Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1295 |
Message | NETBIOS nimda RICHED20.DLL |
Summary | This event is generated when traffic containing the RICHED20.DLL file is detected. This may indicate Nimda worm activity. |
Impact | Possible infection by the Nimda virus. |
Detailed Information | Nimda spreads through file infection, mass mailing, file shares, or the IIS Unicode exploit to attack unpatched systems. |
Affected Systems | Windows 95, Windows 98, Windows ME, Windows 2000 |
Attack Scenarios | An unpatched server connected to the Internet is infected, or an infected email is opened. Once a host is infected, the worm spreads itself. |
Ease of Attack | Simple |
Corrective Action | Check the suspect host for signs of infection. Apply patches or upgrade the operating system. |
Additional References | Microsoft: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp; F-Secure: http://www.f-secure.com/v-descs/nimda.shtml; Microsoft: http://msdn.microsoft.com/library/en-us/vclib/html/vclrfafxinitrichedit2.asp |
Rule References | url: www.f-secure.com/v-descs/nimda.shtml |
--
DID:142445