Re: [imail] Nimda Virus

Chad Heugel Wed, 19 Sep 2001 16:55:04 -0700
Sorry, it cut the hyperlink off the Article #.

http://support.microsoft.com/directory/article.asp?id=KB;EN-US;q307608

-Chh2
----- Original Message -----
From: "Chad Heugel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 8:19 PM
Subject: Re: [imail] Nimda Virus


> Detailed instructions for installing and using it are available in the
> download package, or in Microsoft Knowledge Base article Q307608.
>
> The above also found at the bottom of the technet page which you were
> referred to.
>
> -Chh2
>
> ----- Original Message -----
> From: "Neil H." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 19, 2001 8:11 PM
> Subject: Re: [imail] Nimda Virus
>
>
> > Maybe I am dumb but I ran the setup now what?!
> >
> > Neil
> >
> > ----- Original Message -----
> > From: "David Rolling" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 19, 2001 7:58 PM
> > Subject: RE: [imail] Nimda Virus
> >
> >
> > > No I don't disagree it works.. but you can see how much a time and
> energy
> > a
> > > day will make if you don't follow some of the security lists.. they
have
> > > saved me countless times even though I go to MS's site for updates
> > daily...
> > >
> > > David Rolling
> > > www.infovue.net
> > > President
> > > 877-722-2162
> > > ========================================================
> > > On the Plains of Hesitation, Bleach the Bones of Countless
> > > Millions Who,
> > > at the Dawn of Victory, Sat Down to Wait and Waiting Died
> > > =========================================================
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > ACarroll
> > > Sent: Wednesday, September 19, 2001 7:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [imail] Nimda Virus
> > >
> > >
> > > David,
> > >
> > > I guess you don't disagree that it works and would have solved the
> > > problem? Also if Microsoft would have made this a standard with IIS
> > > years ago then none of these Viruses would have been a problem! So, my
> > > dll shows that it was released 9/11/2001 at 4 pm. And I only found out
> > > about it today. I guess it doesn't matter about weeks.
> > >
> > > Andrew
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > David Rolling
> > > Sent: Wednesday, September 19, 2001 7:21 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [imail] Nimda Virus
> > >
> > > well your wrong there.. MS released this almost 3 weeks ago..
> > >
> > > David Rolling
> > > www.infovue.net
> > > President
> > > 877-722-2162
> > > ========================================================
> > > On the Plains of Hesitation, Bleach the Bones of Countless
> > > Millions Who,
> > > at the Dawn of Victory, Sat Down to Wait and Waiting Died
> > > =========================================================
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > ACarroll
> > > Sent: Wednesday, September 19, 2001 7:09 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [imail] Nimda Virus
> > >
> > >
> > > Your right and your wrong. If Microsoft would have released this
before,
> > > this would have stop a lot of problems with virus. This attack by the
> > > "Nimda" is much worse to me as bandwidth problem in that the infected
> > > machine, I had no problems with my machines yet but the Other infected
> > > machine in the same class B subnet keep sending the following
> > > (Admin.dll%20e:\Admin.dll /winnt/system32/cmd.exe?/c+dir Etc...). Well
> > > the Imail web server has to answer this inquiry with a refresh page in
> > > my case Killerwebmail which is lot bigger than IIS 404 page. Both are
a
> > > problem, so this software solve this problem by sending a very small
> > > response or redirect to the attacking server.
> > >
> > > Andrew
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > Jonathan
> > > Sent: Wednesday, September 19, 2001 6:37 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [imail] Nimda Virus
> > >
> > > All? hehe .. all it does is do some filtering and bounds checking of
> > > against requests and posts to the server, as well as filtering some of
> > > the
> > > available options.  Do not mistake this as a conclusive measure
against
> > > all
> > > attacks, it's only a filter. Many good admins have taken these same
> > > precautions years ago, with custom isapi filters.
> > >
> > > Jonathan
> > >
> > > At 06:04 PM 9/19/2001 -0400, you wrote:
> > >
> > > >Here is a very well keep secret from Microsoft. This will slove all
> > > >present and future virus problem with out pataches.
> > > >
> > >
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
> > > r
> > > >ity/tools/URLscan.asp
> > > >
> > > >
> > > >Andrew
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > >Slade
> > > >Sent: Wednesday, September 19, 2001 10:28 AM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: RE: [imail] Nimda Virus
> > > >
> > > >The issue that allows the exploit was addressed by Microsoft in
October
> > > >of 2000. If people would keep up on hot fixes, critical updates, and
> > > >service packs, people wouldn't would minimize the issues caused these
> > > >Trojans that use back doors in Windows that have already been fixed.
> > > >
> > > >To ENSURE that you have ALL of the hot fixes for your system
installed
> > > >and applied, please visit the following URL and run the scanner. This
> > > >will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
> > > >
> > > >         http://www.microsoft.com/technet/mpsa/start.asp
> > > >
> > > >Run the scanner and it will tell you what hotfixes you're missing.
> > > >
> > > >Sincerely... Slade @ Here, Inc.
> > > >
> > > >______________________________________________
> > > >Make your mark today on the Internet. Register your
> > > >new domain today at www.RocketNIC.com for only
> > > >$12.95 per year!
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > >Jason Williamson
> > > >Sent: Wednesday, September 19, 2001 7:13 AM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: RE: [imail] Nimda Virus
> > > >
> > > >
> > > >I'm running win2k advanced server with SP2 and have had no trouble.
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > >Webmaster Oilfield Directory
> > > >Sent: Wednesday, September 19, 2001 2:43 AM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: RE: [imail] Nimda Virus
> > > >
> > > >
> > > >This is the new security roll up package from microsoft at
> > > >www.microsoft.com/ntserver/sp6asrp.asp for NT 4.0 check it out... it
> > > >also says that any win2k system and i quote them "A new worm is
> > > >affecting many customers. However, systems that are up to date on
> > > >security patches are at little risk from it." Microsoft...
> > > >
> > > >Take it for what it's worth...
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > >Chad Heugel
> > > >Sent: Tuesday, September 18, 2001 8:55 PM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Re: [imail] Nimda Virus
> > > >
> > > >
> > > >There was another update to NT4 they released, I believe it was July
26
> > > >or 27th of this year, that included all service releases since SP6a
up
> > > >until that date and should have included the original patch that
should
> > > >fix the vulnerability. It would essentially be Service pack 7 IMO,
but
> > > >was not released with that designation.
> > > >
> > > >On the servers where that was installed via windowsupdate on the NT4
> > > >boxes they so far have shown no signs of infection to this point. As
> > > >have all SP2 Win2k machines. A few older NT4 boxes tho have shown
these
> > > >signs, and even after cleaning, not quite sure if they have been
> > > >'cleansed' because they are still behaving strangely.
> > > >
> > > >I could be wrong, but this is only what I 'believe' to know as true.
:)
> > > >
> > > >-Chh2
> > > >----- Original Message -----
> > > >From: "Charles Frolick" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Tuesday, September 18, 2001 10:18 PM
> > > >Subject: RE: [imail] Nimda Virus
> > > >
> > > >
> > > > > Tell me about it.  I still have two nt4.0, sp6a bricks.  About to
> > > try
> > > > > reapplying sp6a, hope that works.  Bummer is one of the boxes is
my
> > > >secured
> > > > > site, and I don't have a backup of the key, and key manager says
> > > > > access denied, along with a bunch of other really needed files. If
> > > it
> > > > > weren't for cmd.com and it's utils I'd wouldn't be able to do much
> > > of
> > > > > anything. Would
> > > >be
> > > > > nice if I still had all the dos utils, got too used to doing it
GUI
> > > > > (all
> > > >the
> > > > > floppies are probably past shelf life anyway).
> > > > >
> > > > > Chuck Frolick
> > > > > ArgoNet, Inc.
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of
> > > > > David Rolling
> > > > > Sent: Tuesday, September 18, 2001 8:38 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [imail] Nimda Virus
> > > > >
> > > > >
> > > > > great list but you forgot about me*.tmp.exe files these are the
base
> > > > > files for the mep*.tmp.exe files and can be reload by the
iexplorer
> > > > > .exe the mmc.exe and winzip32.exe,MAPI32.DLL,MPR.DLL,system.ini
> > > files
> > > > > this is the worst virus/worm I have eve seen since being online
for
> > > 5+
> > > >
> > > > > years..
> > > > >
> > > > >
> > > > > David Rolling
> > > > > www.infovue.net
> > > > > President
> > > > > 877-722-2162
> > > ========================================================
> > > > > On the Plains of Hesitation, Bleach the Bones of Countless
> > > > > Millions Who,
> > > > > at the Dawn of Victory, Sat Down to Wait and Waiting Died
> > > > > =========================================================
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of
> > > > > Scot Desort
> > > > > Sent: Tuesday, September 18, 2001 9:31 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: [imail] Nimda Virus
> > > > >
> > > > >
> > > > > I have cleaned (I think) one Win2k server. Here are the steps I
> > > >followed:
> > > > >
> > > > > Here's some suggestions that I've used successfully (so far at
> > > least).
> > > > > YMMV.
> > > > >
> > > > > Be sure and check your "Guest" user account.  The worm will enable
> > > it
> > > >and
> > > > > also put it in the local administrators group.
> > > > >
> > > > > To fix the web pages:
> > > > > Open one of them in notepad or something and look at the last line
> > > of
> > > >the
> > > > > file.  You should see:
> > > > > <html><script language="JavaScript">window.open("readme.eml",
null,
> > > > > "resizable=no,top=6000,left=6000")</script></html>
> > > > >
> > > > > I used Search & Replace from www.funduc.com to search for this
> > > string
> > > >in
> > > >all
> > > > > *.htm, *.html, and *.asp files and remove it.
> > > > >
> > > > > Search for readme.eml, .eml, .nws, admin.dll, readme.exe,
> > > >riched20.dll.
> > > > > Delete them if the modified date on them is today.  Also, mmc.exe.
> > > >The
> > > >good
> > > > > one should be in \winnt\system32 and will be a larger file size.
> > > Note
> > > > > admin.dll is a valid file for Front Page and will have a smaller
> > > file
> > > >size
> > > > > and different date.
> > > > >
> > > > > Search for MEP*.TMP.EXE in the \temp directory and delete them.
> > > > >
> > > > > Look for root.exe in your web directories and remove it.
> > > > >
> > > > > Remove the drive shares on the root of your drives.
> > > > >
> > > > > Other files to look for are load.exe and a modified system.ini.  I
> > > did
> > > >not
> > > > > see these on NT.
> > > > >
> > > > > I also re-applied SP2 and rebooted.
> > > > >
> > > > > --
> > > > > Scot
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Charles Frolick" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Tuesday, September 18, 2001 7:25 PM
> > > > > Subject: RE: [imail] Nimda Virus
> > > > >
> > > > >
> > > > > > Has anyone actually been able to completely remove the virus
from
> > > >their
> > > > > > system and return to normal?  I have used several scanners, and
> > > >manually
> > > > > did
> > > > > > everything I can find documented and still I have two servers
that
> > > > > > essentially paper weights since I cannot connect them to the
> > > >network,
> > > >and
> > > > > > they keep losing more and more functionality. (First lost use of
> > > > > > Explorer.exe to serial crashing, now several programs are saying
> > > >access
> > > > > > denied.)
> > > > > >
> > > > > > Chuck Frolick
> > > > > > ArgoNet, Inc.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf
> > > Of
> > > > > > Jasmine
> > > > > > Sent: Tuesday, September 18, 2001 3:37 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [imail] Nimda Virus
> > > > > >
> > > > > >
> > > > > > Has anyone found a separate virus removal tool that does not
rely
> > > on
> > > >anti-
> > > > > > virus software yet?
> > > > > >
> > > > > > Thanks.
> > > > > > J.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > >
>______________________________________________________________________
> > > > > > The HKSI-IMail Admin List is hosted by........ Humankind
Systems,
> > > >Inc.
> > > > > > Questions, Comments or Complain like Hell..
> > > >mailto:[EMAIL PROTECTED]
> > > > > > Message Archive...
> > > >http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > > > To Manage your Subscription.........
> > > >http://humankindsystems.com/lists
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > >
>______________________________________________________________________
> > > > > > The HKSI-IMail Admin List is hosted by........ Humankind
Systems,
> > > >Inc.
> > > > > > Questions, Comments or Complain like Hell..
> > > >mailto:[EMAIL PROTECTED]
> > > > > > Message Archive...
> > > >http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > > > To Manage your Subscription.........
> > > >http://humankindsystems.com/lists
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > ______________________________________________________________________
> > > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> > > Inc.
> > > > > Questions, Comments or Complain like Hell..
> > > mailto:[EMAIL PROTECTED]
> > > > > Message Archive...
> > > http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > > To Manage your Subscription.........
> > > http://humankindsystems.com/lists
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > ______________________________________________________________________
> > > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> > > Inc.
> > > > > Questions, Comments or Complain like Hell..
> > > mailto:[EMAIL PROTECTED]
> > > > > Message Archive...
> > > http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > > To Manage your Subscription.........
> > > http://humankindsystems.com/lists
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > ______________________________________________________________________
> > > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems,
> > > Inc.
> > > > > Questions, Comments or Complain like Hell..
> > > mailto:[EMAIL PROTECTED]
> > > > > Message Archive...
> > > http://www.tallylist.com/archives/index.cfm/mlist.4
> > > > > To Manage your Subscription.........
> > > http://humankindsystems.com/lists
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
>______________________________________________________________________
> > > >The HKSI-IMail Admin List is hosted by........ Humankind Systems,
Inc.
> > > >Questions, Comments or Complain like Hell..
mailto:[EMAIL PROTECTED]
> > > >Message Archive...
http://www.tallylist.com/archives/index.cfm/mlist.4
> > > >To Manage your Subscription.........
http://humankindsystems.com/lists
> > > >
> > > >
> > > >
> > > >
> > >
>______________________________________________________________________
> > > >The HKSI-IMail Admin List is hosted by........ Humankind Systems,
Inc.
> > > >Questions, Comments or Complain like Hell..
mailto:[EMAIL PROTECTED]
> > > >Message Archive...
http://www.tallylist.com/archives/index.cfm/mlist.4
> > > >To Manage your Subscription.........
http://humankindsystems.com/lists
> > > >
> > > >
> > > >
> > > >
> > >
>______________________________________________________________________
> > > >The HKSI-IMail Admin List is hosted by........ Humankind Systems,
Inc.
> > > >Questions, Comments or Complain like Hell..
mailto:[EMAIL PROTECTED]
> > > >Message Archive...
http://www.tallylist.com/archives/index.cfm/mlist.4
> > > >To Manage your Subscription.........
http://humankindsystems.com/lists
> > > >
> > > >
> > > >
> > > >
> > >
>______________________________________________________________________
> > > >The HKSI-IMail Admin List is hosted by........ Humankind Systems,
Inc.
> > > >Questions, Comments or Complain like Hell..
mailto:[EMAIL PROTECTED]
> > > >Message Archive...
http://www.tallylist.com/archives/index.cfm/mlist.4
> > > >To Manage your Subscription.........
http://humankindsystems.com/lists
> > > >
> > > >
> > > >
> > > >
> > >
>______________________________________________________________________
> > > >The HKSI-IMail Admin List is hosted by........ Humankind Systems,
Inc.
> > > >Questions, Comments or Complain like Hell..
mailto:[EMAIL PROTECTED]
> > > >Message Archive...
http://www.tallylist.com/archives/index.cfm/mlist.4
> > > >To Manage your Subscription.........
http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
> > >
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
> > >
> >
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
> >
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>




______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
Re: [imail] Nimda Virus

Reply via email to
