From: Russ (Russ.CooperRC.ON.CA)
Date: Fri Sep 21 2001 - 07:26:19 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Folks,

    I'm just finishing up something that you'll be able to use to
    remotely determine whether an NT/W2K machine has been infected with
    Nimda.

    The tool will be the HFNetChk utility which Microsoft released a
    couple of months back (although you'll need to use the newest beta
    version for it to work properly) and a customized XML file that I'll
    host here at www.ntbugtraq.com.

    This isn't intended to replace your anti-virus software, but since
    many of you don't currently use AV on your servers, it may help in
    diagnosing which machines you need to give immediate attention to and
    which you can temporarily leave for later (every machine should be
    thoroughly checked regardless of what this scan tells you).

    I cannot guarantee that it will pick up all infected machines, but
    with your help we can make it as effective as possible. Below is a
    list of files and locations I'll be checking. A hit on any of them
    will produce a warning that the system may be infected. You'd then
    have to go and inspect the machine further to determine whether it is
    or isn't infected. Since this is based on HFNetChk, you can check an
    entire domain/subnet in a single command line.

    Here's the list I'm checking. If you know of any files and/or
    locations that are not included that represent a good indication the
    machine is infected, please advise:

    admin.dll %systemdrive%
    admin.dll %systemdrive%\inetpub\scripts
    admin.dll %systemdrive%\inetpub\wwwroot
    admin.dll %systemdrive%\program files\common files\system\msadc
    admin.dll %windir%
    admin.dll %windir%\system
    admin.dll %windir%\system32

    readme.eml %systemdrive%
    readme.eml %systemdrive%\inetpub\scripts
    readme.eml %systemdrive%\inetpub\wwwroot
    readme.eml %systemdrive%\program files\common files\system\msadc
    readme.eml %windir%
    readme.eml %windir%\system
    readme.eml %windir%\system32
    readme.eml %windir%\system32\dllcache
    readme.eml %windir%\system32\drivers
    readme.eml %windir%\system32\inetsrv
    readme.eml %windir%\system32\inetsrv\iisadmin

    readme.exe %systemdrive%
    readme.exe %systemdrive%\inetpub\scripts
    readme.exe %systemdrive%\inetpub\wwwroot
    readme.exe %systemdrive%\program files\common files\system\msadc
    readme.exe %windir%
    readme.exe %windir%\system
    readme.exe %windir%\system32
    readme.exe %windir%\system32\dllcache
    readme.exe %windir%\system32\drivers
    readme.exe %windir%\system32\inetsrv
    readme.exe %windir%\system32\inetsrv\iisadmin

    root.exe %systemdrive%
    root.exe %systemdrive%\inetpub\scripts
    root.exe %systemdrive%\inetpub\wwwroot
    root.exe %systemdrive%\program files\common files\system\msadc
    root.exe %windir%
    root.exe %windir%\system
    root.exe %windir%\system32
    root.exe %windir%\system32\dllcache
    root.exe %windir%\system32\drivers
    root.exe %windir%\system32\inetsrv
    root.exe %windir%\system32\inetsrv\iisadmin

    Cheers,
    Russ - NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO6sx6xBh2Kw/l7p5AQGfHwQAikAuYsIY2hN/6ehlV4CUyKDdHlXYXm0D
    N+HLx0gfpRsGrHeBeHNspTq3OOm9KRrcTQKJJrOpSZ3HeBDqWvUo8egpuQDc2YZs
    cbof57t6y9ZFuJPNmZRLedvGBhBLSuFs/1FGyEnJ555EmyvSfC99/XPcZGNpIpfC
    RpynnmeyF30=
    =+AnT
    -----END PGP SIGNATURE-----
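
The sweep Russ describes, as an added example that is not part of the original post, not HFNetChk and not his XML file: it transcribes the filename/directory pairs listed above into a table, resolves the %systemdrive% and %windir% placeholders against paths the operator supplies, and reports which indicator files exist. It runs locally against whatever filesystem it can reach (the host's own drive, or an administrative share such as \\host\C$ mapped to a drive letter, which is an assumption about how you would point it at a remote box). The directory layout it builds under a temp directory is constructed for the demonstration and is not a real infected host. As in the post, a hit means "inspect this machine further", and an empty result is not a clean bill of health.

```python
"""Local file-indicator sweep for the Nimda artefacts listed in the post.

Added example: not HFNetChk and not the NTBugtraq XML file. It checks the
same filename/directory pairs on a filesystem it can reach (assumption: the
local drive, or an admin share such as \\\\host\\C$ mapped to a drive letter).
"""
import os
import tempfile

# Directory templates transcribed from the post. admin.dll is checked in the
# first seven only; readme.eml, readme.exe and root.exe in all eleven.
_BASE_DIRS = [
    r"%systemdrive%",
    r"%systemdrive%\inetpub\scripts",
    r"%systemdrive%\inetpub\wwwroot",
    r"%systemdrive%\program files\common files\system\msadc",
    r"%windir%",
    r"%windir%\system",
    r"%windir%\system32",
]
_EXTRA_DIRS = [
    r"%windir%\system32\dllcache",
    r"%windir%\system32\drivers",
    r"%windir%\system32\inetsrv",
    r"%windir%\system32\inetsrv\iisadmin",
]
NIMDA_INDICATORS = {
    "admin.dll": _BASE_DIRS,
    "readme.eml": _BASE_DIRS + _EXTRA_DIRS,
    "readme.exe": _BASE_DIRS + _EXTRA_DIRS,
    "root.exe": _BASE_DIRS + _EXTRA_DIRS,
}


def expand_template(template, systemdrive, windir):
    """Resolve the %systemdrive%/%windir% prefix and join the remaining
    backslash-separated components with the host's own path separator."""
    prefix, _, rest = template.partition("\\")
    root = {"%systemdrive%": systemdrive, "%windir%": windir}[prefix.lower()]
    parts = [p for p in rest.split("\\") if p]
    return os.path.join(root, *parts)


def find_file_ci(directory, name):
    """Case-insensitive lookup: NTFS ignores case, but a share mounted on a
    POSIX host may not. Returns the real path of the match, or None."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        path = os.path.join(directory, entry)
        if entry.lower() == name and os.path.isfile(path):
            return path
    return None


def scan_host(systemdrive, windir):
    """Return (indicator, path) for every indicator file found. An empty list
    only means none of the listed files were seen, not that the host is clean."""
    hits = []
    for name, templates in NIMDA_INDICATORS.items():
        for tmpl in templates:
            found = find_file_ci(expand_template(tmpl, systemdrive, windir), name)
            if found:
                hits.append((name, found))
    return hits


def build_constructed_tree():
    """Constructed sample layout (not a real infected host): plants root.exe in
    the scripts directory, README.EML (upper case) in system32, and one benign
    file, under a fresh temp directory. Returns (systemdrive, windir)."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    sysdrive = os.path.join(root, "C")
    windir = os.path.join(sysdrive, "WINNT")
    for rel in ("inetpub/scripts", "inetpub/wwwroot", "WINNT/system32/inetsrv"):
        os.makedirs(os.path.join(sysdrive, *rel.split("/")), exist_ok=True)
    for rel in ("inetpub/scripts/root.exe",
                "WINNT/system32/README.EML",
                "inetpub/wwwroot/default.htm"):
        with open(os.path.join(sysdrive, *rel.split("/")), "w") as fh:
            fh.write("sample")
    return sysdrive, windir


def demo():
    """Build the constructed tree and sweep it; returns the sorted hit list."""
    sysdrive, windir = build_constructed_tree()
    return sorted(scan_host(sysdrive, windir))


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"WARNING: possible Nimda artefact {indicator} at {path}")
```

To point it at a real NT/W2K box, pass the actual system drive and Windows directory (for example `scan_host("C:\\", "C:\\WINNT")` on the host itself, or the corresponding paths under a mapped admin share). Each hit is an ordinary file-presence match, so a custom IIS virtual directory or an unrelated readme.exe will also trip it; treat the output as a triage list, not a verdict.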
