I haven't tried to get it to work with Imail's webserver, but it helps protect
my IIS webservers; then I have Trend's ServerProtect monitoring all servers,
including my Imail server.
David Rolling
www.infovue.net
President
877-722-2162
========================================================
On the Plains of Hesitation, Bleach the Bones of Countless
Millions Who,
at the Dawn of Victory, Sat Down to Wait and Waiting Died
=========================================================
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob Fehn
Sent: Wednesday, September 19, 2001 9:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [imail] Nimda Virus
Are you guys saying you were able to get URLScan to work with
Imail's built in Web Server? If so, how?
Robert J. Fehn Sr. Senior Engineer
ProNet USA Inc.
International Internet Access
http://www.pro-usa.net
---------- Original Message ----------------------------------
From: "Chad Heugel" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 19 Sep 2001 20:19:23 -0400
>Detailed instructions for installing and using it are available in the
>download package, or in Microsoft Knowledge Base article Q307608.
>
>The above also found at the bottom of the technet page which you were
>referred to.
>
>-Chh2
>
>----- Original Message -----
>From: "Neil H." <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, September 19, 2001 8:11 PM
>Subject: Re: [imail] Nimda Virus
>
>
>> Maybe I am dumb but I ran the setup now what?!
>>
>> Neil
>>
>> ----- Original Message -----
>> From: "David Rolling" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Wednesday, September 19, 2001 7:58 PM
>> Subject: RE: [imail] Nimda Virus
>>
>>
>> > No I don't disagree it works.. but you can see how much a time and energy
>> > a day will make if you don't follow some of the security lists.. they have
>> > saved me countless times even though I go to MS's site for updates daily...
>> >
>> > David Rolling
>> >
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ACarroll
>> > Sent: Wednesday, September 19, 2001 7:47 PM
>> > To: [EMAIL PROTECTED]
>> > Subject: RE: [imail] Nimda Virus
>> >
>> >
>> > David,
>> >
>> > I guess you don't disagree that it works and would have solved the
>> > problem? Also if Microsoft would have made this a standard with IIS
>> > years ago then none of these Viruses would have been a problem! So, my
>> > dll shows that it was released 9/11/2001 at 4 pm. And I only found out
>> > about it today. I guess it doesn't matter about weeks.
>> >
>> > Andrew
>> >
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rolling
>> > Sent: Wednesday, September 19, 2001 7:21 PM
>> > To: [EMAIL PROTECTED]
>> > Subject: RE: [imail] Nimda Virus
>> >
>> > Well, you're wrong there.. MS released this almost 3 weeks ago..
>> >
>> > David Rolling
>> >
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ACarroll
>> > Sent: Wednesday, September 19, 2001 7:09 PM
>> > To: [EMAIL PROTECTED]
>> > Subject: RE: [imail] Nimda Virus
>> >
>> >
>> > You're right and you're wrong. If Microsoft would have released this before,
>> > this would have stopped a lot of problems with viruses. This attack by the
>> > "Nimda" is much worse to me as a bandwidth problem in that the infected
>> > machine, I had no problems with my machines yet but the other infected
>> > machine in the same class B subnet keeps sending the following
>> > (Admin.dll%20e:\Admin.dll /winnt/system32/cmd.exe?/c+dir Etc...). Well
>> > the Imail web server has to answer this inquiry with a refresh page, in
>> > my case Killerwebmail, which is a lot bigger than the IIS 404 page. Both are a
>> > problem, so this software solves this problem by sending a very small
>> > response or redirect to the attacking server.
>> >
>> > Andrew
>> >
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan
>> > Sent: Wednesday, September 19, 2001 6:37 PM
>> > To: [EMAIL PROTECTED]
>> > Subject: RE: [imail] Nimda Virus
>> >
>> > All? hehe .. all it does is do some filtering and bounds checking
>> > against requests and posts to the server, as well as filtering some of
>> > the available options. Do not mistake this as a conclusive measure against
>> > all attacks, it's only a filter. Many good admins have taken these same
>> > precautions years ago, with custom isapi filters.
>> >
>> > Jonathan
>> >
>> > At 06:04 PM 9/19/2001 -0400, you wrote:
>> >
>> > >Here is a very well kept secret from Microsoft. This will solve all
>> > >present and future virus problems without patches.
>> > >
>> > >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp
>> > >
>> > >
>> > >Andrew
>> > >
>> > >-----Original Message-----
>> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Slade
>> > >Sent: Wednesday, September 19, 2001 10:28 AM
>> > >To: [EMAIL PROTECTED]
>> > >Subject: RE: [imail] Nimda Virus
>> > >
>> > >The issue that allows the exploit was addressed by Microsoft in October
>> > >of 2000. If people would keep up on hot fixes, critical updates, and
>> > >service packs, people would minimize the issues caused by these
>> > >Trojans that use back doors in Windows that have already been fixed.
>> > >
>> > >To ENSURE that you have ALL of the hot fixes for your system installed
>> > >and applied, please visit the following URL and run the scanner. This
>> > >will work for Windows NT 4, 2000 Pro, Server, and Advanced Server.
>> > >
>> > > http://www.microsoft.com/technet/mpsa/start.asp
>> > >
>> > >Run the scanner and it will tell you what hotfixes you're missing.
>> > >
>> > >Sincerely... Slade @ Here, Inc.
>> > >
>> > >
>> > >-----Original Message-----
>> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Williamson
>> > >Sent: Wednesday, September 19, 2001 7:13 AM
>> > >To: [EMAIL PROTECTED]
>> > >Subject: RE: [imail] Nimda Virus
>> > >
>> > >
>> > >I'm running win2k advanced server with SP2 and have had no trouble.
>> > >
>> > >-----Original Message-----
>> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Webmaster Oilfield Directory
>> > >Sent: Wednesday, September 19, 2001 2:43 AM
>> > >To: [EMAIL PROTECTED]
>> > >Subject: RE: [imail] Nimda Virus
>> > >
>> > >
>> > >This is the new security roll up package from microsoft at
>> > >www.microsoft.com/ntserver/sp6asrp.asp for NT 4.0 check it out... it
>> > >also says that any win2k system and i quote them "A new worm is
>> > >affecting many customers. However, systems that are up to date on
>> > >security patches are at little risk from it." Microsoft...
>> > >
>> > >Take it for what it's worth...
>> > >
>> > >
>> > >-----Original Message-----
>> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chad Heugel
>> > >Sent: Tuesday, September 18, 2001 8:55 PM
>> > >To: [EMAIL PROTECTED]
>> > >Subject: Re: [imail] Nimda Virus
>> > >
>> > >
>> > >There was another update to NT4 they released, I believe it was July 26
>> > >or 27th of this year, that included all service releases since SP6a up
>> > >until that date and should have included the original patch that should
>> > >fix the vulnerability. It would essentially be Service pack 7 IMO, but
>> > >was not released with that designation.
>> > >
>> > >On the servers where that was installed via windowsupdate on the NT4
>> > >boxes they so far have shown no signs of infection to this point. As
>> > >have all SP2 Win2k machines. A few older NT4 boxes tho have shown these
>> > >signs, and even after cleaning, not quite sure if they have been
>> > >'cleansed' because they are still behaving strangely.
>> > >
>> > >I could be wrong, but this is only what I 'believe' to know as true. :)
>> > >
>> > >-Chh2
>> > >----- Original Message -----
>> > >From: "Charles Frolick" <[EMAIL PROTECTED]>
>> > >To: <[EMAIL PROTECTED]>
>> > >Sent: Tuesday, September 18, 2001 10:18 PM
>> > >Subject: RE: [imail] Nimda Virus
>> > >
>> > >
>> > > > Tell me about it. I still have two nt4.0, sp6a bricks. About to try
>> > > > reapplying sp6a, hope that works. Bummer is one of the boxes is my secured
>> > > > site, and I don't have a backup of the key, and key manager says
>> > > > access denied, along with a bunch of other really needed files. If it
>> > > > weren't for cmd.com and its utils I wouldn't be able to do much of
>> > > > anything. Would be nice if I still had all the dos utils, got too used
>> > > > to doing it GUI (all the floppies are probably past shelf life anyway).
>> > > >
>> > > > Chuck Frolick
>> > > > ArgoNet, Inc.
>> > > >
>> > > > -----Original Message-----
>> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rolling
>> > > > Sent: Tuesday, September 18, 2001 8:38 PM
>> > > > To: [EMAIL PROTECTED]
>> > > > Subject: RE: [imail] Nimda Virus
>> > > >
>> > > >
>> > > > great list but you forgot about me*.tmp.exe files these are the base
>> > > > files for the mep*.tmp.exe files and can be reloaded by the iexplorer
>> > > > .exe the mmc.exe and winzip32.exe,MAPI32.DLL,MPR.DLL,system.ini files
>> > > > this is the worst virus/worm I have ever seen since being online for 5+
>> > > > years..
>> > > >
>> > > >
>> > > > David Rolling
>> > > >
>> > > >
>> > > > -----Original Message-----
>> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scot Desort
>> > > > Sent: Tuesday, September 18, 2001 9:31 PM
>> > > > To: [EMAIL PROTECTED]
>> > > > Subject: Re: [imail] Nimda Virus
>> > > >
>> > > >
>> > > > I have cleaned (I think) one Win2k server. Here are the steps I followed:
>> > > >
>> > > > Here's some suggestions that I've used successfully (so far at least).
>> > > > YMMV.
>> > > >
>> > > > Be sure and check your "Guest" user account. The worm will enable it and
>> > > > also put it in the local administrators group.
>> > > >
>> > > > To fix the web pages:
>> > > > Open one of them in notepad or something and look at the last line of the
>> > > > file. You should see:
>> > > > <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
>> > > >
>> > > > I used Search & Replace from www.funduc.com to search for this string in
>> > > > all *.htm, *.html, and *.asp files and remove it.
>> > > >
>> > > > Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
>> > > > Delete them if the modified date on them is today. Also, mmc.exe. The
>> > > > good one should be in \winnt\system32 and will be a larger file size. Note
>> > > > admin.dll is a valid file for Front Page and will have a smaller file size
>> > > > and different date.
>> > > >
>> > > > Search for MEP*.TMP.EXE in the \temp directory and delete them.
>> > > >
>> > > > Look for root.exe in your web directories and remove it.
>> > > >
>> > > > Remove the drive shares on the root of your drives.
>> > > >
>> > > > Other files to look for are load.exe and a modified system.ini. I did not
>> > > > see these on NT.
>> > > >
>> > > > I also re-applied SP2 and rebooted.
>> > > >
>> > > > --
>> > > > Scot
>> > > >
>> > > >
>> > > > ----- Original Message -----
>> > > > From: "Charles Frolick" <[EMAIL PROTECTED]>
>> > > > To: <[EMAIL PROTECTED]>
>> > > > Sent: Tuesday, September 18, 2001 7:25 PM
>> > > > Subject: RE: [imail] Nimda Virus
>> > > >
>> > > >
>> > > > > Has anyone actually been able to completely remove the virus from their
>> > > > > system and return to normal? I have used several scanners, and manually
>> > > > > did everything I can find documented and still I have two servers that
>> > > > > are essentially paper weights since I cannot connect them to the network,
>> > > > > and they keep losing more and more functionality. (First lost use of
>> > > > > Explorer.exe to serial crashing, now several programs are saying access
>> > > > > denied.)
>> > > > >
>> > > > > Chuck Frolick
>> > > > > ArgoNet, Inc.
>> > > > >
>> > > > > -----Original Message-----
>> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jasmine
>> > > > > Sent: Tuesday, September 18, 2001 3:37 PM
>> > > > > To: [EMAIL PROTECTED]
>> > > > > Subject: [imail] Nimda Virus
>> > > > >
>> > > > >
>> > > > > Has anyone found a separate virus removal tool that does not rely on
>> > > > > anti-virus software yet?
>> > > > >
>> > > > > Thanks.
>> > > > > J.
>> > > > >
>> > > > >
>> > > > > ______________________________________________________________________
>> > > > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
>> > > > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
>> > > > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
>> > > > > To Manage your Subscription......... http://humankindsystems.com/lists
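
The web-page and file-name checks from Scot Desort's cleanup steps quoted above, as an added example that is not code from anyone in the thread. The injected line and the file names come from that message; the function name `scan_tree` and the `.nimda-bak` backup suffix are assumptions, and suspect files are only reported because the thread notes admin.dll and mmc.exe also exist as legitimate files.

```python
import fnmatch
import os
import re

# Injected line as quoted in the thread; whitespace is matched loosely because
# the mail archive re-wrapped it.
INJECTED = re.compile(
    rb'<html>\s*<script language="JavaScript">\s*window\.open\s*\(\s*"readme\.eml"'
    rb'\s*,\s*null\s*,\s*"resizable=no,top=6000,left=6000"\s*\)\s*</script>\s*</html>',
    re.IGNORECASE,
)
WEB_PAGES = ("*.htm", "*.html", "*.asp")
# File names the thread says to look for. They are flagged for manual review,
# never deleted: size, date and location decide whether a hit is the worm's copy.
SUSPECT_NAMES = ("*.eml", "*.nws", "admin.dll", "readme.exe", "riched20.dll",
                 "mep*.tmp.exe", "root.exe", "load.exe")


def _matches(name, patterns):
    """Case-insensitive glob match, since NTFS names are case-insensitive."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, pattern) for pattern in patterns)


def scan_tree(root, fix=False):
    """Walk root and return (pages_with_injection, suspect_files).

    suspect_files holds (path, size, mtime) tuples. With fix=True the injected
    script is stripped from each page after the original bytes are saved next
    to it as <name>.nimda-bak (assumed suffix, not from the thread).
    """
    injected, suspects = [], []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            if _matches(name, SUSPECT_NAMES):
                info = os.stat(path)
                suspects.append((path, info.st_size, info.st_mtime))
            if not _matches(name, WEB_PAGES):
                continue
            with open(path, "rb") as handle:
                data = handle.read()
            cleaned, hits = INJECTED.subn(b"", data)
            if not hits:
                continue
            injected.append(path)
            if fix:
                with open(path + ".nimda-bak", "wb") as backup:
                    backup.write(data)
                with open(path, "wb") as handle:
                    handle.write(cleaned.rstrip(b"\r\n") + b"\r\n")
    return sorted(injected), sorted(suspects)
```

Run it first with the default `fix=False` to get the report, and compare each suspect file's size and date against a known-good system before removing anything.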