Re: [imail] Nimda Virus

Neil H. Wed, 19 Sep 2001 16:43:18 -0700
Maybe I am dumb but I ran the setup now what?!

Neil

----- Original Message -----
From: "David Rolling" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 7:58 PM
Subject: RE: [imail] Nimda Virus


> No I don't disagree it works.. but you can see how much a time and energy
a
> day will make if you don't follow some of the security lists.. they have
> saved me countless times even though I go to MS's site for updates
daily...
>
> David Rolling
> www.infovue.net
> President
> 877-722-2162
> ========================================================
> On the Plains of Hesitation, Bleach the Bones of Countless
> Millions Who,
> at the Dawn of Victory, Sat Down to Wait and Waiting Died
> =========================================================
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> ACarroll
> Sent: Wednesday, September 19, 2001 7:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
>
> David,
>
> I guess you don't disagree that it works and would have solved the
> problem? Also if Microsoft would have made this a standard with IIS
> years ago then none of these Viruses would have been a problem! So, my
> dll shows that it was released 9/11/2001 at 4 pm. And I only found out
> about it today. I guess it doesn't matter about weeks.
>
> Andrew
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> David Rolling
> Sent: Wednesday, September 19, 2001 7:21 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
> well your wrong there.. MS released this almost 3 weeks ago..
>
> David Rolling
> www.infovue.net
> President
> 877-722-2162
> ========================================================
> On the Plains of Hesitation, Bleach the Bones of Countless
> Millions Who,
> at the Dawn of Victory, Sat Down to Wait and Waiting Died
> =========================================================
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> ACarroll
> Sent: Wednesday, September 19, 2001 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
>
> Your right and your wrong. If Microsoft would have released this before,
> this would have stop a lot of problems with virus. This attack by the
> "Nimda" is much worse to me as bandwidth problem in that the infected
> machine, I had no problems with my machines yet but the Other infected
> machine in the same class B subnet keep sending the following
> (Admin.dll%20e:\Admin.dll /winnt/system32/cmd.exe?/c+dir Etc...). Well
> the Imail web server has to answer this inquiry with a refresh page in
> my case Killerwebmail which is lot bigger than IIS 404 page. Both are a
> problem, so this software solve this problem by sending a very small
> response or redirect to the attacking server.
>
> Andrew
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Jonathan
> Sent: Wednesday, September 19, 2001 6:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Nimda Virus
>
> All? hehe .. all it does is do some filtering and bounds checking of
> against requests and posts to the server, as well as filtering some of
> the
> available options.  Do not mistake this as a conclusive measure against
> all
> attacks, it's only a filter. Many good admins have taken these same
> precautions years ago, with custom isapi filters.
>
> Jonathan
>
> At 06:04 PM 9/19/2001 -0400, you wrote:
>
> >Here is a very well keep secret from Microsoft. This will slove all
> >present and future virus problem with out pataches.
> >
> >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
> r
> >ity/tools/URLscan.asp
> >
> >
> >Andrew
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >Slade
> >Sent: Wednesday, September 19, 2001 10:28 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [imail] Nimda Virus
> >
> >The issue that allows the exploit was addressed by Microsoft in October
> >of 2000. If people would keep up on hot fixes, critical updates, and
> >service packs, people wouldn't would minimize the issues caused these
> >Trojans that use back doors in Windows that have already been fixed.
> >
> >To ENSURE that you have ALL of the hot fixes for your system installed
> >and applied, please visit the following URL and run the scanner. This
> >will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
> >
> >         http://www.microsoft.com/technet/mpsa/start.asp
> >
> >Run the scanner and it will tell you what hotfixes you're missing.
> >
> >Sincerely... Slade @ Here, Inc.
> >
> >______________________________________________
> >Make your mark today on the Internet. Register your
> >new domain today at www.RocketNIC.com for only
> >$12.95 per year!
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >Jason Williamson
> >Sent: Wednesday, September 19, 2001 7:13 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [imail] Nimda Virus
> >
> >
> >I'm running win2k advanced server with SP2 and have had no trouble.
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Webmaster Oilfield Directory
> >Sent: Wednesday, September 19, 2001 2:43 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [imail] Nimda Virus
> >
> >
> >This is the new security roll up package from microsoft at
> >www.microsoft.com/ntserver/sp6asrp.asp for NT 4.0 check it out... it
> >also says that any win2k system and i quote them "A new worm is
> >affecting many customers. However, systems that are up to date on
> >security patches are at little risk from it." Microsoft...
> >
> >Take it for what it's worth...
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Chad Heugel
> >Sent: Tuesday, September 18, 2001 8:55 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: [imail] Nimda Virus
> >
> >
> >There was another update to NT4 they released, I believe it was July 26
> >or 27th of this year, that included all service releases since SP6a up
> >until that date and should have included the original patch that should
> >fix the vulnerability. It would essentially be Service pack 7 IMO, but
> >was not released with that designation.
> >
> >On the servers where that was installed via windowsupdate on the NT4
> >boxes they so far have shown no signs of infection to this point. As
> >have all SP2 Win2k machines. A few older NT4 boxes tho have shown these
> >signs, and even after cleaning, not quite sure if they have been
> >'cleansed' because they are still behaving strangely.
> >
> >I could be wrong, but this is only what I 'believe' to know as true. :)
> >
> >-Chh2
> >----- Original Message -----
> >From: "Charles Frolick" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, September 18, 2001 10:18 PM
> >Subject: RE: [imail] Nimda Virus
> >
> >
> > > Tell me about it.  I still have two nt4.0, sp6a bricks.  About to
> try
> > > reapplying sp6a, hope that works.  Bummer is one of the boxes is my
> >secured
> > > site, and I don't have a backup of the key, and key manager says
> > > access denied, along with a bunch of other really needed files. If
> it
> > > weren't for cmd.com and it's utils I'd wouldn't be able to do much
> of
> > > anything. Would
> >be
> > > nice if I still had all the dos utils, got too used to doing it GUI
> > > (all
> >the
> > > floppies are probably past shelf life anyway).
> > >
> > > Chuck Frolick
> > > ArgoNet, Inc.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > David Rolling
> > > Sent: Tuesday, September 18, 2001 8:38 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [imail] Nimda Virus
> > >
> > >
> > > great list but you forgot about me*.tmp.exe files these are the base
> > > files for the mep*.tmp.exe files and can be reload by the iexplorer
> > > .exe the mmc.exe and winzip32.exe,MAPI32.DLL,MPR.DLL,system.ini
> files
> > > this is the worst virus/worm I have eve seen since being online for
> 5+
> >
> > > years..
> > >
> > >
> > > David Rolling
> > > www.infovue.net
> > > President
> > > 877-722-2162
> ========================================================
> > > On the Plains of Hesitation, Bleach the Bones of Countless
> > > Millions Who,
> > > at the Dawn of Victory, Sat Down to Wait and Waiting Died
> > > =========================================================
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Scot Desort
> > > Sent: Tuesday, September 18, 2001 9:31 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [imail] Nimda Virus
> > >
> > >
> > > I have cleaned (I think) one Win2k server. Here are the steps I
> >followed:
> > >
> > > Here's some suggestions that I've used successfully (so far at
> least).
> > > YMMV.
> > >
> > > Be sure and check your "Guest" user account.  The worm will enable
> it
> >and
> > > also put it in the local administrators group.
> > >
> > > To fix the web pages:
> > > Open one of them in notepad or something and look at the last line
> of
> >the
> > > file.  You should see:
> > > <html><script language="JavaScript">window.open("readme.eml", null,
> > > "resizable=no,top=6000,left=6000")</script></html>
> > >
> > > I used Search & Replace from www.funduc.com to search for this
> string
> >in
> >all
> > > *.htm, *.html, and *.asp files and remove it.
> > >
> > > Search for readme.eml, .eml, .nws, admin.dll, readme.exe,
> >riched20.dll.
> > > Delete them if the modified date on them is today.  Also, mmc.exe.
> >The
> >good
> > > one should be in \winnt\system32 and will be a larger file size.
> Note
> > > admin.dll is a valid file for Front Page and will have a smaller
> file
> >size
> > > and different date.
> > >
> > > Search for MEP*.TMP.EXE in the \temp directory and delete them.
> > >
> > > Look for root.exe in your web directories and remove it.
> > >
> > > Remove the drive shares on the root of your drives.
> > >
> > > Other files to look for are load.exe and a modified system.ini.  I
> did
> >not
> > > see these on NT.
> > >
> > > I also re-applied SP2 and rebooted.
> > >
> > > --
> > > Scot
> > >
> > >
> > > ----- Original Message -----
> > > From: "Charles Frolick" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 18, 2001 7:25 PM
> > > Subject: RE: [imail] Nimda Virus
> > >
> > >
> > > > Has anyone actually been able to completely remove the virus from
> >their
> > > > system and return to normal?  I have used several scanners, and
> >manually
> > > did
> > > > everything I can find documented and still I have two servers that
> > > > essentially paper weights since I cannot connect them to the
> >network,
> >and
> > > > they keep losing more and more functionality. (First lost use of
> > > > Explorer.exe to serial crashing, now several programs are saying
> >access
> > > > denied.)
> > > >
> > > > Chuck Frolick
> > > > ArgoNet, Inc.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
> Of
> > > > Jasmine
> > > > Sent: Tuesday, September 18, 2001 3:37 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [imail] Nimda Virus
> > > >
> > > >
> > > > Has anyone found a separate virus removal tool that does not rely
> on
> >anti-
> > > > virus software yet?
> > > >
> > > > Thanks.
> > > > J.
> > > >
> > > >
> > > >
> > > >
> >______________________________________________________________________
> > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> >Inc.
> > > > Questions, Comments or Complain like Hell..
> >mailto:[EMAIL PROTECTED]
> > > > Message Archive...
> >http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > To Manage your Subscription.........
> >http://humankindsystems.com/lists
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> >______________________________________________________________________
> > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> >Inc.
> > > > Questions, Comments or Complain like Hell..
> >mailto:[EMAIL PROTECTED]
> > > > Message Archive...
> >http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > To Manage your Subscription.........
> >http://humankindsystems.com/lists
> > > >
> > >
> > >
> > >
> > >
> > >
> ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> Inc.
> > > Questions, Comments or Complain like Hell..
> mailto:[EMAIL PROTECTED]
> > > Message Archive...
> http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription.........
> http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > >
> ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> Inc.
> > > Questions, Comments or Complain like Hell..
> mailto:[EMAIL PROTECTED]
> > > Message Archive...
> http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription.........
> http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > >
> > >
> ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> Inc.
> > > Questions, Comments or Complain like Hell..
> mailto:[EMAIL PROTECTED]
> > > Message Archive...
> http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription.........
> http://humankindsystems.com/lists
> > >
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>




______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
Re: [imail] Nimda Virus

Reply via email to
