GEN:SID | 1:1295 |
Message | NETBIOS nimda RICHED20.DLL |
Summary | This event is generated when traffic containing the RICHED20.DLL file is detected. This may indicate Nimda worm activity.
|
Impact | Possible infection by the Nimda virus.
|
Detailed Information | Nimda spreads by file infection, mass emailer, file share, or IIS unicode exploit to attack unpatched systems.
|
Affected Systems | Windows 95 Windows 98 Windows ME Windows 2000
|
Attack Scenarios | An unpatched server is connected to the internet and is infected or an infected email is opened. Once infected the worm spreads itself.
|
Ease of Attack | Simple
|
Corrective Action | Check the suspect host for signs of infection. Apply patches or upgrade the operating system
|
Additional References | Microsoft: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
F-Secure: http://www.f-secure.com/v-descs/nimda.shtml
Microsoft: http://msdn.microsoft.com/library/en-us/vclib/html/vclrfafxinitrichedit2.asp
|
Rule References | url: www.f-secure.com/v-descs/nimda.shtml
|