Snort mailing list archives
Re: hmm...nimda RICHED20.DLL alarms
From: Rich Adamson <radamson () routers com>
Date: Tue, 22 Jan 2002 05:10:40 -0600
I am getting some of these every day from work (seemingly when users are running Office applications). It is the same set of machines every day, always attacking the same destination server. Scans of the server are picking up nothing with any antivirus package I find, and the same is true of the workstations.
Try one or more of these...

1. Check the PATH in use on a workstation. If you are sharing a directory on your server, verify the \windows\system directory appears in the PATH statement "before" any shared drives. Ensure only one copy of riched20.dll exists in the \windows\system directory on the workstations.

2. Regardless of which Anti-Virus software you're using, remove it from one workstation and replace it with another vendor's software to validate the virus detection is not hosed or mis-engineered. Run another full scan.

3. On one of the offending workstations, close all applications, leaving only the desktop displayed for a lengthy period of time. Did the alerts from this address disappear? (If so, one or more applications may be using a PATH that includes a shared drive.)

4. On one of the offending workstations, "find" all occurrences of riched20.dll (there should only be one, in the \windows\system directory on Win95/98 machines; delete all other occurrences. Win2k and newer may have additional copies in dllcache and/or service pack directories. Verify the version of each. The current control reports v3.0 in the property Description, and v5.30.23.xxxx as File Version.)

5. Temporarily rename the remaining riched20.dll to riched20.dl_ (Office and other windows that would normally display text fields will no longer function until the dll is restored. If they do continue to function, there is another copy being found somewhere.) Watch carefully for the riched20.dll to be automatically restored (if it is, the machine is probably infected). If it is not, copy riched20.dll from a known clean workstation into the system directory. Check for alerts again.
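As an added example (not code from Rich's post or from the Snort project), the following Python script automates the two mechanical parts of steps 1 and 4 above: it parses a Windows PATH string and flags any shared-drive entry (UNC path or mapped drive letter) that comes before the system directory, and it walks a directory tree to list every copy of riched20.dll, separating the expected copy in \windows\system and copies under dllcache or service pack directories from stray ones that the post says to delete. The system directory path, the set of mapped network drive letters, the directory names treated as cache/service-pack locations, and the sample PATH strings and file tree are all constructed assumptions; the File Version check from step 4 is not automated here.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Assumed Win9x-style system directory, as referenced in the post; adjust per OS layout.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"

# Constructed sample PATH strings. The second lists a mapped drive and a UNC
# share ahead of the system directory, the ordering the post warns about.
PATH_GOOD = r"C:\WINDOWS;C:\WINDOWS\SYSTEM;C:\WINDOWS\COMMAND;\\fileserver\apps"
PATH_BAD = r"G:\APPS;\\fileserver\apps;C:\WINDOWS;C:\WINDOWS\SYSTEM"

# Assumed directory names for the "dllcache and/or service pack" copies the post mentions.
CACHE_DIR_NAMES = ("dllcache", "servicepackfiles")


def shared_drive_before_system(path_value, network_drives, system_dir=SYSTEM_DIR):
    """Step 1: return the PATH entries that are shared drives (UNC paths or
    mapped drive letters listed in `network_drives`) and appear *before* the
    system directory. An empty list means the ordering is safe. If the system
    directory is missing from PATH entirely, that is reported as a marker."""
    sysdir = PureWindowsPath(system_dir)
    mapped = {d.upper() for d in network_drives}
    offenders = []
    for entry in (e.strip() for e in path_value.split(";")):
        if not entry:
            continue
        p = PureWindowsPath(entry)
        if p == sysdir:  # PureWindowsPath compares case-insensitively
            return offenders
        is_unc = entry.startswith("\\\\")
        is_mapped = p.drive.upper() in mapped
        if is_unc or is_mapped:
            offenders.append(entry)
    offenders.append("<system directory not found in PATH>")
    return offenders


def find_dll_copies(root, name="riched20.dll"):
    """Step 4: walk `root` and return every file named `name` (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def audit_dll_copies(root, system_dir_rel=os.path.join("windows", "system"),
                     name="riched20.dll"):
    """Classify each copy found under `root`: the one expected copy in the
    system directory, copies in cache/service-pack directories, and anything
    else (the stray copies the post says to delete)."""
    expected_dir = os.path.normpath(os.path.join(root, system_dir_rel)).lower()
    report = {"expected": [], "cached": [], "unexpected": []}
    for copy in find_dll_copies(root, name):
        parent = os.path.normpath(os.path.dirname(copy))
        parts = {part.lower() for part in Path(parent).parts}
        if parent.lower() == expected_dir:
            report["expected"].append(copy)
        elif parts & set(CACHE_DIR_NAMES):
            report["cached"].append(copy)
        else:
            report["unexpected"].append(copy)
    return report


def build_sample_tree():
    """Constructed stand-in for a workstation drive: one legitimate copy, one
    dllcache copy, and one stray copy sitting on an application share."""
    root = tempfile.mkdtemp(prefix="riched20_audit_")
    for rel in (os.path.join("windows", "system", "riched20.dll"),
                os.path.join("windows", "system32", "dllcache", "riched20.dll"),
                os.path.join("apps", "shared", "RICHED20.DLL")):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ placeholder, not a real DLL")
    return root


if __name__ == "__main__":
    mapped_drives = {"G:"}  # assumed: G: is a mapped network drive on this workstation
    print("PATH_GOOD offenders:", shared_drive_before_system(PATH_GOOD, mapped_drives))
    print("PATH_BAD offenders: ", shared_drive_before_system(PATH_BAD, mapped_drives))
    for kind, paths in audit_dll_copies(build_sample_tree()).items():
        print(kind, paths)
```

On a real workstation you would feed `shared_drive_before_system` the output of `echo %PATH%` and point `audit_dll_copies` at the drive root; anything in the `unexpected` list is a copy that would be found ahead of, or instead of, the legitimate control if the PATH order is wrong.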