no idea where these came from.  Finally, four files that I
would have thought would have been installed in a different directory
were...

C:\Admin.dll
C:\httpodbc.dll
D:\Admin.dll
D:\httpodbc.dll

Norton AntiVirus could not repair them.  They have all been quarantined.
What happened?  I was going to uninstall IIS5 from the C: drive anyway and
install it on the D: drive.  Will this fix any potential problems my
computer may have down the road?  Is this false reporting on Norton's part?

Please enlighten me! :)

Gregory J Toland
Sr. Systems Architect
XWare Systems Inc.
1643 South Tenth Street
Arlington, VA 22204
(703) 979-8378 (Office)
(703) 655-5766 (Mobile)
[EMAIL PROTECTED]


------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
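Added example, not code from the list or from any of its posters: a small host triage helper written against the indicators reported in the thread above (the TFTP* drops in Inetpub\scripts, the mep*.tmp.exe copies in WINNT\Temp, Admin.dll and httpodbc.dll at the drive root, and Guest turning up in the local Administrators group). It assumes the scanned directory is a drive root, typically the suspect disk mounted in a clean machine as the thread advises, and that the group membership is pasted from `net localgroup Administrators`; the sample file tree and group listing are constructed so the script runs offline.

```python
"""Host triage helper for the Nimda indicators named in the thread.

Constructed example: walks a directory tree for the file patterns the
posters reported and parses `net localgroup Administrators` output for the
Guest-in-Administrators symptom. A hit confirms the thread's advice
(rebuild the box); this is not a cleanup tool.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# File indicators quoted in the thread. Paths are matched relative to the
# scanned root (standing in for a drive root such as C:\). Either separator
# is accepted and case is ignored, since NTFS paths are case-insensitive.
FILE_INDICATORS = [
    ("TFTP drop in IIS scripts dir", re.compile(r"^inetpub[\\/]scripts[\\/]tftp\d+$", re.I)),
    ("worm copy in WINNT temp", re.compile(r"^winnt[\\/]temp[\\/]mep\d+\.tmp\.exe$", re.I)),
    ("Admin.dll at drive root", re.compile(r"^admin\.dll$", re.I)),
    ("httpodbc.dll at drive root", re.compile(r"^httpodbc\.dll$", re.I)),
]


@dataclass(frozen=True)
class Finding:
    label: str
    path: str


def scan_tree(root: str) -> List[Finding]:
    """Return one Finding per file under root whose relative path matches an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            for label, pattern in FILE_INDICATORS:
                if pattern.match(rel):
                    findings.append(Finding(label, rel))
    return findings


def parse_net_localgroup(output: str) -> List[str]:
    """Extract member names from `net localgroup <group>` output.

    Members are listed between the dashed separator line and the trailing
    'The command completed successfully.' line.
    """
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line and set(line) == {"-"}:
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.append(line)
    return members


def guest_in_administrators(output: str) -> bool:
    """True when the Guest account appears in the parsed Administrators listing."""
    return any(m.lower() == "guest" for m in parse_net_localgroup(output))


# Constructed `net localgroup Administrators` output for the offline demo.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""


def build_demo_tree(root: str) -> None:
    """Populate root with placeholder files mirroring the thread's report, plus one benign file."""
    for rel in ["Inetpub/scripts/TFTP860", "Inetpub/scripts/TFTP952",
                "WINNT/Temp/mep914.tmp.exe", "Admin.dll", "httpodbc.dll",
                "Inetpub/wwwroot/default.htm"]:  # benign, must not be flagged
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")


def demo_scan() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it (used by the demo and the test)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"[{f.label}] {f.path}")
    print("Guest in Administrators:", guest_in_administrators(SAMPLE_NET_LOCALGROUP))
```

Against a real disk, call `scan_tree` on the mount point of the suspect drive and feed `guest_in_administrators` the captured `net localgroup Administrators` text; the patterns are deliberately narrow (numbered TFTP and mep names, root-level DLLs) so a clean IIS install produces no hits, and any hit should be read as confirmation of the compromise the thread describes rather than as a list of files to delete.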
