[TriLUG] Battling new IIS worm - appreciate ANY help!
Mike Johnson
mike at enoch.org
Tue Sep 18 14:27:25 EDT 2001
Jon Carnes [jonc at nc.rr.com] wrote:
> We run both apache and IIS, and last week I talked the web team into moving
> over to Apache - alas, that has not occurred yet.
>
> We *think* we have it under control. A scan of the affected systems,
> looking for any file changed or added as of this morning revealed much. We
> did the following (and seem to have it under control):
> - renamed Admin.dll on the C: drive to admin_dll.old
> - deleted all exe created this morning on drive C:
>   mmc.exe would not let us delete it, so we booted to a DOS disk and
>   zapped it.
> - edited the etc/services file replacing "69/tftp" with "0/tftp"
> (it seems to use tftp to try and spread).
Keep in mind that it's also an e-mail virus. If one of your users
receives and executes it, it starts spreading again. Also, if they
visit a compromised website, that website will attempt to download
and run the file.
Mike
--
Never trust a man who puts anything other than a finger up his nose. - _Snatch_