Anybody got the skinny on the nimda virus???

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
chimdogger
Posts: 2785
Joined: Fri Jan 26, 2001 12:00 pm

Anybody got the skinny on the nimda virus???

Post by chimdogger »

Looking for insider info. Patch links. Comments. etc etc etc...

Thanks

Chim meister :rolleyes:
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

Well I just saw an article about it and it's again attacking webservers on port 80. It's also being sent in e-mails. I don't know of any patches yet.
Windows has not yet detected a keyboard. Press any key to continue.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Success is a lousy teacher. It seduces people into thinking they can't lose. -Bill Gates
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

Thanks blebs. :)
Windows has not yet detected a keyboard. Press any key to continue.
Thorazine
Regular Member
Posts: 353
Joined: Tue Dec 14, 1999 12:00 am
Location: Washington, DC, USA

Post by Thorazine »

Symantec has a patch for it now. You'll need to install their AV software however to run the fix. This virus is very nasty, but you can get rid of it. Here's what ya do.

Write a file to the winnt/system folder (windows/system) named sample.eml. Then go to a command prompt change to the above directory and type (attrib +r sample.eml). Reboot.

What this does.... Basically the virus starts by writing a file to that directory named sample.eml, however, because the file is already present and read-only, the virus chokes in memory (GPF).

If you have the virus on your machine, after reboot bring up a command prompt and change to root (c:\). Type this command (del *.eml /s). This will remove all of the eml files the virus created.

Once you have done all that you can install a scanner and update the virus defs. Run the scan (make sure you are scanning all files) and let it clean and remove all infected files and there will be a ton of them! Rinse and repeat until the scanner does not find any files.

You're not out of the woods yet. Make sure you have all your IIS/IE5.01 patches on the machine otherwise you will have to do this all over again if another machine on the inet passes it back to you. :)

A couple of things I didn't address up top.

1) Disable the guest account or at least remove it from the Admin's group

2) Fix the issue with the root of all drives shared to the world

3) Win9x users delete the following text from the Shell= entry in system.ini: load.exe -dontrunold

Hope this helps.


BTW, you can run the scanner with the machine infected (or at least with the virus in memory) however, I've had several engineers call me and say that the virus potentially will grab the main exe scanner file and modify it while the scan is taking place.
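The three manual steps above (read-only sample.eml in the system folder, del *.eml /s from the drive root, and the Win9x Shell= cleanup) as a small helper script. This is an added example, not code from the thread or from any vendor: it assumes the system folder and drive root are passed in as paths, emulates the Windows read-only attribute on POSIX by clearing the write bits (which is what attrib +r does on NTFS/FAT), and builds a constructed directory tree to run against. It also does something the thread does not spell out: it inventories the .eml files first (dry run) so a real mailbox export is not lost, and skips read-only files the way del without /F does, which is why sample.eml survives the sweep.

```python
"""Helper for the Nimda cleanup steps posted in this thread (added example).
Assumptions: system_dir and root are supplied by the caller; 'read-only' is
emulated on POSIX by clearing write bits; the demo tree is constructed here."""
import re
import shutil
import stat
import tempfile
from pathlib import Path

INOCULATION_FILE = "sample.eml"          # file name from the thread
SHELL_PAYLOAD = "load.exe -dontrunold"   # string the thread says to remove


def is_inoculated(system_dir):
    """True if sample.eml exists in system_dir and has no owner write bit."""
    target = Path(system_dir) / INOCULATION_FILE
    return target.is_file() and not (target.stat().st_mode & stat.S_IWUSR)


def inoculate(system_dir):
    """Create sample.eml and mark it read-only (the 'attrib +r' step)."""
    target = Path(system_dir) / INOCULATION_FILE
    if not target.exists():
        target.write_bytes(b"")          # empty placeholder; content is irrelevant
    mode = target.stat().st_mode
    target.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return is_inoculated(system_dir)


def find_eml_files(root):
    """Recursive inventory of *.eml under root (case-insensitive suffix)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == ".eml")


def remove_eml_files(root, dry_run=True):
    """Delete (or, with dry_run, only list) the .eml files under root.
    Read-only files are skipped, as 'del *.eml /s' without /F skips them,
    so the inoculation file is left in place."""
    removed = []
    for p in find_eml_files(root):
        if not (p.stat().st_mode & stat.S_IWUSR):
            continue                     # read-only: leave it alone
        if not dry_run:
            p.unlink()
        removed.append(p)
    return removed


def clean_shell_entry(system_ini_text):
    """Strip 'load.exe -dontrunold' from the Shell= line of a system.ini.
    Returns (new_text, changed)."""
    pattern = re.compile(r"^(shell\s*=\s*)(.*)$", re.IGNORECASE | re.MULTILINE)

    def fix(m):
        value = m.group(2).replace(SHELL_PAYLOAD, "")
        return m.group(1) + " ".join(value.split())   # tidy leftover spaces

    new_text = pattern.sub(fix, system_ini_text)
    return new_text, new_text != system_ini_text


def demo():
    """Build a constructed tree that mimics an infected drive, run all
    three steps against it and return a summary dict."""
    workdir = Path(tempfile.mkdtemp())
    try:
        system_dir = workdir / "winnt" / "system"
        system_dir.mkdir(parents=True)
        # constructed worm droppings and one unrelated file that must survive
        (workdir / "inetpub" / "wwwroot").mkdir(parents=True)
        (workdir / "inetpub" / "wwwroot" / "readme.eml").write_bytes(b"MIME-Version: 1.0\n")
        (workdir / "docs").mkdir()
        (workdir / "docs" / "report.doc.EML").write_bytes(b"MIME-Version: 1.0\n")
        (workdir / "docs" / "notes.txt").write_bytes(b"keep me\n")
        ini_path = workdir / "system.ini"
        ini_path.write_text("[boot]\nshell=explorer.exe load.exe -dontrunold\n")

        inoculate(system_dir)
        planned = remove_eml_files(workdir, dry_run=True)
        deleted = remove_eml_files(workdir, dry_run=False)
        cleaned, changed = clean_shell_entry(ini_path.read_text())
        ini_path.write_text(cleaned)
        return {
            "inoculated": is_inoculated(system_dir),
            "eml_planned": len(planned),
            "eml_deleted": len(deleted),
            "eml_left": len(find_eml_files(workdir)),   # only sample.eml
            "notes_kept": (workdir / "docs" / "notes.txt").is_file(),
            "shell_fixed": changed,
            "shell_line": cleaned.strip().splitlines()[-1],
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it once as a dry run on a real box before letting it delete anything; the inventory is the point, since the worm names its droppings after the files it attached (readme.eml, foo.doc.eml) and a server may also hold legitimate saved mail with the same extension.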
Ghosthunter
SG VIP
Posts: 18183
Joined: Tue Mar 06, 2001 12:00 pm

Post by Ghosthunter »

Does anyone know if these EML files can just be deleted? Were they real files that got converted to EML? I have a server here at work with 10,000 EML files, I don't know what to do. I am hoping they are just junk and I can delete them.

Thanks
Ghosthunter
SG VIP
Posts: 18183
Joined: Tue Mar 06, 2001 12:00 pm

Post by Ghosthunter »

Ok, forget my last post, I just reread your post about deleting all the eml files... sorry and thanks
Epiphany
Member
Posts: 34
Joined: Wed Jul 11, 2001 7:13 pm
Location: toronto

Here's a bit of skinny and a suggestion

Post by Epiphany »

You can get it just by reading or previewing email to which the infected file is attached. You DON'T have to open the attachment to be infected. A very good idea is to go to Tools/Options/Security in Outlook and make sure it uses the Restricted Zone. Then lock up the Restricted zone like a brick shi... like a vault. This will reduce the risk of infection via Outlook.

This is a nasty worm, and not only for folks with IIS web servers this time. Make sure your antivirus has an update for nimda, and use it.
chimdogger
Posts: 2785
Joined: Fri Jan 26, 2001 12:00 pm

this is what i can gather from micro$oft

Post by chimdogger »

if you have ie6 and have updated all the security patches for code red II you should be all set. As well as updating your virus protection blah blah blah...

By the way does anybody know if AVG has included nimda in their virus dat files???

Thanks Chimmy :p
LukeMan
Advanced Member
Posts: 693
Joined: Sat Jan 13, 2001 12:00 am
Location: California

Post by LukeMan »

AVG has an update just d/l it thanks to a heads up from Norm yesterday.
They told (us) to open up the Embassy, or "we'll blow you away." And then they looked up and saw the Marines on the roof with these really big guns, and they said in Somali, "Igaralli ahow," which means "Excuse me, I didn't mean it, my mistake".

Karen Aquilar, in the U.S. Embassy; Mogadishu, Somalia, 1991
Jon
Advanced Member
Posts: 882
Joined: Fri Jun 09, 2000 12:00 am
Location: 3rd rock from the sun

Post by Jon »
