More questions - maybe you can help Scot, or maybe someone else on the list.
We are back up and running! The SP6a reinstall did the trick at fixing our
asp.dll and explorer.exe.
We are correcting all our web files, but are faced with trying to delete two
(2) critical infected files.
Admin.dll - we have a few of these on our system, and I am sure of the one
to delete but would like some reassurance of our choice. We have Admin.dll,
modified dated yesterday (date of infection), located in Program
Files/Common Files/System/msadc.
Can this be safely deleted? Norton will not allow deletion, but we can
disable Norton first. Is this a proper system file that has been modified
by NIMDA, or installed by NIMDA and can be safely deleted?
We also have 2 mmc.exe files. One located in the WINNT directory (small 57k
file - dated yesterday infection date) and one located (as I think it
belongs) in the WINNT/SYSTEM32 folder.
If we do delete and then reinstall the SP6a again, will this correct our
error of deletion if wrong choice is made?
Typical for MS to state "simply reinstall your NT OS" but that is time
consuming, expensive for us (as the servers are in a New Jersey server farm
and we are in Toronto Canada), will take days to complete due to reinstall
of so much else, and possibly not necessary.
Any comments appreciated.
James Cousineau
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
James Cousineau
Sent: Wednesday, September 19, 2001 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [imail] Nimda Virus
Scot,
NT4, SP6
I had an .eml file in every single folder on the server. These files were
not all readme.eml. We had readme.eml, birthday.eml, christmas tree.eml,
adobepdf.eml, setup.eml, and many more .... This made it hard to confirm
deletion.
We deleted the destructive root.exe, the offending Admin.dll, and mmc.exe.
We are fixing the .asp, .html, .htm files as we speak - as you say - easiest
part.
I am about to run the SP6 again to see if that corrects our problems ...
will update later.
JC
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scot Desort
Sent: Wednesday, September 19, 2001 12:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [imail] Nimda Virus
James-
What server are you running -- NT4 or W2K?
I'm curious because I have heard others who have been hit that had infected
OS files, and others, such as myself, who did not have any OS file affected.
The worm simply deposited tons of readme.eml files, admin.dll and mmc.exe,
and modified the last line of .htm, .html, and .asp files. All of this was
readily repairable.
Our server *appears* to be working fine now.
After you stopped further infection, did you get rid of the virus itself
(admin.dll, mmc.exe and readme.exe)? Then did you re-apply your service
pack? The reapplication of your service pack should place a new asp.dll and
explorer.exe onto the disk to correct damage to those files. Or is it that
you can't even run the service pack?
The repairs to the .htm files are easy to correct. Either pull them off of
Monday night's tape, or scan the contents of the files using Ultraedit or
John Cesta's free util to pull out the javascript code used to send the worm
to a browser client. Took me all of 5 minutes to do this for 800 .htm and
.asp files.
Good luck.
--
Scot
----- Original Message -----
From: "James Cousineau" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 12:19 PM
Subject: RE: [imail] Nimda Virus
>
> I cannot fully agree. We have always kept up with patches supplied by MS.
> The only one that was not applied in time was the last patch issued on the
> fateful day of Sept. 11. Patches were downloaded but not installed for
> various reasons - what happened on that day that affected all of the free
> world, and personal medical problems (hospitalization). We had installed
> all patches before that, and many have said that if anybody had patched for
> Code Red then you would be OK - we were hit! 3143 infected files, able to
> delete 940 files, repair 1752 files, but are left with over 500 files that
> no one knows how to fix as of this date and time, a damaged Explorer.exe and
> asp.dll - our websites run on ASP files. Approx. 50 web sites that require
> repairs to .asp, .html, and .htm files.
>
> I got our IMail server back up and running, although 1 file is still
> infected that cannot be repaired. But it does not seem to be affecting
> much. Much work lies ahead to fully repair our servers - if they can be.
>
> Overburdened IT staff, in most companies, cannot keep up with all that needs
> done. Patches, such as this, are just added to the list of "things to do".
>
> Solutions? More expense, hardware firewalls, stronger and more costly
> anti-virus software installed, additional IT staff to keep up with patches,
> updates, and ..... the list goes on. It is indeed the greatest IT challenge
> ever faced. Companies of any consequence now require a full-time IT
> security employee with authority to utilize an "immediate expense" budget -
> with today's cyber attacks there is no time for a meeting to discuss what
> has to be spent and why.
>
> This is the first time I have ever been caught by any virus or worm
> (business or personal) - and I've been around for a long time. You feel
> defeated and embarrassed that it could have happened to you.
>
> James Cousineau
> VP Marketing and IT Management
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Barrie - Canada 705.722.3674
> "Home is where I hang my @"
> --------------------------------------------------------
> CareerTek.org Inc. www.careertek.org <http://www.careertek.org>
> 170 Attwell Dr., Suite 640
> Toronto, ON Canada M9W 5Z5
> Toll Free 866.679.8688
> Tel: 416.679.8688 Fax: 416.679.8684
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Slade
> Sent: Wednesday, September 19, 2001 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
>
> The issue that allows the exploit was addressed by Microsoft in October
> of 2000. If people would keep up on hot fixes, critical updates, and
> service packs, they would minimize the issues caused by these
> Trojans that use back doors in Windows that have already been fixed.
>
> To ENSURE that you have ALL of the hot fixes for your system installed
> and applied, please visit the following URL and run the scanner. This
> will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
>
> http://www.microsoft.com/technet/mpsa/start.asp
>
> Run the scanner and it will tell you what hotfixes you're missing.
>
> Sincerely... Slade @ Here, Inc.
>
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
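Scot's cleanup advice above (scan the .htm/.html/.asp files and pull the trailing JavaScript line that opens the dropped .eml file, and find the .eml files the worm left in every folder) as a small Python script. This is an added example, not a tool from the thread or John Cesta's utility; the sample pages, the injected line, and the file names are constructed here for the self-test, and .eml files are only reported, never deleted.

```python
import re
import tempfile
from pathlib import Path

# Trailing <script> block that references a .eml file (the "readme.eml" line
# appended to pages). Only a block at the very end of the file matches.
INJECTED_RE = re.compile(
    r'(?:<html>\s*)?<script[^>]*>[^<]*\.eml[^<]*</script>\s*(?:</html>\s*)?$',
    re.IGNORECASE,
)
WEB_EXTS = {'.htm', '.html', '.asp'}

def strip_injected_script(text: str) -> tuple:
    """Return (cleaned_text, was_modified) for the contents of one page."""
    cleaned, hits = INJECTED_RE.subn('', text)
    return (cleaned.rstrip() + '\n', True) if hits else (text, False)

def clean_tree(root: Path, dry_run: bool = True) -> dict:
    """Report dropped .eml files and injected pages; rewrite pages only if dry_run=False."""
    report = {'eml_files': [], 'modified_pages': []}
    for p in sorted(q for q in root.rglob('*') if q.is_file()):
        ext = p.suffix.lower()
        if ext == '.eml':
            report['eml_files'].append(p.name)
        elif ext in WEB_EXTS:
            cleaned, hit = strip_injected_script(p.read_text(encoding='latin-1'))
            if hit:
                report['modified_pages'].append(p.name)
                if not dry_run:
                    p.write_text(cleaned, encoding='latin-1')
    return report

# Constructed sample site (not from a real infection) used by demo().
CLEAN_PAGE = '<html><body><h1>Hello</h1></body></html>\n'
INJECTED_LINE = ('<html><script language="JavaScript">window.open("readme.eml", '
                 'null, "resizable=no")</script></html>\n')

def demo() -> dict:
    """Build the sample tree in a temp dir, clean it, and return the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'sub').mkdir()
        (root / 'index.htm').write_text(CLEAN_PAGE + INJECTED_LINE, encoding='latin-1')
        (root / 'sub' / 'about.asp').write_text(CLEAN_PAGE, encoding='latin-1')
        (root / 'sub' / 'readme.eml').write_text('constructed placeholder\n')
        report = clean_tree(root, dry_run=False)
        report['index_after'] = (root / 'index.htm').read_text(encoding='latin-1')
        return report
```

Run `clean_tree(Path('C:/Inetpub/wwwroot'))` with the default `dry_run=True` first to see the list of affected files before letting it rewrite anything.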