James-

What server are you running -- NT4 or W2K?

I'm curious because I have heard others who have been hit that had infected
OS files, and others, such as myself, who did not have any OS file affected.
The worm simply deposited tons of readme.eml files, admin.dll and mmc.exe,
and modified the last line of .htm, .html, and .asp files. All of this was
readily repairable.

Our server *appears* to be working fine now.

After you stopped further infection, did you get rid of the virus itself
(admin.dll, mmc.exe and readme.exe)? Then did you re-apply your service
pack? The reapplication of your service pack should place a new asp.dll and
explorer.exe onto the disk to correct damage to those files. Or is it that
you can't even run the service pack?

The repairs to the .htm files are easy to correct. Either pull them off of
Monday night's tape, or scan the contents of the files using Ultraedit or
John Cesta's free util to pull out the javascript code used to send the worm
to a browser client. Took me all of 5 minutes to do this for 800 .htm and
.asp files.

Good luck.

--
Scot
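
Added example (not part of Scot's message, and not the utility he mentions): a Python version of the .htm/.asp cleanup described above. It assumes the appended line is a <script> block that opens readme.eml, optionally wrapped in its own <html> tags, which the thread does not quote; the function names, quarantine directory and sample page are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: the worm's appended line is a <script> block that opens
# readme.eml, optionally wrapped in its own <html> tags, at end of file.
APPENDED = re.compile(
    rb"(?:<html>\s*)?<script\b[^>]*>(?:(?!</script>).)*?readme\.eml"
    rb"(?:(?!</script>).)*?</script>(?:\s*</html>)?\s*\Z",
    re.IGNORECASE | re.DOTALL,
)
WEB_EXTS = {".htm", ".html", ".asp"}


def strip_appended_script(data: bytes):
    """Return (cleaned, removed); removed is b"" when the tail is clean."""
    m = APPENDED.search(data)
    if not m:
        return data, b""
    return data[:m.start()], data[m.start():]


def clean_tree(root, quarantine=None):
    """List infected web files under root. With a quarantine directory
    (outside the web root), keep the original there and rewrite in place."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        cleaned, removed = strip_appended_script(path.read_bytes())
        if not removed:
            continue
        findings.append(path.relative_to(root).as_posix())
        if quarantine is not None:
            keep = Path(quarantine) / path.relative_to(root)
            keep.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, keep)
            path.write_bytes(cleaned)
    return findings


if __name__ == "__main__":
    # Constructed sample: one page with the appended line, run as a dry run.
    with tempfile.TemporaryDirectory() as tmp:
        page = Path(tmp) / "index.htm"
        page.write_bytes(b"<html><body>Hi</body></html>\r\n"
                         b'<script>window.open("readme.eml")</script>\r\n')
        print(clean_tree(tmp))  # report only; nothing is rewritten
```

Run it without a quarantine directory first to review the list of files before anything is rewritten.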



----- Original Message -----
From: "James Cousineau" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 12:19 PM
Subject: RE: [imail] Nimda Virus


>
> I cannot fully agree.  We have always kept up with patches supplied by MS.
> The only one that was not applied in time was the last patch issued on the
> fateful day of Sept. 11.  Patches were downloaded but not installed for
> various reasons - what happened on that day that affected all of the free
> world, and personal medical problems (hospitalization).  We had installed
> all patches before that, and many have said that if anybody had patched for
> Code Red then you would be OK - we were hit!  3143 infected files, able to
> delete 940 files, repair 1752 files, but are left with over 500 files that
> no one knows how to fix as of this date and time, a damaged Explorer.exe and
> asp.dll - our websites run on ASP files.  Approx. 50 web sites that require
> repairs to .asp, .html, and .htm files.
>
> I got our IMail server back up and running, although 1 file is still
> infected that cannot be repaired.  But it does not seem to be affecting
> much.  Much work lies ahead to fully repair our servers - if they can be.
>
> Overburdened IT staff, in most companies, cannot keep up with all that needs
> done.  Patches, such as this, are just added to the list of "things to do".
>
> Solutions?  More expense, hardware firewalls, stronger and more costly
> anti-virus software installed, additional IT staff to keep up with patches,
> updates, and ..... the list goes on.  It is indeed the greatest IT challenge
> ever faced.  Companies of any consequence now require a full-time IT
> security employee with authority to utilize an "immediate expense" budget -
> with today's cyber attacks there is no time for a meeting to discuss what
> has to be spent and why.
>
> This is the first time I have ever been caught by any virus or worm
> (business or personal) - and I've been around for a long time.  You feel
> defeated and embarrassed that it could have happened to you.
>
> James Cousineau
> VP Marketing and IT Management
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Barrie - Canada 705.722.3674
> "Home is where I hang my @"
> --------------------------------------------------------
> CareerTek.org Inc.   www.careertek.org <http://www.careertek.org>
> 170 Attwell Dr., Suite 640
> Toronto, ON Canada M9W 5Z5
> Toll Free 866.679.8688
> Tel: 416.679.8688  Fax: 416.679.8684
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Slade
> Sent: Wednesday, September 19, 2001 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
>
> The issue that allows the exploit was addressed by Microsoft in October
> of 2000. If people would keep up on hot fixes, critical updates, and
> service packs, people would minimize the issues caused by these
> Trojans that use back doors in Windows that have already been fixed.
>
> To ENSURE that you have ALL of the hot fixes for your system installed
> and applied, please visit the following URL and run the scanner. This
> will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
>
> http://www.microsoft.com/technet/mpsa/start.asp
>
> Run the scanner and it will tell you what hotfixes you're missing.
>
> Sincerely... Slade @ Here, Inc.
>
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>



