I'm on a UK academic networking mailing list. This is the message from the technical people who manage this network. I've seen it wipe out two servers, leaving them unusable. You can't run .exe files, for example.

The virus infects systems running Microsoft Windows 95, 98, ME, NT, and 2000. This new worm appears to spread by multiple mechanisms:

* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
* from client to web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms

The virus can spread via email, therefore if you receive an email with an attachment called README.EXE do not open the attachment.

Hope this helps.

--- Begin Forwarded Message ---

Date: Thu, 20 Sep 2001 10:29:48 +0100
From: Andrew Cormack <[EMAIL PROTECTED]>
Subject: Nimda virus: clean-up warning and instructions
Sender: [EMAIL PROTECTED]
To: Receivers of CERT messages <[EMAIL PROTECTED]>
Reply-To: Andrew Cormack <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

-----BEGIN PGP SIGNED MESSAGE-----

We are still dealing with over a hundred sites suffering from infection by the Nimda worm. Please bear with us if our response is a little slower than usual.

Several people have asked if there is a way to remove this worm from an infected system other than doing a complete re-install. A number of web sites are now offering instructions; however, due to the very large number of changes made by the worm to an infected system, these are often complex and may not work in all circumstances.
We have also had reports from sites who have attempted to clean systems by running virus checkers: they have found that in some cases the checker may remove an infected but vital part of the operating system, resulting in a system that had to be reinstalled from scratch anyway.

If sites attempt to clean machines, rather than re-installing them, they should be sure to check for themselves that nothing has been overlooked in the instructions or by anti-virus software. If any doubt exists, or system administrators do not feel confident doing this, the machine should be reinstalled. The number of different system configurations, and the variety of virus infections, means that even instructions that work perfectly in one location will fail in another.

The recommendation from JANET-CERT and most other security teams is that infected machines should be disconnected from the network, re-installed from scratch and patched before reconnecting. The Microsoft hotfix checking tool hfnetchk (http://www.microsoft.com/technet/security/tools/hfnetchk.asp) should be used to ensure that all patches are installed on machines before they are reconnected, including desktop machines.

IIS servers should also have the Code Red II checker/cleaner run on them before they are patched, to remove the backdoors that may have allowed the infection to take place.
http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp

====

Network Associates have just released a virus removal tool, which can be downloaded from http://vil.nai.com/vil/virusSummary.asp?virus_k=99209. This removes infected files, so may well damage the system as it cleans it.

There are preliminary instructions for removing the Nimda worm from affected systems available at http://www.f-secure.com/nimda/ from F-Secure (makers of F-Prot). Again, these may cause damage to the system during the process of disinfection.
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302
E-mail: [EMAIL PROTECTED]
Fax: 01235 822 398

--- End Forwarded Message ---

--
Ian
[EMAIL PROTECTED]
Home page http://www.kcl.ac.uk/kis/support/cit//fortran/
comp-fortran-90 home page http://www.jiscmail.ac.uk/lists/comp-fortran-90.html
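Two of the spread mechanisms listed above (scanning for the IIS directory-traversal vulnerability, and for the command-shell backdoors left by Code Red II) leave a clear trace in web server logs. The following is an added detection example, not part of the mailing-list post or of any JANET-CERT tooling; the log lines are constructed, the log format is a simplified IIS-style layout assumed for the example, and the root.exe backdoor name is taken from public Code Red II documentation rather than from this message.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (client, method, uri-stem, uri-query, status); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html - 200
10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
10.0.0.9 GET /scripts/root.exe /c+dir 200
10.0.0.7 GET /images/logo.gif - 200
"""

# ".." followed by "/", "\", or a two-byte sequence with an overlong UTF-8 lead byte
# (0xC0/0xC1), which the vulnerable IIS decoder accepted as a path separator.
TRAVERSAL = re.compile(rb"\.\.(?:/|\\|[\xc0\xc1].)")
# cmd.exe via a web path, or root.exe (the cmd.exe copy Code Red II left in /scripts and /MSADC; publicly documented, assumed here)
BACKDOOR = re.compile(rb"/(?:cmd|root)\.exe$", re.IGNORECASE)

def decode_path(raw: str) -> bytes:
    """Percent-decode up to three times (so %255c -> %5c -> \\) and keep bytes so overlong sequences survive."""
    current = raw.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    return current

def classify(line: str) -> list:
    """Return the names of the detections that fire on one log line."""
    parts = line.split()
    if len(parts) < 5:
        return []
    path = decode_path(parts[2])
    hits = []
    if TRAVERSAL.search(path):
        hits.append("directory-traversal")
    if BACKDOOR.search(path):
        hits.append("cmd-or-backdoor-exec")
    return hits

def scan_log(text: str) -> dict:
    """Map each client that triggered a detection to the list of detections seen."""
    report = {}
    for line in text.splitlines():
        hits = classify(line)
        if hits:
            report.setdefault(line.split()[0], []).extend(hits)
    return report
```

A host that matches either rule is a candidate for the disconnect-and-reinstall treatment the message recommends; a 200 status on a cmd.exe or root.exe request means the server is unpatched or already carrying a backdoor.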
