Re: [Micronet] Security Alert: NIMDA WORM


From: International & Area Studies (iascss@uclink4.berkeley.edu)
Date: Wed Sep 19 2001 - 22:36:25 PDT


After updates are applied, is there anything else we should do? McAfee is
catching and deleting the Nimda virus on one of our servers. I did find
the root.exe on the same server. I used the Code Red cleanup utility to
erase it. It can be found at the following site...
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878
(If you do this, be sure and restart www publishing services afterwards)
Does this mean I should still rebuild the whole system?
Thanks for info.
BG

At 11:41 AM 9/19/01 -0700, Sherry M. Rogers wrote:

> ALERT: NIMDA Worm
>
>The "Nimda Worm" was released yesterday, September 18, and has spread
>aggressively through the Internet using multiple mechanisms. Its ultimate
>purpose seems to be to create an Internet-wide Denial of Service by
>consuming network bandwidth.
>
>When a host is infected, however, so many files are changed that it needs
>to be rebuilt from secure media (CD).
>
>Details about the Nimda Worm can be found at:
> http://www.cert.org/advisories/CA-2001-26.html or at
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>
>
>=> The Nimda worm has the potential to affect both user workstations
> (clients) running Windows 95, 98, ME, NT, or 2000 and servers running
> Windows NT and 2000.
>
>=> It can spread:
>
> * from client to client via email
>
> * from client to client via open network shares
>
> * from web server to client via browsing of compromised web sites
>
> * from client to web server via active scanning for and exploitation
> of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
> (VU #111677)
>
> * from client to web server via scanning for the back doors left
> behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS"
> (CA-2001-11) worms
>
>
>=> Prevention Measures: End Users
>
> * update your virus software with latest code: see links below
>
> * do not open any unknown or unexpected email attachments,
> particularly anything entitled README.exe
>
> * do not use Internet Explorer (IE) to read email unless it has been
> patched (without the patch the attachment will automatically
> be run):
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
> * do not use Outlook Express to read email - it has been reported
> that it will automatically execute the code on preview
>
> * Disable JavaScript before browsing the Web
>
>
>=> Prevention Measures: System Administrators:
>
> * make sure all IIS maintenance has been applied:
> http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
>
> * apply patch for the IE vulnerability:
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
> * disconnect any infected machines immediately
>
> * to determine if your system has been compromised, look
> for the following:
>
> - root.exe artifact (indicates a compromise by Code Red II
> or sadmind/IIS worms making the system vulnerable to the Nimda
> worm)
>
> - admin.dll artifact or unexpected .eml files in the directories
> with web content (indicates compromise by the Nimda worm)
>
>
>Antivirus Vendor Information
>
> Central Command, Inc.
> http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
>
> Command Software Systems
> http://www.commandsoftware.com/virus/nimda.html
>
> Data Fellows Corp
> http://www.datafellows.com/v-descs/nimda.shtml
>
> McAfee
> http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
>
> Sophos
> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>
> Symantec
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> Trend Micro
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>
> http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>
> You may wish to visit the CERT/CC's computer virus resources page
> located at
>
> http://www.cert.org/other_sources/viruses.html
>
>
>-System & Network Security
>
>-------------------------------------------------------------------------
>Sherry M. Rogers University of California, Berkeley
>System & Network Security phone (510)642-7157
>-------------------------------------------------------------------------
>
>------------------------------------------------------------------------
>The following was automatically added to this message by the list server:
>
>For information about Micronet, its meetings and events, and its
>mailing list, including information on subscribing and unsubscribing,
>see the Micronet Web site at <http://wss.berkeley.edu/micronet/>.

----------------------------------------------------------------------
Computing Support Services iascss@uclink.berkeley.edu
International and Area Studies voice: (510) 642-2522
University of California, Berkeley fax: (510) 642-9466
http://www.ias.berkeley.edu
----------------------------------------------------------------------

-----------------------------------------------------------------------
The following was automatically added to this message by the list server:

Webnet information is available at <URL:http://wss.berkeley.edu/webnet/>.
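The quoted advisory names three on-disk compromise indicators for a web server: root.exe (a Code Red II / sadmind-IIS back door that left the system open to Nimda) and admin.dll or unexpected .eml files in web-content directories (Nimda itself). The script below is an added example, not part of the original message; it walks a web root looking for exactly those artifacts, and the sample tree it builds in demo() is constructed for illustration.

```python
"""Scan a web-content tree for the compromise indicators named in the advisory.

Added example, not part of the original message. The filenames (root.exe,
admin.dll, *.eml under web content) come from the quoted CERT/CC text; the
sample tree built in demo() is constructed for illustration.
"""
import os
import tempfile

# Exact filenames from the advisory -> what their presence indicates.
INDICATORS = {
    "root.exe": "Code Red II / sadmind-IIS back door (system exposed to Nimda)",
    "admin.dll": "Nimda worm payload",
}


def scan_web_root(root):
    """Return a list of (path, reason) for every indicator found under root.

    Any .eml file under web content is reported: a site does not normally
    serve mail-message files, so per the advisory each one is 'unexpected'.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()          # NTFS names are case-insensitive
            path = os.path.join(dirpath, name)
            if lower in INDICATORS:
                hits.append((path, INDICATORS[lower]))
            elif lower.endswith(".eml"):
                hits.append((path, "unexpected .eml file in web content (Nimda)"))
    return hits


def demo():
    """Build a constructed sample web root, scan it, and return {relpath: reason}."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("default.htm", "images/logo.gif", "scripts/root.exe",
                    "readme.eml", "inetpub/admin.dll"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()        # empty placeholder files
        return {os.path.relpath(p, root).replace(os.sep, "/"): reason
                for p, reason in scan_web_root(root)}


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel}: {reason}")
```

Point scan_web_root() at the real web root (for IIS typically the inetpub tree) rather than demo()'s temporary directory; a hit for root.exe alone means the machine was already exposed by an earlier worm even if no Nimda artifact is present.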



This archive was generated by hypermail 2b29 : Wed Sep 19 2001 - 22:56:19 PDT