Security Incidents mailing list archives

RE: MSIIS servers patched/de-doored, but C and D keep coming back


From: "Garreth Jeremiah/Markham/IBM" <gjeremia () ca ibm com>
Date: Mon, 13 Aug 2001 19:17:55 -0400

Thank you to all who replied.  I am recommending that the device be re-built
- even before posting.  Just needed to see if there was anything special
going on.

Well here is what I mean - we moved an (apparently) uninfected device into
an isolated lan and infected it there.  System was cleaned, including all
back doors and reg. code.  However it appears that the /c and /d effects of
virtual rooting the IIS server remain persistent across boots - even though
we cleaned them.  I am suggesting to the team that they re-image the machine,
however I found this very weird.  Of all devices tested so far there are
approx 6 that have this occur ( mostly French Version of Win2k - not sure
if we have an English version that is affected this way ( yes it was
patched with the French patch )).

Possible Causes (decreasing likelihood):

1)   Another worm/virus
2)   Weird interaction between HW/SW and patch ( plus any 3rd party software )
3)   previously unseen side effect of CRII
4)   CRx

Possible Resolution:

1)   Check all of those damn "Run/RunOnce/RunExec" registry settings
2)   Down the machine - reboot with NTFS capable boot disk - replace
system.dat(/da0) and user.dat etc.
3)   stop messing around and grab the backup CD. - R.E.L.O.A.D

It will be interesting to see if anyone else experiences this problem
though.

______________________________
Garreth J Jeremiah.
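Example code, not part of the original post or thread: a PowerShell check for the two symptoms discussed above, virtual directories mapped to a bare drive root (the /c and /d "virtual rooting") and Run/RunOnce autostart entries. It assumes a current IIS host with the WebAdministration module; the Win2k metabase of 2001 would need a different query.

```powershell
# Added example, not from the original post. Assumes IIS 7+ with the
# WebAdministration module installed; run in an elevated PowerShell session.
Import-Module WebAdministration

# 1) Virtual directories whose physical path is a bare drive root (C:\, D:\ ...).
#    A site with /c or /d mapped this way exposes the whole drive over HTTP.
function Get-DriveRootVirtualDirs {
    Get-WebVirtualDirectory | Where-Object {
        $_.physicalPath -match '^[A-Za-z]:\\?$'
    } | Select-Object path, physicalPath
}

# 2) Run/RunOnce autostart entries under HKLM and HKCU, with the provider's
#    own PS* properties filtered out so only real value names are shown.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

"== Virtual directories mapped to a drive root =="
Get-DriveRootVirtualDirs | Format-Table -AutoSize
"== Run/RunOnce entries =="
Get-AutostartEntries | Format-Table -AutoSize
```

Run it before and after a reboot: if the drive-root virtual directories are absent after cleaning but listed again after the restart, the re-creation is happening from something still on the box, which is the case the post makes for re-imaging.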



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

