http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

-----Original Message-----
From: Tom Buoniello [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

We just sent the following to all our customers.

Tom Buoniello
Sybari Software, Inc.
[EMAIL PROTECTED]

Virus Alert: "W32/Nimda.A@mm"

Is this a Virus that uses E-mail?: yes

Virus Name:
-------------------
W32/Nimda.A@mm

Alias:
-------------------
W32/Nimda-A
W32/Nimda-mm

E-mail Subject:
-------------------
None

E-mail Body:
-------------------
None

E-mail Attachments:
-------------------
README.EXE

Description:
-------------------
This worm will enter a computer in one out of possibly two ways - it will either be received as an email with an attachment, and it seems that it will also attempt to break into machines running the web server software IIS (Internet Information Server), through a security hole known as a "directory traversal exploit".

When the file is run, it will copy itself to the system directory as a hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so that it is run from startup.

At the Present time a Filter Rule for : Readme.exe (all types) will remove this from your email server

We will be releasing AV Engine Updates when they are made available.

Thank You,
Sybari Software, Inc.

More Info:
-------------------
http://www.sybari.com/alerts

List Maintenance:
-------------------
http://www.sybari.com/support/support_list.asp

-----Original Message-----
From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:28 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??

I got the same message. Scanmail ripped off the attachment, because I block all EXE files.

Matthew

Exchange Disaster Recovery, Live it, Learn It, Love It, Get yours today!
http://www.microsoft.com/TechNet/exchange/technote/edrv3p1.asp

"Besides the technical limitations on the PST (remember the P stands for Personal, that means you're responsible not the mail admin)..." Jim Schwartz 8-16-01

>>>-----Original Message-----
>>>From: John Matteson [mailto:[EMAIL PROTECTED]]
>>>Sent: Tuesday, September 18, 2001 11:32 AM
>>>To: Exchange Discussions
>>>Subject: New Virus / Worm ??
>>>
>>>
>>>I received an E-mail from a person that I didn't know this morning, and the
>>>subject line was a lot of nonsense characters.
>>>Using Outlook 2000 I highlighted it and it kicked off the attachment, which
>>>opened Media Player and tried to play a file, but got a content error.
>>>
>>>Here is the header from the message as it was received. Anyone have any
>>>ideas about this?
>>>
>>>===================
>>>Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
>>>mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service
>>>Version
>>>5.5.2653.13)
>>> id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
>>>From: [EMAIL PROTECTED]
>>>To:
>>>Subject:
>>>Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsn
>>>otebootodco0407
>>>logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllod
>>>co040clogv0404o
>>>dco040cbebsdulogv0412odco0407
>>>MIME-Version: 1.0
>>>Content-Type: multipart/related;
>>> type="multipart/alternative";
>>> boundary="====_ABC1234567890DEF_===="
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Unsent: 1
>>>
>>>--====_ABC1234567890DEF_====
>>>Content-Type: multipart/alternative;
>>> boundary="====_ABC0987654321DEF_===="
>>>
>>>--====_ABC0987654321DEF_====
>>>Content-Type: text/html;
>>> charset="iso-8859-1"
>>>Content-Transfer-Encoding: quoted-printable
>>>
>>>--====_ABC0987654321DEF_====--
>>>
>>>--====_ABC1234567890DEF_====
>>>Content-Type: audio/x-wav;
>>> name="readme.exe"
>>>Content-Transfer-Encoding: base64
>>>Content-ID: <EA4DMGBP9p>
>>>
>>>John Matteson; Exchange Manager
>>>Geac Corporate
>>>Infrastructure Systems and Standards
>>>(404) 239 - 2981
>>>
>>>...the words that I remember from my childhood still are true, that there
>>>are none so blind as those who will not see....
>>>--The Moody Blues (I know you're out there)
>>>
>>>
>>>_________________________________________________________________
>>>List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
>>>Archives: http://www.swynk.com/sitesearch/search.asp
>>>To unsubscribe: mailto:[EMAIL PROTECTED]
>>>Exchange List admin: [EMAIL PROTECTED]
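
An attachment check in the spirit of the filter rules discussed in this thread, as an added example that is not part of the original messages or of any vendor's product: it flags a MIME part by file name, by a declared Content-Type that does not fit the name (the quoted header declares audio/x-wav for readme.exe), and by content. The function name, the extension list and the sample message are assumptions constructed for illustration.

```python
import base64
import email
import os

# Assumed block list for this example; the thread itself names only .exe.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat"}

def inspect_attachments(raw: bytes):
    """Return one finding per MIME part a mail filter should strip."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the name= parameter of Content-Type,
        # which is where the quoted message carries "readme.exe".
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        declared = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXT:
            reasons.append("blocked-extension")
            # Program-like name declared as media or text, e.g. audio/x-wav.
            if not declared.startswith("application/"):
                reasons.append("type-mismatch")
        # "MZ" opens every DOS/Windows executable, whatever the part is named.
        if body[:2] == b"MZ":
            reasons.append("pe-magic")
        if reasons:
            findings.append({"name": name, "declared": declared,
                             "reasons": reasons})
    return findings

# Constructed sample modelled on the quoted header; the payload is only the
# two magic bytes plus padding, not a real program.
SAMPLE = "\r\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="',
    "",
    "--====_ABC1234567890DEF_====",
    'Content-Type: text/html; charset="iso-8859-1"',
    "",
    "<html></html>",
    "--====_ABC1234567890DEF_====",
    'Content-Type: audio/x-wav; name="readme.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"MZ" + b"\x00" * 16).decode(),
    "--====_ABC1234567890DEF_====--",
    "",
]).encode()
```

The content check still fires when the same part is renamed to a harmless-looking extension, which a rule keyed only on the file name would miss.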