Re: Question regarding attack

From: David Feustel (
Date: 02/04/02

From: "David Feustel" <>
To: <>, <>
Date: Mon, 4 Feb 2002 11:12:59 -0500

I recently experienced the exact same logon behavior after logging off and
immediately attempting
to log on again as administrator. For reasons I won't go into here, I
immediately rebooted the system
in safe mode and selected last known good configuration. When the system
came up I was again able
to log in as administrator. This was on Windows XP however. I run standalone
(not part of a domain)
on a cable modem.

----- Original Message -----
From: <>
To: <>
Sent: Friday, February 01, 2002 6:14 PM
Subject: Question regarding attack

> A couple of our Windows 2000/NT machines were attacked overnight recently.
A user attempting to log on to the machine reported that they entered their
password, clicked enter, and the logon screen reappeared. When we rebooted
the machine, we found that a large number of files, including the ntoskrnl
file had been deleted, along with basically all executables in the Winnt
directory, event logs, and web logs also appear to have been deleted.
> We haven't been able to identify any trojans as living on the machines,
although, because the log files have been deleted, we're having some
difficulty tracking down how the attack was executed. Does anyone recognize
this as any sort of "signature" for a particular virus or worm?
> Thanks
> GP