James-

First - please note that we had it hit a Win2K server.

The mmc.exe file we had in our winnt directory was the worm. The correct
location for the Microsoft version of that file is winnt/system32. We
deleted the file in our winnt directory without any problem. The size was
57K.

Admin.dll - I just checked a clean NT4/SP6a server I have and I do NOT have
admin.dll in my MSADC directory. Looks like it's probably OK to delete from
there. I do not believe it is a modified file - it is a new file placed
there by the worm because that directory is often improperly set to Everyone
full control or everyone RWX. An NT/Win2k server with Frontpage extensions
will have valid admin.dll files installed - the admin.dll file(s) I have are
small -- about 15K. The admin.dll that is the worm will be the same size as
the mmc.exe file -- 57K.

We deleted the files we thought were bad, then without rebooting, we
re-applied SP2, then rebooted. This way, if we wiped the wrong file, SP
would most likely re-install it anyway. And in Win2K, you have that WFP
which sort of prevents you from deleting a protected Windows file anyway. No
such beast in NT4.

As always, make sure your Monday backup is good.

--
Scot
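As an added example (not code from any poster in this thread, nor from Microsoft), here is a Python scan-and-repair script for the leftovers Scot and James describe: mmc.exe sitting outside system32, admin.dll dropped into the msadc directory, the .eml files scattered through every folder, and .htm/.html/.asp files whose last line carries the JavaScript that pushes readme.eml at the browser. The exact injected script text is not given in the thread, so the pattern below (a script block mentioning readme.eml) is an assumption, and the sample directory tree is constructed for the demonstration.

```python
import os, re, tempfile
from pathlib import Path

# Loose pattern for the appended script; the thread only says it references
# readme.eml, so matching any <script> block that mentions it is an assumption.
INJECT_RE = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)
WEB_EXTS = (".htm", ".html", ".asp")

def scan_tree(root):
    """Return (path, reason) pairs for files matching the leftovers described in the thread."""
    findings = []
    for dirpath, _, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low == "mmc.exe" and parent != "system32":
                findings.append((path, "mmc.exe outside system32"))
            elif low == "admin.dll" and parent == "msadc":
                findings.append((path, "admin.dll in msadc"))
            elif low.endswith(".eml"):
                findings.append((path, "dropped .eml"))
            elif low.endswith(WEB_EXTS):
                tail = Path(path).read_bytes()[-512:].decode("latin-1")  # injection is at the end
                if INJECT_RE.search(tail):
                    findings.append((path, "injected readme.eml script"))
    return findings

def repair_web_file(path):
    """Strip the injected script block; return True if the file was changed."""
    data = Path(path).read_bytes().decode("latin-1")
    cleaned, n = INJECT_RE.subn("", data)
    if n:
        Path(path).write_bytes(cleaned.rstrip().encode("latin-1") + b"\n")
    return n > 0

def build_sample_tree():
    """Constructed throwaway tree mimicking the NT layout in the thread (not real worm data)."""
    root = tempfile.mkdtemp()
    layout = {
        "winnt/mmc.exe": b"X" * (57 * 1024),  # 57K copy dropped by the worm
        "winnt/system32/mmc.exe": b"MZ legit copy",
        "Program Files/Common Files/System/msadc/admin.dll": b"X" * (57 * 1024),
        "web/index.htm": b'<html><body>ok</body></html>\n<script>window.open("readme.eml")</script>\n',
        "web/readme.eml": b"constructed",
    }
    for rel, content in layout.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root
```

Run `scan_tree` on a suspect tree first and review the list before calling `repair_web_file`, since a legitimate page that happens to reference a file named readme.eml would also match the assumed pattern.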



----- Original Message -----
From: "James Cousineau" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 1:24 PM
Subject: RE: [imail] Nimda Virus


> More questions - maybe you can help Scot, or maybe someone else on the list.
>
> We are back up and running!  The SP6a reinstall did the trick at fixing our
> asp.dll and explorer.exe
>
> We are correcting all our web files, but are faced with trying to delete two
> (2) critical infected files.
>
> Admin.dll - we have a few of these on our system, and I am sure of the one
> to delete but would like some reassurance of our choice. We have Admin.dll,
> modified dated yesterday (date of infection), located in Program
> Files/Common Files/System/msadc.
> Can this be safely deleted?  Norton will not allow deletion, but we can
> disable Norton first.  Is this a proper system file that has been modified
> by NIMDA, or installed by NIMDA and can be safely deleted?
>
> We also have 2 mmc.exe files.  One located in the WINNT directory (small 57k
> file - dated yesterday infection date) and one located (as I think it
> belongs) in the WINNT/SYSTEM32 folder.
>
> If we do delete and then reinstall the SP6a again, will this correct our
> error of deletion if wrong choice is made?
>
> Typical for MS to state "simply reinstall your NT OS" but that is time
> consuming, expensive for us (as the servers are in a New Jersey server farm
> and we are in Toronto Canada), will take days to complete due to reinstall
> of so much else, and possibly not necessary.
>
> Any comments appreciated.
>
> James Cousineau
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> James Cousineau
> Sent: Wednesday, September 19, 2001 12:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
>
> Scot,
>
> NT4, SP6
>
> I had an .eml file in every single folder on the server.  These files were
> not all readme.eml  We had readme.eml, birthday.eml, christmas tree.eml,
> adobepdf.eml, setup.eml, and many more ....  This made it hard to confirm
> deletion.
>
> We deleted the destructive root.exe, the offending Admin.dll, and mmc.exe
>
> We are fixing the .asp, .html, .htm files as we speak - as you say - easiest
> part.
>
> I am about to run the SP6 again to see if that corrects our problems ...
> will update later.
>
> JC
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Scot Desort
> Sent: Wednesday, September 19, 2001 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [imail] Nimda Virus
>
>
> James-
>
> What server are you running -- NT4 or W2K?
>
> I'm curious because I have heard others who have been hit that had infected
> OS files, and others, such as myself, who did not have any OS file affected.
> The worm simply deposited tons of readme.eml files, admin.dll and mmc.exe,
> and modified the last line of .htm, .html, and .asp files. All of this was
> readily repairable.
>
> Our server *appears* to be working fine now.
>
> After you stopped further infection, did you get rid of the virus itself
> (admin.dll, mmc.exe and readme.exe)? Then did you re-apply your service
> pack? The reapplication of your service pack should place a new asp.dll and
> explorer.exe onto the disk to correct damage to those files. Or is it that
> you can't even run the service pack?
>
> The repairs to the .htm files are easy to correct. Either pull them off of
> Monday night's tape, or scan the contents of the files using Ultraedit or
> John Cesta's free util to pull out the javascript code used to send the worm
> to a browser client. Took me all of 5 minutes to do this for 800 .htm and
> .asp files.
>
> Good luck.
>
> --
> Scot
>
>
>
> ----- Original Message -----
> From: "James Cousineau" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 19, 2001 12:19 PM
> Subject: RE: [imail] Nimda Virus
>
>
> >
> > I cannot fully agree.  We have always kept up with patches supplied by MS.
> > The only one that was not applied in time was the last patch issued on the
> > fateful day of Sept. 11.  Patches were downloaded but not installed for
> > various reasons - what happened on that day that affected all of the free
> > world, and personal medical problems (hospitalization).  We had installed
> > all patches before that, and many have said that if anybody had patched for
> > Code Red then you would be OK - we were hit!  3143 infected files, able to
> > delete 940 files, repair 1752 files, but are left with over 500 files that
> > no one knows how to fix as of this date and time, a damaged Explorer.exe and
> > asp.dll - our websites run on ASP files.  Approx. 50 web sites that require
> > repairs to .asp, .html, and .htm files.
> >
> > I got our IMail server back up and running, although 1 file is still
> > infected that cannot be repaired.  But it does not seem to be affecting
> > much.  Much work lies ahead to fully repair our servers - if they can be.
> >
> > Overburdened IT staff, in most companies, cannot keep up with all that needs
> > done.  Patches, such as this, are just added to the list of "things to do".
> >
> > Solutions?  More expense, hardware firewalls, stronger and more costly
> > anti-virus software installed, additional IT staff to keep up with patches,
> > updates, and ..... the list goes on.  It is indeed the greatest IT challenge
> > ever faced.  Companies of any consequence now require a full-time IT
> > security employee with authority to utilize an "immediate expense" budget -
> > with today's cyber attacks there is no time for a meeting to discuss what
> > has to be spent and why.
> >
> > This is the first time I have ever been caught by any virus or worm
> > (business or personal) - and I've been around for a long time.  You feel
> > defeated and embarrassed that it could have happened to you.
> >
> > James Cousineau
> > VP Marketing and IT Management
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > Barrie - Canada 705.722.3674
> > "Home is where I hang my @"
> > --------------------------------------------------------
> > CareerTek.org Inc.   www.careertek.org <http://www.careertek.org>
> > 170 Attwell Dr., Suite 640
> > Toronto, ON Canada M9W 5Z5
> > Toll Free 866.679.8688
> > Tel: 416.679.8688  Fax: 416.679.8684
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Slade
> > Sent: Wednesday, September 19, 2001 10:28 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [imail] Nimda Virus
> >
> >
> > The issue that allows the exploit was addressed by Microsoft in October
> > of 2000. If people would keep up on hot fixes, critical updates, and
> > service packs, people would minimize the issues caused by these
> > Trojans that use back doors in Windows that have already been fixed.
> >
> > To ENSURE that you have ALL of the hot fixes for your system installed
> > and applied, please visit the following URL and run the scanner. This
> > will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
> >
> > http://www.microsoft.com/technet/mpsa/start.asp
> >
> > Run the scanner and it will tell you what hotfixes you're missing.
> >
> > Sincerely... Slade @ Here, Inc.
> >
> >
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
> >
>
>
>
