[TriLUG] Battling new IIS worm - appreciate ANY help!

Mike Johnson mike at enoch.org
Tue Sep 18 14:27:25 EDT 2001


Jon Carnes [jonc at nc.rr.com] wrote:
> We run both apache and IIS, and last week I talked the web team into moving
> over to Apache - alas, that has not occurred yet.
> 
> We *think* we have it under control.  A scan of the affected systems,
> looking for any file changed or added as of this morning revealed much.  We
> did the following (and seem to have it under control):
>  - renamed Admin.dll on the C: drive to admin_dll.old
>  - deleted all exe created this morning on drive C:
>     mmc.exe would not let us delete it, so we booted to a dos disk and zapped
> it.
>  - edited the etc/services file replacing "69/tftp" with "0/tftp"
>    (it seems to use tftp to try and spread).

Keep in mind that it's also an e-mail virus.  If one of your users
receives and executes it, it starts spreading again.  Also, if they
visit a compromised website, that website will attempt to download
and run the file.

Mike
-- 
Never trust a man who puts anything other than a finger up his nose. - _Snatch_
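
The two checks described in the quoted message (executables changed or added since the morning, and the tftp entry in the services file), as an added example that is not part of either post. The sample file tree and services text are constructed, modification time stands in for "created this morning", and the services text assumes the standard `name port/protocol` layout.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

def changed_since(root, cutoff, suffixes=(".exe", ".dll")):
    """Return sorted paths under root with a matching suffix and mtime >= cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # locked or removed mid-scan; skip rather than abort
            if mtime >= cutoff and path.suffix.lower() in suffixes:
                hits.append(path)
    return sorted(hits)

def tftp_entries(services_text):
    """Return the port/protocol field of every tftp line in services-file text."""
    entries = []
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0].lower() == "tftp":
            entries.append(fields[1])
    return entries

def demo():
    """Run both checks on constructed sample data (not taken from the thread)."""
    cutoff = datetime(2001, 9, 18).timestamp()  # local midnight of the scan day
    samples = {  # relative path -> mtime
        "Admin.dll": cutoff + 3600,
        "winnt/mmc.exe": cutoff + 7200,
        "winnt/notepad.exe": cutoff - 30 * 86400,  # old file, must not be listed
        "readme.txt": cutoff + 60,                 # recent but not exe/dll
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
            os.utime(path, (mtime, mtime))
        recent = [p.name for p in changed_since(root, cutoff)]
    services = "echo 7/tcp\ntftp 69/udp  # constructed services text\n"
    return recent, tftp_entries(services)

if __name__ == "__main__":
    print(demo())
```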