Security Incidents mailing list archives
Re: NIMDA Removal
From: Johannes Verelst <johannes () verelst net>
Date: Wed, 19 Sep 2001 19:04:42 +0200 (MEST)
On Wed, 19 Sep 2001, Isherwood Jeff C Contr AFRL/IFOSS wrote:
> Now that everyone has had a chance to look at it (I'm sure many folks captured live copies of this bugger).
You say the following in your advisory:
> Search for file types above containing readme.eml, but pay close
> attention to the following default file names:
> index.html
> index.htm
> ...
On our systems (web development machines with hundreds of HTML/ASP pages)
all the files were infected, so EDIT ALL YOUR ASP/HTML FILES!!!!!
Yes, I must stress this once again:
EDIT ALL YOUR ASP/HTML FILES!!!!!
You can use the Microsoft 'find' function to find all files that have the
string 'readme.eml' in them to find all infected HTML/ASP files.
Kind regards,
Johannes Verelst
--
Unix is simple. It just takes a genius to understand its simplicity
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
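The search described in the message above, written as a script. This is an added example, not part of the original post: it walks a web root, checks .html/.htm/.asp files for the string readme.eml regardless of case, and reports the line numbers that need editing. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

MARKER = b"readme.eml"                  # string named in the post
EXTENSIONS = (".html", ".htm", ".asp")  # file types named in the post


def find_marker_lines(path, marker=MARKER):
    """Return 1-based line numbers in `path` that contain `marker` (any case)."""
    hits = []
    with open(path, "rb") as fh:        # read bytes: avoids decode errors on mixed encodings
        for lineno, line in enumerate(fh, start=1):
            if marker in line.lower():
                hits.append(lineno)
    return hits


def scan_tree(root, extensions=EXTENSIONS):
    """Walk `root`; map each matching file (relative path) to its hit lines."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            try:
                hits = find_marker_lines(full)
            except OSError as exc:      # locked or unreadable: record it, do not skip silently
                report[os.path.relpath(full, root)] = "unreadable: %s" % exc
                continue
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_tree(root):
    """Constructed sample content, not captured from a real infection."""
    os.makedirs(os.path.join(root, "app"))
    clean = b"<html><body>hello</body></html>\n"
    tagged = clean + b'<script>window.open("README.EML")</script>\n'
    for rel, body in (("index.html", tagged), ("app/Default.ASP", tagged),
                      ("app/about.htm", clean), ("notes.txt", tagged)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, hits in sorted(scan_tree(tmp).items()):
            print(rel, hits)
```

Files stored as UTF-16 will not match a byte search for the ASCII marker, so check those separately.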
