Thanks Scot,

Confirming my diagnosis - never hurts, as you always doubt your own
knowledge base in something so critical.  Personally I use W2K Server as my
OS in my office and we will be rebuilding our IIS/SQL Servers and upgrading
to W2K Server, SQL7, and hardware firewall soon.  Glad to get rid of the
dinosaur NT4!

Will delete the files, reinstall SP6a, and reboot.

Thanks for the help and support!

JC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scot Desort
Sent: Wednesday, September 19, 2001 1:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [imail] Nimda Virus


James-

First - please note that we had it hit a Win2K server.

The mmc.exe file we had in our winnt directory was the worm. The correct
location for the Microsoft version of that file is winnt/system32. We
deleted the file in our winnt directory without any problem. The size was
57K.

Admin.dll - I just checked a clean NT4/SP6a server I have and I do NOT have
admin.dll in my MSADC directory. Looks like it's probably OK to delete from
there. I do not believe it is a modified file - it is a new file placed
there by the worm because that directory is often improperly set to Everyone
full control or everyone RWX. An NT/Win2k server with FrontPage extensions
will have valid admin.dll files installed - the admin.dll file(s) I have are
small -- about 15K. The admin.dll that is the worm will be the same size as
the mmc.exe file -- 57K.

We deleted the files we thought were bad, then without rebooting, we
re-applied SP2, then rebooted. This way, if we wiped the wrong file, SP
would most likely re-install it anyway. And in Win2K, you have that WFP
which sort of prevents you from deleting a protected Windows file anyway. No
such beast in NT4.

As always, make sure your Monday backup is good.

--
Scot
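
A file-system triage pass built on the indicators described in the message above, as an added example that is not part of the original e-mail thread. The size tolerance, the function names and the sample directory tree are assumptions of the example; the 57K and 15K figures are the approximate sizes quoted in the message.

```python
import os
import tempfile

# Approximate sizes quoted in the thread ("57K", "about 15K").
# The tolerance band is an assumption of this example.
WORM_SIZE = 57 * 1024
TOLERANCE = 2 * 1024


def near_worm_size(size):
    return abs(size - WORM_SIZE) <= TOLERANCE


def triage(root):
    """Return sorted (relative_path, reason) pairs for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lname = name.lower()
            if lname == "mmc.exe" and parent != "system32":
                findings.append((rel, "mmc.exe outside system32"))
            elif lname == "admin.dll" and parent == "msadc":
                findings.append((rel, "admin.dll in MSADC"))
            elif lname == "admin.dll" and near_worm_size(os.path.getsize(path)):
                findings.append((rel, "admin.dll near 57K"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample layout; paths and file contents are made up."""
    sample = {
        "winnt/mmc.exe": WORM_SIZE,               # wrong directory
        "winnt/system32/mmc.exe": 100 * 1024,     # expected location
        "msadc/admin.dll": WORM_SIZE,             # absent on a clean server
        "fpext/admin.dll": 15 * 1024,             # small, legitimate size
        "webroot/scripts/Admin.dll": WORM_SIZE,   # same size as the bad mmc.exe
    }
    for rel, size in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for rel, reason in triage(demo):
            print(f"{reason:28} {rel}")
```

The output is a list for manual review, not a deletion list: a name and size match is a lead to compare against a known-clean server, as the message does.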





______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
