RE: W32/Nimda.a@mm

From: Badruddoza, Abul (aab@Amtrak.com)
Date: 09/19/01


Message-ID: <B8325123D072D411A1350010E3B9DA9528B9D5@RCREXCHANGE1>
From: "Badruddoza, Abul" <aab@Amtrak.com>
To: "'Paladino, Scott'" <scott.paladino@eds.com>, "'Marc Fossi'" <mfossi@securityfocus.com>, Focus-MS <focus-ms@securityfocus.com>
Subject: RE: W32/Nimda.a@mm
Date: Tue, 18 Sep 2001 21:12:39 -0400

I haven't heard of any problem with the IIS cumulative patch. It's small and
painless. However, read
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q305228
before applying the Windows NT 4.0 Security Rollup Package.

-----Original Message-----
From: Paladino, Scott [mailto:scott.paladino@eds.com]
Sent: Tuesday, September 18, 2001 3:02 PM
To: 'Marc Fossi'; Focus-MS
Subject: RE: W32/Nimda.a@mm

Has anyone heard of crashes related to MS01-044 that might be caused by old
BIOS revs?

-----Original Message-----
From: Marc Fossi [mailto:mfossi@securityfocus.com]
Sent: Tuesday, September 18, 2001 1:47 PM
To: Focus-MS
Subject: W32/Nimda.a@mm

If you haven't already, install the IIS August 15 cumulative patch NOW!!
This worm seems to exploit the same vulnerabilities as CodeRed II and
possibly sadmind/IIS. Secure your FrontPage server extensions and your
MDAC as well while you're at it.

The downtime from doing a reboot to install the patch is way less than the
downtime due to infection. If you are infected (check for presence of
admin.dll modified today 09/18/01 and cmd.exe anywhere in your webroot)
unplug your box from the Internet. We don't have a disinfection procedure
written yet, but it's on the way. I'll post it here when we have it.

Some AV vendors appear to have definitions for this worm, so update your
definitions. Those of you who think that blocking .exe attachments from
email should be aware that I have seen a web page that will execute this
worm (it exploits a vulnerability in IE, not Outlook).

IIS August 15 Cumulative patch
IIS 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061

IIS 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011

There is probably more to it, but if you follow all these steps:

IIS 5.0
http://www.microsoft.com/technet/itsolutions/security/tools/iis5chk.asp

IIS 4.0
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp

you should be ok.

This patch will protect your desktops from the actual readme.exe file
attachment:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/download.asp
for IE 5.01sp1 and 5.5.

Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com
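The infection check Marc describes above (admin.dll modified on the outbreak day, cmd.exe anywhere under the webroot) as a scripted sweep, added here as an example and not code from the original post or from SecurityFocus; the function names and the sample directory tree it builds are constructed for the demonstration.

```python
import os
import tempfile
from datetime import date, datetime
from pathlib import Path


def find_nimda_indicators(webroot, modified_on):
    """Walk webroot and return sorted (path, reason) pairs for the two
    indicators named in the post: any cmd.exe under the webroot, and an
    admin.dll whose modification date equals `modified_on`."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "cmd.exe":
                # cmd.exe has no business inside a web root; the worm copies it there
                hits.append((full, "cmd.exe inside webroot"))
            elif lower == "admin.dll":
                mtime = datetime.fromtimestamp(os.path.getmtime(full)).date()
                if mtime == modified_on:
                    hits.append((full, f"admin.dll modified on {modified_on.isoformat()}"))
    return sorted(hits)


def build_sample_webroot(base):
    """Constructed sample tree (not real infection data): a benign page,
    a cmd.exe copied into scripts/, and an admin.dll backdated to 2001-09-18."""
    base = Path(base)
    (base / "scripts").mkdir(parents=True, exist_ok=True)
    (base / "default.htm").write_text("<html></html>")
    (base / "scripts" / "cmd.exe").write_bytes(b"MZ")
    admin = base / "admin.dll"
    admin.write_bytes(b"MZ")
    ts = datetime(2001, 9, 18, 12, 0).timestamp()  # local noon on the outbreak day
    os.utime(admin, (ts, ts))
    return base


def demo():
    """Sweep the constructed tree for the outbreak day and for the day after;
    returns the reasons found in each run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        same_day = [reason for _, reason in find_nimda_indicators(root, date(2001, 9, 18))]
        next_day = [reason for _, reason in find_nimda_indicators(root, date(2001, 9, 19))]
        return same_day, next_day


if __name__ == "__main__":
    for reasons in demo():
        print(reasons)
```

On a real server, point `find_nimda_indicators` at the IIS webroot and pass the date of the outbreak; the date filter is what separates a worm-written admin.dll from a legitimately shipped one.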


