Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: J.R. Lewis (jrcomprecorp.com)
Date: Tue Sep 18 2001 - 17:09:14 CDT
First time poster, but I have information that might be useful to most.
I have encountered an infected machine; it looks to be the new worm Nimda.A,
and these are my observations (NT4).
A vulnerable server gets infected, a copy of admin.dll gets added to
c:\program files\common files\system\msadc
In this case mmc.exe gets placed into the C:\winnt dir. (Note: the actual
mmc.exe belongs in c:\winnt\system32; this is a completely different file
used to propagate the worm.) This file is run as process mmc.exe three
times, and launches around 700 threads seeking vulnerable servers. On this
server Exchange is installed, and almost every directory has the readme.eml;
almost ALL the .htm files on the server have also been appended with
Java code to open the readme.eml file on machines browsing the server's pages.
Select .ASP files are also appended with this Java code. (Brackets have
been changed, just in case Outlook gets any ideas.)
Guest account was enabled on this machine also. After installing the IIS
patch from 8-15, the worm still spreads itself, recreating the mmc.exe when
removed, and after the processes have been killed. There are also other
.eml files scattered about that are just copies of the readme.eml, as well
as .nws files. There are also strange mep*.tmp files in the winnt dir.
Hope this helps some people.
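The observations above amount to a host-level indicator list. As an added example (not part of the original post or of any vendor tooling), here is a small sweep that walks a directory tree, such as a copied webroot or a mounted image of the infected box, and reports each of the artifacts the poster describes: admin.dll under msadc, a rogue mmc.exe in winnt rather than winnt\system32, readme.eml/.nws copies, mep*.tmp files in winnt, and .htm/.asp pages that carry a script opening readme.eml. The script-tag pattern is an assumption derived from the description (the post deliberately does not show the appended code), and the sample tree is constructed inside the script so it runs offline.

```python
"""Sweep a directory tree for the Nimda artifacts described in the post.

Added example; paths and the appended-script pattern are assumptions based on
the poster's description, and the sample tree below is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed shape of the appended page code: a <script> element whose body names
# readme.eml. The post only says the pages open readme.eml via script.
APPENDED_SCRIPT = re.compile(rb"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.I)

WEB_SUFFIXES = {".htm", ".html", ".asp"}   # page types the post says were appended
MAIL_SUFFIXES = {".eml", ".nws"}           # worm mail copies scattered in directories
MEP_TMP = re.compile(r"^mep.*\.tmp$", re.I)


def _rel(root: Path, p: Path) -> str:
    """Lower-cased, forward-slash relative path (NT paths are case-insensitive)."""
    return p.relative_to(root).as_posix().lower()


def scan_tree(root: str) -> dict[str, list[str]]:
    """Return {indicator: sorted relative paths} for everything that matches."""
    root_p = Path(root)
    hits: dict[str, list[str]] = {
        "dropped admin.dll": [], "rogue mmc.exe": [], "mail copies": [],
        "mep tmp files": [], "appended web pages": [],
    }
    for dirpath, _dirs, files in os.walk(root_p):
        d = Path(dirpath)
        parent = _rel(root_p, d)   # "." at the root of the tree
        for name in files:
            p = d / name
            low = name.lower()
            rel = _rel(root_p, p)
            suffix = Path(low).suffix
            if low == "admin.dll" and parent.endswith("msadc"):
                hits["dropped admin.dll"].append(rel)
            elif low == "mmc.exe" and parent == "winnt":
                # The legitimate mmc.exe lives in winnt/system32; only the copy
                # sitting directly in winnt is the propagation binary.
                hits["rogue mmc.exe"].append(rel)
            elif suffix in MAIL_SUFFIXES:
                hits["mail copies"].append(rel)
            elif parent == "winnt" and MEP_TMP.match(low):
                hits["mep tmp files"].append(rel)
            elif suffix in WEB_SUFFIXES:
                try:
                    data = p.read_bytes()
                except OSError:
                    continue
                if APPENDED_SCRIPT.search(data):
                    hits["appended web pages"].append(rel)
    return {k: sorted(v) for k, v in hits.items() if v}


def build_sample_tree(root: str) -> None:
    """Create a constructed NT-like tree mixing infected and clean files."""
    r = Path(root)
    # Constructed sample of an appended page: original content followed by a
    # script that opens readme.eml (the shape is assumed, see module docstring).
    appended = (b"<html><body>hello</body></html>\n"
                b'<html><script language="JavaScript">window.open("readme.eml", null, '
                b'"resizable=no,top=6000,left=6000")</script></html>')
    files = {
        "winnt/mmc.exe": b"MZ rogue copy",
        "winnt/system32/mmc.exe": b"MZ legitimate console",
        "winnt/mep1a2b.tmp": b"scratch",
        "Program Files/Common Files/System/msadc/admin.dll": b"MZ worm dll",
        "inetpub/wwwroot/default.htm": appended,
        "inetpub/wwwroot/clean.htm": b"<html><body>untouched</body></html>",
        "inetpub/wwwroot/login.asp": b"<%=1%>" + appended,
        "inetpub/wwwroot/readme.eml": b"MIME-Version: 1.0\r\n",
        "inetpub/wwwroot/docs/readme.nws": b"MIME-Version: 1.0\r\n",
    }
    for rel, data in files.items():
        path = r / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, sweep it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    for indicator, paths in demo().items():
        print(indicator)
        for rel in paths:
            print("    " + rel)
```

Point `scan_tree` at the root of a mounted image (or at C:\ on the box itself) and review the listing before deleting anything: the poster notes that killing the process and removing mmc.exe is not enough on its own, so the sweep is a way to see how much of the tree was touched, not a cleanup tool.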