[TriLUG] Battleing new IIS worm - appreciate ANY help!

Jon Carnes jonc at nc.rr.com
Tue Sep 18 14:11:36 EDT 2001


We run both apache and IIS, and last week I talked the web team into moving
over to Apache - alas, that has not occurred yet.

We *think* we have it under control.  A scan of the affected systems,
looking for any file changed or added as of this morning revealed much.  We
did the following (and seem to have it under control):
 - renamed Admin.dll on the C: drive to admin_dll.old
 - deleted all .exe files created this morning on drive C:
   (mmc.exe would not let us delete it, so we booted to a DOS disk and zapped
   it).
 - edited the etc/services file replacing "69/tftp" with "0/tftp"
   (it seems to use tftp to try and spread).

The nasty little bugger even downloaded its own java, etc...  Man, anyone
talented enough to put this together should be automating software installs
for companies like Akamai (or sumptin!).

And yes, I did give a few digs to our IIS supporters...

Jon
----- Original Message -----
From: <jeremyp at pobox.com>
To: "Triangle Linux Users Group" <trilug at trilug.org>
Sent: Tuesday, September 18, 2001 1:02 PM
Subject: Re: [TriLUG] Battleing new IIS worm - appreciate ANY help!


>
> NTBugTraq says to immediately disconnect any infected IIS boxen, as
> they're just learning the scope, and don't yet know how to disinfect.
>
> Apparently it tries to spread via Windows shares, sends email to infect OE
> users, attacks other servers code-red style, and modifies web pages with
> the OE exploit as well.  Nasty thing, and it started at the one-week
> anniversary of the bombings. See NTBugTraq archives for more info, plus
> there's stuff on Symantec's web site.
>
> I haven't had any huge network problems from it; Apache of course just
> 404s everything, so the worst problem is filling up logs.  But I know you
> have a big server farm -- is the added traffic your big problem?
>
> --Jeremy
>
> On Tue, 18 Sep 2001, Jon Carnes wrote:
>
> > Yah, it's off topic...
> >
> > Jon
> >
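
The triage Jon describes above (scan the affected hosts for anything changed or added since this morning, then look hardest at the freshly dropped .exe and .dll files) can be scripted. The block below is an added example and not code from the thread or from anyone on it. The inetpub/wwwroot path, the cutoff timestamp and the sample files are constructed for the demonstration; it keys on modification time only, which a tampered file can back-date, so its output is a worklist for a human, not proof that a host is clean.

```python
import os
import tempfile
from pathlib import Path

# File types the thread singles out (Admin.dll, freshly dropped .exe files).
SUSPECT_EXTENSIONS = {".exe", ".dll"}

# Constructed cutoff: a fixed epoch timestamp standing in for "this morning".
CUTOFF_EPOCH = 1_000_800_000


def find_recent_files(root, cutoff_epoch):
    """Walk `root` and return files whose mtime is at or after `cutoff_epoch`.

    Each entry is (relative_path, mtime, suspect). `suspect` is True when the
    extension is one a triage should open first. Uses mtime only: POSIX stat()
    has no portable creation time, so a file whose timestamp was back-dated
    will not show up here.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable or vanished mid-walk; skip rather than abort
            if st.st_mtime >= cutoff_epoch:
                rel = path.relative_to(root).as_posix()
                hits.append((rel, st.st_mtime, path.suffix.lower() in SUSPECT_EXTENSIONS))
    hits.sort()
    return hits


def build_sample_tree(root, cutoff_epoch):
    """Constructed sample tree: one long-standing file, two files touched after the cutoff.

    The inetpub/wwwroot layout is an assumption about a typical IIS install,
    not something taken from the thread.
    """
    root = Path(root)
    (root / "inetpub" / "wwwroot").mkdir(parents=True)
    samples = {
        "inetpub/wwwroot/default.htm": cutoff_epoch - 86_400,  # unchanged since yesterday
        "inetpub/wwwroot/Admin.dll": cutoff_epoch + 600,       # dropped this morning
        "inetpub/wwwroot/readme.txt": cutoff_epoch + 1_200,    # also new, but not a binary
    }
    for rel, mtime in samples.items():
        p = root / rel
        p.write_text("constructed sample content\n")
        os.utime(p, (mtime, mtime))  # pin the timestamp so the scan is deterministic
    return samples


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, CUTOFF_EPOCH)
        return find_recent_files(tmp, CUTOFF_EPOCH)


if __name__ == "__main__":
    for rel, mtime, suspect in run_demo():
        flag = "SUSPECT" if suspect else "review "
        print(f"{flag}  {mtime:.0f}  {rel}")
```

On a real host you would point `find_recent_files` at the volume root with a cutoff taken from the last known-good backup or the first alert, and treat every SUSPECT line as something to hash and compare against the vendor's file list before deleting or renaming it, as Jon did with Admin.dll.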