RE: New "concept" virus/worm?

From: Dave Salovesh (salovesh@ramassociates.com)
Date: 09/18/01 

Message-ID: <887F9D149D25D211B34500A0C986EB3E275239@ramassociates.com>
From: Dave Salovesh <salovesh@ramassociates.com>
To: 'Brett Glass' <brett@lariat.org>, "Jay D. Dyson" <jdyson@treachery.net>, Incidents List <incidents@securityfocus.com>
Subject: RE: New "concept" virus/worm?
Date: Tue, 18 Sep 2001 13:21:13 -0400

It infects 98 (I've got it on the one 98 workstation we run) and may have
been involved in infecting two of NT4 servers.

I also have two UNinfected NT4 servers that are patched to about the same
level as the infected ones - not quite completely patched, but I think I've
selected all the appropriate ones for the role each server plays.

My W2K server is patched up to the minute and didn't get infected. So
far... 

-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635

> -----Original Message-----
> From: Brett Glass [mailto:brett@lariat.org]
> Sent: Tuesday, September 18, 2001 12:58 PM
> To: Jay D. Dyson; Incidents List
> Cc: Vuln Dev
> Subject: Re: New "concept" virus/worm?
> 
> 
> At 10:21 AM 9/18/2001, Jay D. Dyson wrote:
> 
> >        It's a two-prong worm.  It appears to be primarily 
> disseminated
> >via e-mail, and then launches its attacks on web hosts upon 
> successful
> >infection.
> 
> Newsbytes is calling this worm "Code Rainbow," while some of 
> the antivirus
> firms seem to be calling it "W32.Nimda.A@mm".
> 
> Can the e-mail infect anything other than Windows NT/2000? 
> Will it infect
> a system that's running Windows NT/2000 but not IIS? If a 
> Windows 95/98/ME 
> user opens it, will his or her system begin to spread the 
> worm as well?
> 
> --Brett Glass
> 
> 
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
>

Relevant Pages

  • lsass.exe error
    ... The worm locates the Windows ... Blaster worm infect your computer ... Retrieves the IP addresses of the infected computer, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: WORM
    ... A worm, would never infect a computer owned by a person ... >> I believe it comes from Windows. ... >I do not use outlook or outlook express for email any ...
    (microsoft.public.security.virus)
  • Full description from f-secure
    ... This worm was found on September 18th, ... If affects Windows 95, Windows 98, ... Nimda is the first worm to modify existing web sites to start offering ... Nimda uses the Unicode exploit to infect IIS web servers. ...
    (NT-Bugtraq)
  • Re: New "concept" virus/worm?
    ... Newsbytes is calling this worm "Code Rainbow," while some of the antivirus ... Can the e-mail infect anything other than Windows NT/2000? ...
    (Incidents)
  • Re: New "concept" virus/worm?
    ... Newsbytes is calling this worm "Code Rainbow," while some of the antivirus ... Can the e-mail infect anything other than Windows NT/2000? ...
    (Vuln-Dev)