Re: RDRIV Virus

phpwebpages_at_yahoo.ca
Date: 05/06/05


Date: 6 May 2005 10:15:51 -0700

This is the W32.Spybot.NLX worm. It is a worm that has distributed
denial of service and back door capabilities for about a month now on
many servers worldwide.

I had the same problem. This infection is targeted, from my
understanding, at PCs like mine that run mail servers, DNS, FTP, Web,
and so on. Servers with these types of programs running that do not
have proper protection are certainly at risk. Visit Windows Update and
be sure to get all of the critical security updates, likely over 50
after a clean install of XP. I formatted this week and had this problem
now after the reinstall of XP. I have just installed a firewall and as
mentioned above, did all of the Windows Security Updates. I also
scanned my server and found 1 infected file, which was rdriv.sys in the
system32 folder. I could not 'fix', quarantine or delete this file in
normal mode. After removal in safe mode and removing some registry
values, the problem has been solved.

--------------

Visit
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.nlx.html
for more information on this worm.

--------------

The biggest pain in the ass about this infection is that it uses all
the resources on the machine and renders it not usable for anything. It
will stop the user from basic use on the machine like browsing folders
in Explorer, making changes in the control panel, or even simple tasks
like opening a document or clicking the start menu. This bug is
nasty...be careful.

Be sure to do updates, be sure to have a firewall...and all should be
fine...

- Derek Bond
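A read-only triage check for the indicator named in the post above (rdriv.sys under system32), added here as an example and not part of the original message. It assumes the driver is registered the usual way, as a service under HKLM\SYSTEM\CurrentControlSet\Services; the post does not say which registry values it removed, so this only reports candidates for review and deletes nothing.

```powershell
# Added example (not from the original post): report whether rdriv.sys is present
# in System32 and which driver/service entries reference it. Read-only.
$target = 'rdriv.sys'
$path   = Join-Path $env:SystemRoot "System32\$target"

if (Test-Path -LiteralPath $path) {
    $f = Get-Item -LiteralPath $path -Force
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output ("FOUND {0}  size={1}  created={2}  sha256={3}" -f `
        $f.FullName, $f.Length, $f.CreationTime, $hash)
} else {
    Write-Output "not present: $path"
}

# Loaded or registered kernel drivers that point at the file.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($target) } |
    Select-Object Name, State, StartMode, PathName

# Assumption: the driver is registered as a service key; walk the Services hive
# directly so an entry that is not currently loaded is still surfaced for review.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath `
                -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match [regex]::Escape($target)) {
            [pscustomobject]@{ ServiceKey = $_.PSChildName; ImagePath = $img }
        }
    }
```

Run it from an elevated prompt; if the file cannot be read or the service keys cannot be enumerated in normal mode, that matches the poster's experience and the review belongs in safe mode.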


