Anybody got the skinny on the Nimda virus???
chimdogger
09-19-01, 12:00 PM
Looking for insider info. Patch links. Comments. etc etc etc...
Thanks
Chim meister:rolleyes:
Matt615
09-19-01, 12:11 PM
Well, I just saw an article about it and it's again attacking web servers on port 80. It's also being sent in e-mails. I don't know of any patches yet.
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Matt615
09-19-01, 12:54 PM
Thanks blebs. :)
Thorazine
09-19-01, 12:58 PM
Symantec has a patch for it now. You'll need to install their AV software however to run the fix. This virus is very nasty, but you can get rid of it. Here's what ya do.
Write a file to the winnt/system folder (windows/system) named sample.eml. Then go to a command prompt, change to the above directory and type (attrib +r sample.eml). Reboot.
What this does.... Basically the virus starts by writing a file to that directory named sample.eml; however, because the file is already present and read-only, the virus chokes in memory (GPF).
If you have the virus on your machine, after the reboot bring up a command prompt and change to root (c:\). Type this command (del *.eml /s). This will remove all of the eml files the virus created.
Once you have done all that you can install a scanner and update the virus defs. Run the scan (make sure you are scanning all files) and let it clean and remove all infected files, and there will be a ton of them! Rinse and repeat until the scanner does not find any files.
You're not out of the woods yet. Make sure you have all your IIS/IE5.01 patches on the machine, otherwise you will have to do this all over again if another machine on the inet passes it back to you. :)
A couple of things I didn't address up top.
1) Disable the guest account or at least remove it from the Admin's group
2) Fix the issue with the root of all drives shared to the world
3) Win9x users delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
Hope this helps.
BTW, you can run the scanner with the machine infected (or at least with the virus in memory); however, I've had several engineers call me and say that the virus potentially will grab the main scanner exe file and modify it while the scan is taking place.
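The inoculate-then-clean procedure from the post above, as an added Python example (this is not code from the thread or from any vendor): it pre-creates the read-only sample.eml, lists every .eml file below a root before anything is deleted (a dry run, for anyone staring at 10,000 of them), and spares the inoculation file when it does delete. The directory tree in demo() is constructed; it stands in for winnt/system and an infected drive.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

INOCULATION_NAME = "sample.eml"  # the file name the post says the worm writes first

def inoculate(system_dir):
    """Pre-create an empty, read-only sample.eml so the worm's own write fails."""
    target = Path(system_dir) / INOCULATION_NAME
    target.touch(exist_ok=True)
    os.chmod(target, stat.S_IREAD)  # read-only attribute on Windows, mode 0o400 elsewhere
    return target

def is_read_only(path):
    """True when the write bit is clear (unlike os.access, also correct when run as root)."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)

def find_eml_files(root):
    """Every *.eml below root: the 'del *.eml /s' step as a listing first."""
    return sorted(p for p in Path(root).rglob("*.eml") if p.is_file())

def remove_eml_files(root, keep=(), dry_run=True):
    """Delete dropped .eml files, sparing `keep` (the inoculation file); returns them."""
    spared = {Path(p).resolve() for p in keep}
    removed = []
    for p in find_eml_files(root):
        if p.resolve() in spared:
            continue
        if not dry_run:
            p.unlink()
        removed.append(p)
    return removed

def demo():
    """Constructed tree standing in for an infected drive; returns what the cleanup did."""
    root = Path(tempfile.mkdtemp())
    (root / "system").mkdir()
    inoc = inoculate(root / "system")
    (root / "readme.eml").write_text("constructed dropped copy\n")
    (root / "sub").mkdir()
    (root / "sub" / "readme.eml").write_text("constructed dropped copy\n")
    found = len(find_eml_files(root))  # 3: two dropped copies plus the inoculation file
    planned = len(remove_eml_files(root, keep=[inoc], dry_run=True))
    gone = len(remove_eml_files(root, keep=[inoc], dry_run=False))
    result = (found, planned, gone, inoc.exists() and is_read_only(inoc))
    os.chmod(inoc, stat.S_IREAD | stat.S_IWRITE)  # so the temp dir can be removed
    shutil.rmtree(root)
    return result
```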
Ghosthunter
09-19-01, 01:35 PM
Does anyone know if these EML files can just be deleted? Were they real files that got converted to EML? I have a server here at work with 10,000 EML files, I don't know what to do. I am hoping they are just junk and I can delete them.
Thanks
Ghosthunter
09-19-01, 01:50 PM
OK, forget my last post, I just reread your post where to del all the eml files... sorry and thanks
Epiphany
09-19-01, 05:20 PM
You can get it just by reading or previewing email to which the infected file is attached. You DON'T have to open the attachment to be infected. A very good idea is to go to Tools/Options/Security in Outlook and make sure it uses the Restricted Zone. Then lock up the Restricted zone like a brick shi... like a vault. This will reduce the risk of infection via Outlook.
This is a nasty worm, and not only for folks with IIS web servers this time. Make sure your antivirus has an update for nimda, and use it.
chimdogger
09-19-01, 10:20 PM
If you have IE6 and have updated all the security patches for Code Red II you should be all set, as well as updating your virus protection blah blah blah...
By the way does anybody know if AVG has included nimda in their virus dat files???
Thanks Chimmy:p
LukeMan
09-19-01, 10:57 PM
AVG has an update, just d/l it, thanks to a heads up from Norm yesterday.
Here is some info on the "Nimda" worm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
check here also
http://www.microsoft.com/technet/mpsa/start.asp