[Snort-users] hmm...nimda RICHED20.DLL alarms

Rich Adamson radamson at ...2127...
Tue Jan 22 03:56:05 EST 2002

> i am getting some of these every day from work (seemingly when users are running Office 
applications). It is the same set of machines every
> day...always attacking the same destination server. scans of the server are picking up nothing 
with any antivirus package i find, and the same is
> true of the workstations.

Try one or more of these...

1. Check the PATH in use on a workstation. If you are sharing a
directory on your server, verify the \windows\system directory
appears in the PATH statement "before" any shared drives. Ensure
only one copy of riched20.dll exists in the \windows\system directory
on the workstations.

2. Regardless of which Anti-Virus software you're using, remove it
from one workstation and replace it with another vendor's software
to validate the virus detection is not hosed or mis-engineered.
Run another full scan.

3. On one of the offending workstations, close all applications
leaving only the desktop being displayed for a lengthy period of
time. Did the alerts from this address disappear? (If so, one or
more applications may be using a PATH that includes a shared

4. On one of the offending workstations, "find" all occurances of
riched20.dll (should only be one in the \windows\system directory
on Win95/98 machines. Delete all other occurances. Win2k and newer 
may have additional copies in dllcache and/or service pack directories.
Verify version of each. Current control reports v3.0 in property
Description, and v5.30.23.xxxx as File Version.) 

5. Temporarily rename the remaining riched20.dll to riched20.dl_
(Office and other windows that would normally display text fields
will no longer function until the dll is restored. If they do
continue to function, there is another copy being found somewhere.)
Watch carefully for the riched20.dll to be automatically restored 
(if it does, the machine is probably infected). If it does not,
copy riched20.dll from a known clean workstation into the system
directory. Check for alerts again.

More information about the Snort-users mailing list