RE: W32/Nimda.a@mm

From: Badruddoza, Abul
Date: 09/19/01

Message-ID: <B8325123D072D411A1350010E3B9DA9528B9D5@RCREXCHANGE1>
From: "Badruddoza, Abul" <>
To: "'Paladino, Scott'" <>, "'Marc Fossi'" <>, Focus-MS <>
Subject: RE: W32/Nimda.a@mm
Date: Tue, 18 Sep 2001 21:12:39 -0400

I haven't heard of any problem with the IIS cumulative patch. It's small and
painless. However, read Q305228
before applying the Windows NT 4.0 Security Rollup Package.

-----Original Message-----
From: Paladino, Scott []
Sent: Tuesday, September 18, 2001 3:02 PM
To: 'Marc Fossi'; Focus-MS
Subject: RE: W32/Nimda.a@mm

Has anyone heard of crashes related to MS01-044 that might be caused by old
BIOS revs?

-----Original Message-----
From: Marc Fossi []
Sent: Tuesday, September 18, 2001 1:47 PM
To: Focus-MS
Subject: W32/Nimda.a@mm

If you haven't already, install the IIS August 15 cumulative patch NOW!!
This worm seems to exploit the same vulnerabilities as CodeRed II and
possibly sadmind/IIS. Secure your FrontPage server extensions and your
MDAC as well while you're at it.

The downtime from doing a reboot to install the patch is way less than the
downtime due to infection. If you are infected (check for presence of
admin.dll modified today 09/18/01 and cmd.exe anywhere in your webroot)
unplug your box from the Internet. We don't have a disinfection procedure
written yet, but it's on the way. I'll post it here when we have it.

Some AV vendors appear to have definitions for this worm, so update your
definitions. Those of you who think that blocking .exe attachments from
email should be aware that I have seen a web page that will execute this
worm (it exploits a vulnerability in IE, not Outlook).

IIS August 15 Cumulative patch
IIS 4.0

IIS 5.0

There is probably more to it, but if you follow all these steps:

IIS 5.0

IIS 4.0

you should be ok.

This patch will protect your desktops from the actual readme.exe file
for IE 5.01sp1 and 5.5.

Marc Fossi, MCSE
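The infection check Marc describes (cmd.exe anywhere under the webroot, and admin.dll modified on 09/18/01) as a small scanner, added here as an example and not part of this thread; the webroot contents are constructed sample files, and the outbreak date is taken from the post:

```python
import os
import tempfile
from datetime import date, datetime
from pathlib import Path

# Day of the outbreak named in the post; admin.dll touched on this day is flagged.
INFECTION_DATE = date(2001, 9, 18)


def scan_webroot(webroot, infection_date=INFECTION_DATE):
    """Walk webroot and return sorted (indicator, path) pairs matching the post's checks.

    Names are compared case-insensitively because IIS runs on a case-insensitive
    filesystem; cmd.exe is flagged wherever it appears, admin.dll only when its
    modification time falls on infection_date.
    """
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            path = Path(root) / name
            lower = name.lower()
            if lower == "cmd.exe":
                findings.append(("cmd.exe in webroot", str(path)))
            elif lower == "admin.dll":
                modified = datetime.fromtimestamp(path.stat().st_mtime).date()
                if modified == infection_date:
                    findings.append(("admin.dll modified on outbreak day", str(path)))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway webroot (constructed sample data) with one clean page,
    a copied cmd.exe in a subdirectory, an admin.dll backdated to 09/18/01, and
    an admin.dll with a current timestamp that must not be flagged."""
    base = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    (base / "scripts").mkdir()
    (base / "default.htm").write_text("<html></html>")
    (base / "scripts" / "cmd.exe").write_bytes(b"MZ")
    suspect = base / "admin.dll"
    suspect.write_bytes(b"MZ")
    ts = datetime(2001, 9, 18, 12, 0).timestamp()  # backdate to the outbreak day
    os.utime(suspect, (ts, ts))
    (base / "scripts" / "admin.dll").write_bytes(b"MZ")  # current mtime, not flagged
    return base


if __name__ == "__main__":
    for indicator, path in scan_webroot(build_sample_webroot()):
        print(f"{indicator}: {path}")
```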