Security Incidents mailing list archives

NIMDA Removal


From: Isherwood Jeff C Contr AFRL/IFOSS <Jeffrey.Isherwood () rl af mil>
Date: Thu, 20 Sep 2001 12:14:30 -0400

Good Afternoon,
 
        I know there's a lot going on everywhere, and you might already have
something like this (I know most AV vendors have them, but they are all a
bit different).  AV sites around the world are coming out with tools to fix
and remove it. I dislike those tools, because they require that you
completely trust that the AV vendor caught everything.  I sat down and went over
everything this one does, based on live samples we caught and tested, as
well as data from the various mailing lists, and a few contributions from
other sources. I hope I've got it all down now.

          We set this one off over a dozen times in a controlled
environment.  Since the infections began, only a few copies of NIMDA have
ACTUALLY been set off here; they were set off and contained in under 5
minutes.  Those infections were early in the day Tuesday, before our
defenses and administrators were fully brought to bear, and before our users
were properly alerted.

          These instructions have been tested against infected systems and
appear to be pretty complete.  There are aspects of this virus that DO NOT
HAPPEN on every machine; it's a bit fluky, sometimes crashing before it
finishes its intrusion, sometimes not.  Unix systems are my thing, not
Windows, but I think I got everything.

        I hope that they can be of some help.
 
- Jeffrey Isherwood...

  _____  

Jeffrey.Isherwood () rl af mil - Senior Security Engineer-UNIX Sys AFRL\IFOSS
Security Awareness Training and Education (SATE) MANAGER
Comm:(315) 330-7246 DSN: 587-7246 
You lock up your Car and your House...
       Why not your workstation...?

Attachment: NIMDA Removal.doc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
