From: Frank.Swiftvodafone-us.com
Date: Tue Sep 18 2001 - 18:28:45 CDT


    It is probably related to the new worm Nimda, which is "admin" spelled
    backwards.
    frank

    Hi Everyone,

    This is not exactly an ISS product-related question, so I apologize in
    advance if this is out of the scope of the forum. However, I was wondering
    if any of you had encountered a virus with the following characteristics
    (or similar), and, if so, if you know of a fix. This was reported to me as
    appearing on a Windows 2000 machine, running IIS, today.

    The virus apparently:

     - Creates a file "admin.dll" in the root directory
     - Makes Registry changes to add or attach this "admin.dll" to Explorer,
    such that it runs automatically
     - Adds the Guest account to the Administrators group
     - Starts up multiple TFTP processes (to several sites) in the background
     - Creates files named "tftp#", also in the root directory
     - Maybe more?

    I have not been able to find anything about this via McAfee,
    Symantec/Norton, CAI, F-Secure, Kaspersky or Sophos. Cheyenne's A/V product
    also did not catch it. It has some similarities to Code Blue, so it may be
    a variant - who knows? Any information would be helpful.

    Thanks in advance!

    Roy Wilkinson
    Manager of Security
    WebTone Technologies
    Phone & Fax: (404) 439-8238
    Visit our website! http://www.webtonetech.com
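
The characteristics listed in the report above can be turned into a quick host triage check. The following is an added example, not part of the original messages: the function names, the reading of "tftp#" as "tftp" followed by digits, the process-count threshold and the sample host state are all assumptions, and the registry change is not checked because the report does not name the key.

```python
import os
import re
import tempfile

# File names from the report: "admin.dll" and files named "tftp#".
# Assumption: "#" stands for one or more digits.
TFTP_DROP = re.compile(r"^tftp\d+$", re.IGNORECASE)

def scan_root(root):
    """Return indicator file names found directly in `root` (no recursion)."""
    hits = []
    for name in sorted(os.listdir(root)):
        if not os.path.isfile(os.path.join(root, name)):
            continue
        if name.lower() == "admin.dll" or TFTP_DROP.match(name):
            hits.append(name)
    return hits

def triage(root, admin_group_members, process_names, tftp_threshold=2):
    """Match collected host state against the reported characteristics.

    admin_group_members: members of the local Administrators group.
    process_names: image names of running processes.
    tftp_threshold: assumed cut-off for "multiple TFTP processes".
    """
    findings = [("file", name) for name in scan_root(root)]
    # Accept both "Guest" and "HOST\\Guest" style member names.
    if any(m.split("\\")[-1].lower() == "guest" for m in admin_group_members):
        findings.append(("group", "Guest is a member of Administrators"))
    tftp = sum(1 for p in process_names if p.lower() in ("tftp", "tftp.exe"))
    if tftp >= tftp_threshold:
        findings.append(("process", f"{tftp} concurrent tftp processes"))
    return findings

def demo():
    # Constructed sample host state, not data from the original report.
    with tempfile.TemporaryDirectory() as root:
        for name in ("Admin.DLL", "TFTP1234", "tftp88", "boot.ini", "tftp.txt"):
            open(os.path.join(root, name), "w").close()
        members = ["WEB01\\Administrator", "WEB01\\Guest"]
        procs = ["inetinfo.exe", "tftp.exe", "TFTP.EXE", "tftp.exe"]
        return triage(root, members, procs)

if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

On a live system the group members and process names would be collected with the platform's own tools and passed in; a single tftp process or a file such as "tftp.txt" is deliberately not flagged.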