RE: Re: IIS Worm
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: IIS Worm
- From: "Mark Hetherington \(egroups\)" <mark.egroups@xxxxxxx>
- Date: Wed, 19 Sep 2001 22:01:19 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact
ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Hmm... this might be promising:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security
When this key is altered, shares have no security.... definitely worth
investigating.
More trivia about the Worm:
Known files the worm uses: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE,
RICHED20.DLL, MEP????.TMP.EXE are all used to house the worm. MEP*.TMP.EXE seem
to be files in the process of infection and will be deleted at next boot up
by a line NUL=C:\WINDOWS\TEMP\MEP????.TMP.exe, where ???? is variable; it
seems to be of the format 99A9.
ADMIN.DLL is a valid filename for FP Server Extensions. The Worm puts a
"fake" one in the root of all local drives.
MMC.EXE is the IIS Management Console.
RICHED20.DLL is used by applications supporting Rich Text so apps such as
WordPad and MS Word will load it.
As a last resort, I would be tempted to completely remove these files and
fix up afterwards from the original disks.
Mark.
> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 19 September 2001 21:51
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Ensure that Explorer is set to display all files and not hide extensions.
> The virus attempts to hide by hiding various file types.
>
> Assuming you have AV software installed and are happy with its integrity,
> scan and repair *all* files. Leave no file untouched by the scanner. Reboot.
> Repeat this until the scanner comes back clean. It may take a number of
> scan-reboot sequences to clean the system completely. This is quite a
> tenacious virus.
>
> At this point, check system.ini again and ensure the Shell = explorer line
> has not been compromised during the system clean with the
> load.exe -dontrunold addition.
>
> Only now should you try removing shares since until this point, they will be
> merely restored after reboot.
>
> If you continue to have problems with shares after you are sure the system
> is clean, check the following registry keys:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]
>
> This is where the worm installs its shares.
>
> Shout up if nothing there is any help and I will investigate further. Trying
> to "damage" a machine here without actually infecting to reproduce some of
> the problems you are having so might have some more ideas soon, otherwise I
> might have to infect it and watch what it does to the system in more depth
> :)
>
> Mark.
>
For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
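The two messages above describe a manual clean-up: check the system.ini Shell line for the appended "load.exe -dontrunold", look for the dropped files (ADMIN.DLL in each drive root, MEP????.TMP.EXE in the temp directory), and inspect the LanMan share keys and the lanmanserver Share\Security key. The script below is an added, read-only audit that checks those same indicators and reports what it finds; it is not part of the original thread and does nothing to the files or keys it reports. It assumes a Windows host running PowerShell, uses $env:SystemRoot in place of the hard-coded C:\WINDOWS, and takes the file names and registry paths from the thread itself. MMC.EXE, RICHED20.DLL and README.EXE are legitimate names, so the script lists only the indicators the thread calls out as unambiguous.

```powershell
# Added example: read-only audit for the indicators named in this thread.
# Not part of the original messages. Paths and names come from the thread;
# $env:SystemRoot and $env:TEMP are assumed to point at the Windows and temp dirs.

$findings = @()

# 1. system.ini Shell line: the thread reports "load.exe -dontrunold" being appended.
$systemIni = Join-Path $env:SystemRoot 'system.ini'
if (Test-Path $systemIni) {
    $shellLines = Get-Content $systemIni | Where-Object { $_ -match '^\s*shell\s*=' }
    foreach ($line in $shellLines) {
        if ($line -match 'load\.exe') {
            $findings += "system.ini Shell line altered: $line"
        }
    }
}

# 2. ADMIN.DLL in the root of each local fixed drive (DriveType 3 = local disk).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $admin = Join-Path "$($_.DeviceID)\" 'ADMIN.DLL'
    if (Test-Path $admin) { $findings += "ADMIN.DLL present in $($_.DeviceID)\" }
}

# 3. MEP????.TMP.EXE in the temp directories; -Force so hidden files are not missed,
#    since the quoted message notes the worm hides its files.
foreach ($tmpDir in @($env:TEMP, (Join-Path $env:SystemRoot 'TEMP'))) {
    if ($tmpDir -and (Test-Path $tmpDir)) {
        Get-ChildItem -Path $tmpDir -Filter 'MEP*.TMP.EXE' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Temp file matching MEP*.TMP.EXE: $($_.FullName)" }
    }
}

# 4. Persistent drive shares C$..Z$ under the LanMan key named in the quoted message.
$lanman = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Network\LanMan'
if (Test-Path $lanman) {
    Get-ChildItem $lanman | Where-Object { $_.PSChildName -match '^[C-Z]\$$' } |
        ForEach-Object { $findings += "Drive share key present: $lanman\$($_.PSChildName)" }
}

# 5. The lanmanserver Share\Security key mentioned at the top of the thread;
#    report it so its values can be reviewed by hand.
$shareSec = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security'
if (Test-Path $shareSec) {
    $findings += "Share security key present: $shareSec (review its values)"
}

if ($findings.Count -eq 0) {
    'No indicators from the thread found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and every drive root are readable. It only reports; the removal and scan-reboot steps in the quoted message remain a manual decision once the findings have been reviewed.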