RE: New "concept" virus/worm?

From: Tina Bird (tbird@precision-guesswork.com)
Date: 09/18/01


Date: Tue, 18 Sep 2001 14:50:46 -0500 (CDT)
From: Tina Bird <tbird@precision-guesswork.com>
To: Christian Hampson <champson@hampsonservices.com>
Subject: RE: New "concept" virus/worm?
Message-ID: <Pine.LNX.4.10.10109181448570.24424-100000@kuspy.phsx.ukans.edu>

McAfee/NAI has a removal tool:

http://download.nai.com/products/mcafee-avert/nimda2.exe

On Tue, 18 Sep 2001, Christian Hampson wrote:

> Date: Tue, 18 Sep 2001 11:29:09 -0700
> From: Christian Hampson <champson@hampsonservices.com>
> To: incidents@securityfocus.com, focus-virus@securityfocus.com
> Subject: RE: New "concept" virus/worm?
>
> Please forgive the cross-post.
>
> I am at a client site. Win2k without SP2 is infected. NT4 without IIS
> or an email client installed has not been affected. Fortunately, that
> is the server containing payroll.
>
> If anyone has developed or heard of a removal tool, I would love to hear
> about it.
>
> So far, I have seen McAfee, Sophos, and F-Secure post definitions for
> this virus.
>
> Christian Hampson
> champson@hampsonservices.com
>
> -----Original Message-----
> From: Dave Salovesh [mailto:salovesh@ramassociates.com]
> Sent: Tuesday, September 18, 2001 10:21
> To: 'Brett Glass'; Jay D. Dyson; Incidents List
> Cc: Vuln Dev
> Subject: RE: New "concept" virus/worm?
>
>
> It infects 98 (I've got it on the one 98 workstation we run) and may
> have been involved in infecting two NT4 servers.
>
> I also have two UNinfected NT4 servers that are patched to about the
> same level as the infected ones - not quite completely patched, but I
> think I've selected all the appropriate ones for the role each server
> plays.
>
> My W2K server is patched up to the minute and didn't get infected. So
> far...
>
>

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com