RE: [CAD_CAM_EDM_DRO] virus warning
Posted by
Tim
on 2001-09-19 11:04:17 UTC
Far worse than you describe. We got hit yesterday and I was here at work
doing triage until midnight. It also can replace the riched20.dll (a
legitimate dll) with an infected copy so every time it is called the
attack starts again. The worm also modifies .htm, .asp pages with a tag
that spreads the infection. Problem here is that many help files are not
html based and it infects them. On compromised systems I see the
infection in the html pages called in help and mmc.
This is VERY bad. We have systems with over 2000 compromised files.
Got to run to a meeting.
Tim
[Denver, CO]
> -----Original Message-----
> From: dlantz@... [mailto:dlantz@...]
> Sent: Wednesday, September 19, 2001 11:22 AM
> To: CAD_CAM_EDM_DRO@yahoogroups.com
> Subject: RE: [CAD_CAM_EDM_DRO] virus warning
>
>
> the 'readme' virus has effectively taken out our local
> network... it seems to be spreading through microsoft network
> shares and IIS Web Directory Traversal Exploit... which
> appears to be something to do with internet explorer. so
> far, only one system on our site is down by it, but our
> internet access is down till further notice, and many many
> computers on the other end of the WAN are down... it's not
> really a virus, it's a worm... it does very little real
> damage to the machine, besides tying up resources and bogging
> down email.. what is very dangerous about it is that it
> compromises security!!!! (wow... quad exclamation points...
> serious here) anyhow, everyone might update their virus
> software and search their hard drives for the following:
> mep*
>
> now if you have a bunch of:
> mep3405.tmp.exe
> or anything like that:
> mepXXXX.tmp.exe
> or a file called load.exe of which you cannot delete
> email me here at dlantz@..., I've got the cure
> printed out
>
> -----Original Message-----
> From: elson@... [mailto:elson@...]
> Sent: Wednesday, September 19, 2001 10:09 AM
> To: CAD_CAM_EDM_DRO@yahoogroups.com
> Subject: Re: [CAD_CAM_EDM_DRO] virus warning
>
>
> carlcnc@... wrote:
>
> > I just got a lengthy email from my local ISP. [not earthlink] If
> > anyone wants to read the warning it should be "viewable" at
> > www.tscnet.com, or www.sinclair.com The head guys at this company were
> > doing internet before there was a web, they never cry "wolf"
> > I will not open any attachments with title "readme." for a while!
>
> I could not find any virus information at either of these two
> sites. If you are going to post this kind of information,
> please include a more specific URL. I could spend 2 hours
> looking through these sites to find what you are referring to.
>
> Jon
>
>
> Addresses:
> FAQ: http://www.ktmarketing.com/faq.html
> FILES: http://groups.yahoo.com/group/CAD_CAM_EDM_DRO/files/
>
> Post messages: CAD_CAM_EDM_DRO@yahoogroups.com
> Subscribe: CAD_CAM_EDM_DRO-subscribe@yahoogroups.com
> Unsubscribe: CAD_CAM_EDM_DRO-unsubscribe@yahoogroups.com
> List owner: CAD_CAM_EDM_DRO-owner@yahoogroups.com, wanliker@...
> Moderator: jmelson@... timg@...
> [Moderator]
> URL to this page: http://groups.yahoo.com/group/CAD_CAM_EDM_DRO
> bill,
> List Manager
>
>
>
> Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
>
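A read-only triage sweep for the indicators named in this thread, as an added example that is not part of any poster's message: it lists files matching `mep*.tmp.exe` or `load.exe` and hashes every `riched20.dll` it finds so each copy can be compared with a known-good original. The function names and the optional reference hash are assumptions of this example.

```python
import fnmatch
import hashlib
import os
import sys

# File names quoted in the thread; matched case-insensitively because
# Windows file names are case-insensitive.
DROPPER_PATTERNS = ("mep*.tmp.exe", "load.exe")
# Reported above as a legitimate DLL that gets replaced with an infected
# copy, so a name match proves nothing: every copy is hashed for review.
REVIEW_DLL = "riched20.dll"


def sha256_of(path, chunk=65536):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, known_good_sha256=None):
    """Walk root and return (dropper_paths, dll_findings).

    dll_findings holds (path, sha256, verdict); verdict is 'match',
    'MISMATCH', 'unverified' (no reference hash given) or 'unreadable'.
    """
    droppers, dlls = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower, path = name.lower(), os.path.join(dirpath, name)
            if any(fnmatch.fnmatchcase(lower, p) for p in DROPPER_PATTERNS):
                droppers.append(path)
            elif lower == REVIEW_DLL:
                try:
                    digest = sha256_of(path)
                except OSError:  # locked or permission-denied file
                    dlls.append((path, None, "unreadable"))
                    continue
                if known_good_sha256 is None:
                    verdict = "unverified"
                else:
                    same = digest == known_good_sha256.lower()
                    verdict = "match" if same else "MISMATCH"
                dlls.append((path, digest, verdict))
    return sorted(droppers), sorted(dlls)


if __name__ == "__main__":
    found, dll_report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for line in found + ["%s %s %s" % entry for entry in dll_report]:
        print(line)
```

The reference hash should come from a copy of `riched20.dll` taken from clean installation media for the same Windows version and patch level, not from another machine on the affected network.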
Discussion Thread
carlcnc@e...
2001-09-18 21:21:29 UTC
virus warning
Jon Elson
2001-09-19 10:07:24 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
dlantz@a...
2001-09-19 10:25:22 UTC
RE: [CAD_CAM_EDM_DRO] virus warning
Ron Yost
2001-09-19 10:27:19 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
paul@a...
2001-09-19 10:56:01 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
dlantz@a...
2001-09-19 11:00:01 UTC
RE: [CAD_CAM_EDM_DRO] virus warning
Tim
2001-09-19 11:04:17 UTC
RE: [CAD_CAM_EDM_DRO] virus warning
paul@a...
2001-09-19 11:05:06 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
dlantz@a...
2001-09-19 11:07:26 UTC
RE: [CAD_CAM_EDM_DRO] virus warning
Bryan-TheBS-Smith
2001-09-19 11:26:25 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
Bryan-TheBS-Smith
2001-09-19 11:31:59 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
Tim
2001-09-19 13:29:38 UTC
RE: [CAD_CAM_EDM_DRO] virus warning
paul@a...
2001-09-19 13:54:45 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
Bryan-TheBS-Smith
2001-09-19 15:29:27 UTC
Re: [CAD_CAM_EDM_DRO] virus warning
Bryan-TheBS-Smith
2001-09-19 15:47:50 UTC
Re: [CAD_CAM_EDM_DRO] virus warning