RE: New "concept" virus/worm?

[Tina Bird <tbird () precision-guesswork com>]

McAfee/NAI has a removal tool:

http://download.nai.com/products/mcafee-avert/nimda2.exe

On Tue, 18 Sep 2001, Christian Hampson wrote:

> Date: Tue, 18 Sep 2001 11:29:09 -0700
> From: Christian Hampson <champson () hampsonservices com>
> To: incidents () securityfocus com, focus-virus () securityfocus com
> Subject: RE: New "concept" virus/worm?
>
> Please forgive the cross-post.
>
> I am at a client site.  Win2k without SP2 is infected.  NT4 without IIS
> or an email client installed has not been affected.  Fortunately, that
> is the server containing payroll.
>
> If anyone has developed or heard of a removal tool, I would love to hear
> about it.
>
> So far, I have seen McAfee, Sophos, and F-Secure post definitions for
> this virus.
>
> Christian Hampson
> champson () hampsonservices com
>
> -----Original Message-----
> From: Dave Salovesh [mailto:salovesh () ramassociates com] 
> Sent: Tuesday, September 18, 2001 10:21
> To: 'Brett Glass'; Jay D. Dyson; Incidents List
> Cc: Vuln Dev
> Subject: RE: New "concept" virus/worm?
>
>
> It infects 98 (I've got it on the one 98 workstation we run) and may
> have been involved in infecting two of NT4 servers.
>
> I also have two UNinfected NT4 servers that are patched to about the
> same level as the infected ones - not quite completely patched, but I
> think I've selected all the appropriate ones for the role each server
> plays.
>
> My W2K server is patched up to the minute and didn't get infected.  So
> far...

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com