RE: InoculateIT opinions

[RZorz]

Title: RE: InoculateIT opinions





As a Panda user, I can only ask 'why?'


-Original Message-
From: Lefkovics, William [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 2:46 PM
To: NT System Admin Issues
Subject: RE: InoculateIT opinions



And yet Boeing chose Panda for their huge deployment.



-Original Message-
From: David Hekimian [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 2:46 PM
To: NT System Admin Issues
Subject: Re: InoculateIT opinions



Steve,


Seriously take a look at TrendMicro's virus scan offering - OfficeScan
Corporate Edition. I've used Symantec's Norton Antivirus, CA's InoculateIT,
McAfee's VirusScan and countless others..


TrendMicro does workgroup AV right! From a centralized managemnet console
(web based) to deploy to new users, set policies on the local client (Set
whether the user can disable OfficeScan or not, etc.),  and automatic
updates of virus definitions and deployment to desktops.


Also, Look at TrendMicro's NeatSuite. It a combination of OfficeScan,
ScanMail and InterScan Viruswall for about the same price as just 1 of the
products.



- David


- Original Message -
From: "Steve Frenzl" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Friday, September 28, 2001 11:50 AM
Subject: InoculateIT opinions



>
> My company is looking for a workgroup AV and I was curious what the
> opinions were of Inoculate. From past threads, the consensus seems to be
> that Norton is better than Mcafee but I don't remember seeing Inoculate
> discussed. Any input is appreciated.
>
> Steve Frenzl
> Systems Administrator
> Farmer Automotive Group
>


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Backup - recommendation please?

[RZorz]

Title: RE: Backup - recommendation please?





Unless I got my demos crossed, I thought it could handle open files. You should be able to retrieve a deleted e-mail immediately if I'm not mistaken (I know, bad example)

-Original Message-
From: Greg Page [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 2:18 PM
To: NT System Admin Issues
Subject: RE: Backup - recommendation please?



Doesn't Live Vault backup the file only after it is closed? It appears as if
some files never get closed. But Live Vault is a solid choice.


Greg



-Original Message-
From: Dempster, Mark [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 28, 2001 12:30 PM
To: NT System Admin Issues
Subject: RE: Backup - recommendation please?



Thanks, Mark (and everyone else that replied).  I'll look into that.


Mark


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 02:47
To: NT System Admin Issues
Subject: RE: Backup - recommendation please?



Yes, LiveVault is what you are looking for.  Real time backup.
http://vs46311.server-store.com/store/page.inetstore?id=3
   


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: September 28, 2001 9:04 AM
To: NT System Admin Issues
Subject: RE: Backup - recommendation please?




Seems to me something like livevault (I think that was it) would work. 


-Original Message- 
From: Dempster, Mark [ mailto:[EMAIL PROTECTED]
 ] 
Sent: Friday, September 28, 2001 2:03 AM 
To: NT System Admin Issues 
Subject: Backup - recommendation please? 



Hi, 


I'm looking for a backup solution for a new customer.  We normally use 
unenhanced versions of Backup Exec or Arcserve, & back the system up out of 
hours.  Unfortunately this customer needs to work 24/7.  


The software my company produces uses a well-known accounting package at its


core, which stores its data in a very large number of files which are 
related to each other.  It isn't possible to use a normal 'backup open 
files' approach since if two related files are backed up - but new data has 
been added in-between - restoring them will leave the system in an 
inconsistent state. 


So, I think what's needed (if such a thing exists) is a product that will 
take a snapshot of an entire directory (inc. subdirs) and back that up - 
while leaving the system usable (a moderate slowdown is acceptable).  Does 
anyone know if there's an add-on for our normal backup tools (or even a 
completely different product) that can do what I'm asking?  If so, what's 
your experience of it? 


Thanks, 


Mark 


Mark Dempster 
Technical Consultant 
Infor:Swan Business Solutions 
Me transmitte sursum, Caledoni! 



_ 
This message has been checked for all known viruses by Star Internet 
delivered through the MessageLabs Virus Scanning Service. For further 
information visit http://www.star.net.uk/stats.asp
  or alternatively call 
Star Internet for details on the Virus Scanning Service. 


Want to unsub? Do that here: 
http://www.w2knews.com/rd/rd.cfm?id=unsub
  
Need a good FAQ? Try this one first: 
http://www.ultratech-llc.com/KB/   


Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/




Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/



_
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.


_
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.


Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Network Traffic

[RZorz]

Title: RE: Network Traffic





Our host, Sunbelt, has Netboy.  


-Original Message-
From: Carlos Garcia-Moran [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 1:57 PM
To: NT System Admin Issues
Subject: RE: Network Traffic



Well, My boss doesn't mind spending the cash (unless we talking about
20K or more, then It's paperwork HELL!) as long as I can prove the tool
has some worth. He is big into monitoring :)


-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 28, 2001 4:52 PM
To: NT System Admin Issues
Subject: RE: Network Traffic



If you're willing to spend the $$$ take a look at Packeteer PacketShaper


-Original Message-
From: Carlos Garcia-Moran [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 28, 2001 1:50 PM
To: NT System Admin Issues
Subject: Network Traffic



Heyas!


Can anyone suggest a good tool for network traffic monitoring? We have
all HP Procurve Switches and use TopTools, but it doesn't seem that good
(unless im just missing some config options). For example we wanted to
track down a user that was pegging our T @ 97% utilization (he had 15
"family guy" downloads on morpheus at the same time) and TT did not tell
us much. We finally tracked him down by using firewall logs...kind of
time consuming


Any good ideas


Cheers


Carlos Garcia-Moran
Senior Network Engineer
Athenahealth, INC
781.392.0157 Main
617.543.1701 Cell
[EMAIL PROTECTED]



Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/



Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: InoculateIT opinions

[RZorz]

Title: RE: InoculateIT opinions





I could swear Roger of Peregrine did an analysis of what was out there.  Care to share?  Sophos, for example, doesn't get much ink either. 

-Original Message-
From: Steve Frenzl [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 11:51 AM
To: NT System Admin Issues
Subject: InoculateIT opinions




My company is looking for a workgroup AV and I was curious what the
opinions were of Inoculate. From past threads, the consensus seems to be
that Norton is better than Mcafee but I don't remember seeing Inoculate
discussed. Any input is appreciated.


Steve Frenzl
Systems Administrator
Farmer Automotive Group



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Workstation Naming Standards

[RZorz]

Title: RE: Workstation Naming Standards



Our 
servers were named after Little Rascal characters, because before-my-time they 
had a contest.  At least it's easier to explain that Darla does this 
and Spanky does that.  I worked for an integrator that came up with 
these really cryptic server names based on location/function, and frankly I've 
yet to see an advantage. It only helped OUR people if we came back, which 
of course we rarely did. 
 
The 
important thing is you can find the machine for both troubleshooting and 
inventory.  

  -Original Message-From: Miley, Dan 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, September 28, 2001 7:11 
  AMTo: NT System Admin IssuesSubject: RE: Workstation 
  Naming Standards
  3 
  digit city, 1 digit OS, then machine inventory/asset tag# (this ties it back 
  to the inventory and username.)
   
  looks like we may be doing something similar with servers 
  soon.
   
  I 
  don't like the way 2000 automatically names machines 
  -.  totally useless for 
  finding machines.
   
  I 
  did work at one site where they named their servers after star trek 
  characters.   it sounded funny when they said "Spock crashed again", 
  " Can you reboot Spock".
   
  Dan
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Thursday, September 27, 
2001 2:06 PMTo: NT System Admin IssuesSubject: RE: 
Workstation Naming Standards
I use the user name, but I've got a small 50 person 
installation. I change the name if the person changes.  It simplifies 
figuring out who's having a problem, because I know everyone. Tougher in a 
large organization. 
I sure as heck wouldn't agonize over it. You want to be able 
to browse a list to pinpoint who's having a problem. And if necessary tie 
that back to some inventory/allocation information.  Serial Number 
would probably work if you have a good inventory system.   

-Original Message- From: 
David James [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 10:11 AM 
To: NT System Admin Issues Subject: 
RE: Workstation Naming Standards 
I don't use user names.  What happens when that 
employee quits? You have to rename their machine as 
part of setting up a new user? I would use 
City_Dept_JobFunction then add a number for multiple job functions. DJ 
-Original Message- From: 
Osama S. [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 12:05 PM 
To: NT System Admin Issues Subject: 
Workstation Naming Standards 
hi, 
we will be deploying Win2K from scratch on the user's 
machines (around 700) replacing NT 4. SO I was 
reviewing our machine naming convention. 
Our Offices are located in two cities, one single 
domain. So far we would use something like 
"CityName-Department-User Real Name" (where city 
name and department are abbrevations) to name workstations. 
Usually the NT Names are the users Company ID, which is 
unique. 
I was wondering how you guys/girls are naming your 
workstations and users. 
regards 
Uso 
Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub 
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/ 

Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub 
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/ 
Want to unsub? Do that 
here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
this one first:http://www.ultratech-llc.com/KB/Want to 
  unsub? Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a 
  good FAQ? Try this one first:http://www.ultratech-llc.com/KB/
  This e-mail may be privileged and/or confidential, 
  and the sender does not waive any related rights and obligations. Any 
  distribution, use or copying of this e-mail or the information it contains by 
  other than an intended recipient is unauthorized. If you received this e-mail 
  in error, please advise me (by return e-mail or otherwise) immediately. 
  
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Intermittent Network logon problem

[RZorz]

Title: RE: Intermittent Network logon problem





Never used setprfdc.  Does it tell you that it connected to the DC that you think it should connect to?  


Somebody posted a way to see what DC your authenticated against. 


-Original Message-
From: Troy Rambo /278 Systems Specialist [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 6:26 AM
To: NT System Admin Issues
Subject: Intermittent Network logon problem



One of our BDC's (our DNS server) on our NT4 network went down two weeks ago
and was unrecoverable, so we had to rebuild it from scratch.  Ever since
then we have had an erratic logon problems throughout our network.  Yes we
are running DHCP.  It's all one subnet and each different building has it's
own BDC that the users are pointed to using setprfdc to use as their
preferred domain controller.


When logging on, my users will occasionally not get their logon script to
run even though they are logged into the network.  Upon reboot and relogging
in, it then it maps fine.  It's never on the same machine twice, and it's in
every corner of our network across three linked building across two city
blocks.


Sometimes it takes turning the machine off for a couple of minutes before
rebooting in order for it to connect to the BDC to run their script.


I'm running out of ideas here.  Does anyone have any ideas how I can
troubleshoot this?  I'm going nuts running all over the place, trying to
figure this one out.


Your ideas are greatly appreciated.


Thanks


Troy


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: List or BBS

[RZorz]

I 
don't get it. If you don't like the e-mail, then say NO MAIL and read/respond 
to the postings thru the website.  Or get the digest. 


  -Original Message-From: Chris Shattock 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, September 28, 2001 1:06 
  AMTo: NT System Admin IssuesSubject: List or 
  BBS
  These lists are a PITA - but not worth giving up. 
  Have you (Sunbelt) or this forums' correspondents considered using a Bulletin 
  Board System - such as that by Infopop - Ultimate BBS.
   
  A couple of years ago in the (Y)UK The 
  Professional Contractors Group (anti-IR35) set their 'forums' up this way - 
  and it ran far better than a list - I believe it's still going - but a lot of 
  others use Ultimate BBS - check from http://www.infopop.com/ 
   
  I am not a reseller etc. - but it is a real pain 
  dealing with a list when all you can get a 64K ISDN BRI in some 'third-world' 
  country with a crap telecomm. system and you need that link for remote 
  sysadmin/support/development. A BBS would enable me to use my connection more 
  efficiently - and may ease your (Sunbelt) admin. issues.
   
  Chris ShattockWant to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Backup - recommendation please?

[RZorz]

Title: RE: Backup - recommendation please?





Seems to me something like livevault (I think that was it) would work. 


-Original Message-
From: Dempster, Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 2:03 AM
To: NT System Admin Issues
Subject: Backup - recommendation please?



Hi,


I'm looking for a backup solution for a new customer.  We normally use
unenhanced versions of Backup Exec or Arcserve, & back the system up out of
hours.  Unfortunately this customer needs to work 24/7.  


The software my company produces uses a well-known accounting package at its
core, which stores its data in a very large number of files which are
related to each other.  It isn't possible to use a normal 'backup open
files' approach since if two related files are backed up - but new data has
been added in-between - restoring them will leave the system in an
inconsistent state.


So, I think what's needed (if such a thing exists) is a product that will
take a snapshot of an entire directory (inc. subdirs) and back that up -
while leaving the system usable (a moderate slowdown is acceptable).  Does
anyone know if there's an add-on for our normal backup tools (or even a
completely different product) that can do what I'm asking?  If so, what's
your experience of it?


Thanks,


Mark


Mark Dempster
Technical Consultant
Infor:Swan Business Solutions
Me transmitte sursum, Caledoni!



_
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Exchange/Outlook Alternatives

[RZorz]

Title: RE: Exchange/Outlook Alternatives





Aren't there a couple ASP-type companies out there providing this kind of service? I think some are even using Exchange. 

-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 5:08 PM
To: NT System Admin Issues
Subject: RE: Exchange/Outlook Alternatives



Mark -


We're in the same boat. Regardless of how many times I ask the same
question, I get the same answer - nothing compares to Exchange. As servers
are cheap in the overall scheme of things - if the company can not afford to
do Exchange, I still rely on ISP mail. In between the ISP and the office, I
use a software product called Software 602 which handles the pull portion.
In addition, I looked at the email from Deerfield but am REALLY pissed at
them and will not resell or purchase any of their products anymore.


Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
    301-610-9584 voice
    240-465-0323 Efax


-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 7:56 PM
To: NT System Admin Issues
Subject: Exchange/Outlook Alternatives


I'm constantly asked for recommendations on VIABLE alternatives to the
MS Outlook/Exchange groupware system. Let's face it: Exchange is
expensive, and does a lot of things that most of my SMB customers will
never need. I've seen a few different products, but have yet to find one
that integrates and works as well as Outlook with an Exchange server.


Do you guys have any ideas on substitutes. The main core features that
most SMB's use would be the scheduling/calendaring , POP/IMAP email, and
address book. It'd be nice to have the whole lot integrated, but
seperate products with a good UI would do. The email and address book
clients are easy enough to find, but what about calendaring? Something
with the ability to both share an office calendar, and have seperate
(but viewable) calendars for each worker. Editor priveleges for a
secretary on specific calendars would be a plus, as well. To complicate
it a bit further, how about something that would work on a peer-to-peer
network (< 10 PC's) with no dedicated server? Any thoughts?


Yí¶‹Z鏶zm
6岒w&ᮚ'{lמu(@A:牤w-i⁦0⁵m歫^req&楨


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Files keep disappearing from the winnt dir

[RZorz]

Title: Message



Find 
an undelete program and see if they show up. 

  -Original Message-From: Greg Page 
  [mailto:[EMAIL PROTECTED]]Sent: Thursday, September 27, 2001 4:33 
  PMTo: NT System Admin IssuesSubject: RE: Files keep 
  disappearing from the winnt dir
  Gremlins are doing it. 
   
  We 
  used to occasionally lose WINS entries every once in awhile and no one could 
  connect to the server. That was with NT 4.0. With 2000, I haven't had any 
  issues like that.
   
   
  Greg
  

-Original Message-From: John Cesta - 
Lists [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 27, 
2001 3:10 PMTo: NT System Admin IssuesSubject: RE: 
Files keep disappearing from the winnt dir
Nothing in the event logs. I thinik I will turn on auditing. Today 
the files were gone in a matter or 1 hour after I copied them in the 
directory.
 
John

  -Original Message-From: Ian Kelly 
  [mailto:[EMAIL PROTECTED]]Sent: Thursday, September 27, 2001 
  2:59 PMTo: NT System Admin IssuesSubject: RE: Files 
  keep disappearing from the winnt dir
  
  Anything in the 
  event logs? Is auditing turned on?
   
  
  Ian-[EMAIL PROTECTED]-To 
  assume makes an ass out of YOU. Leave ME out of this. 
  
  -Original 
  Message-From: John 
  Cesta - Lists [mailto:[EMAIL PROTECTED]] Sent: September 28, 2001 13:40 
  PMTo: NT System Admin 
  IssuesSubject: RE: Files 
  keep disappearing from the winnt dir
   
  
   
  
   
  
  I 
  just ran an AV on the server. No virus.
  
   
  
  John
  
-Original 
Message-From: John 
Cesta - Lists [mailto:[EMAIL PROTECTED]]Sent: Friday, September 28, 2001 
1:12 PMTo: NT System 
Admin IssuesSubject: 
RE: Files keep disappearing from the winnt 
dir

 

AT 
service isn't running. No hands ever touch that server, it's in a locked 
cabinet only accessible by me, my access code, palm print and 
badge..

 

John

  -Original 
  Message-From: 
  Brian Steele [mailto:[EMAIL PROTECTED]]Sent: Thursday, September 27, 
  2001 12:44 PMTo: NT 
  System Admin IssuesSubject: Re: Files keep 
  disappearing from the winnt dir
  
  WAG: Is 
  the Task Scheduler running?  Check to see if anyone's set 
  anything nasty to run.
  
   
  
  Brian
  
   
  

- 
Original Message - 

From: 
John 
Cesta - Lists 

To: 
NT System Admin 
Issues 

Sent: 
Friday, September 28, 2001 11:07 
AM

Subject: 
Files keep disappearing from the winnt 
dir

 

 

I am having 
a sort of weird problem on one of my NT4.0 SP6a servers. A while 
back I had to clean the server - chkdsk - seemed to work 
ok.

 

After that 
this problem keeps occurring. One day I noticed that the files - 
not any directories just files -  in the c:\winnt 
directory were gone except for two of them. I copied the files from 
another identical NT box in to this server's winnt directory. A day 
or so later they were gone again. I copied them into the dir again, 
a day later they are gone. I KNOW that the server does not have any 
viruses. I can only figure that the server may have a corrupt file 
system and needs to be cleaned once more. 


 

Any 
suggestions?

 

John 
Cesta
  Want to 
  unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? 
  Try this one 
  first:http://www.ultratech-llc.com/KB/
Want to 
unsub? Do that 
here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? 
Try this one 
first:http://www.ultratech-llc.com/KB/
  Want to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one 
  first:http://www.ultratech-llc.com/KB/Want 
  to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one first:http://www.ultratech-llc.com/KB/Want to 
unsub? Do that here:http://

RE: Network printing

[RZorz]

Title: RE: Network printing





I've only got 50 users, so I did it the old fashioned way by visiting each desktop.  I avoided scripts as much as possible. 

-Original Message-
From: Langevin, Rene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 1:54 PM
To: NT System Admin Issues
Subject: Network printing



Hi all,


    I got a bunch of printers (HP LaserJet 5SI, HP 4000TN, HP 4, Lex
Optra S, Lex Optra T and Lex Optra E) and they are networked.  My print
server is a NT 4.0 Sp6a and my workstation are W98, WinNT WS 4 Sp6a and
Win2k Pro Sp2.


    I would like to know what do you do to assign a printer to a user?


    Do you map it in the login script depending if they are member of a
group, or you let the user map the printer?


    Because for now, with POLEDIT, my users aren't able to map their
printer, I must do it.


    Since I have printers with or without duplex unit, mailbox,
stampler, etc... I don't know how I can manager to dynamically assign a
printer to a user (or computer)


René


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: ArcServeIT vs. Backup Exec

[RZorz]

Title: RE: ArcServeIT vs. Backup Exec





Don't forget to check out UltraBac too.  


-Original Message-
From: Stephen Moreau [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 12:02 PM
To: NT System Admin Issues
Subject: Re: ArcServeIT vs. Backup Exec



Dan,


I have no experience with Veritas but I'm thinking of switching to it.


I've been using Arcservit for some time and I have to agree that their
support really *stinks*. I'm currently using Arcserveit 2000 and was
having a ton of trouble with it.  I finally spent 2 hours on the phone
being bumped around until someone with a *little* knowledge showed up.


Basically, if you install Arcservit 2000 make darn sure you install the
latest and greatest patches starting with SP2.


Some of my experiences were:


1. Full backups not happening and the temp directory becoming full.
2. Could not read the status or details of a tape without first using the
inventory feature.
3. Very slow to back up Snap Servers.
4. Database getting corrupt.


Since I applied SP2 and all the latest patches everything seems to be fine
with the exception of one continuous problem:


If I make a modification to a backup schedule then SAVE it then use the
little -x- in the top right corner to close it the program freezes and I
have to use task manager to kill it.  I refuse to call their tech
supportless group anymore.




Good luck!


Stephen


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Workstation Naming Standards

[RZorz]

Title: RE: Workstation Naming Standards





I use the user name, but I've got a small 50 person installation. I change the name if the person changes.  It simplifies figuring out who's having a problem, because I know everyone. Tougher in a large organization. 

I sure as heck wouldn't agonize over it. You want to be able to browse a list to pinpoint who's having a problem. And if necessary tie that back to some inventory/allocation information.  Serial Number would probably work if you have a good inventory system.   

-Original Message-
From: David James [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 10:11 AM
To: NT System Admin Issues
Subject: RE: Workstation Naming Standards



I don't use user names.  What happens when that employee quits?
You have to rename their machine as part of setting up a new user?
I would use City_Dept_JobFunction then add a number for multiple job
functions.
DJ


-Original Message-
From: Osama S. [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 12:05 PM
To: NT System Admin Issues
Subject: Workstation Naming Standards



hi,


we will be deploying Win2K from scratch on the user's machines (around
700) replacing NT 4. SO I was reviewing our machine naming convention.


Our Offices are located in two cities, one single domain.
So far we would use something like "CityName-Department-User Real Name" 
(where city name and department are abbrevations) to name workstations. 


Usually the NT Names are the users Company ID, which is unique.


I was wondering how you guys/girls are naming your workstations and users.


regards


Uso


Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Testing 1, 2, 3 - Ignore

[RZorz]

Title: RE: Testing 1, 2, 3 - Ignore





Exactly my goal in life. Make more money and hire you guys to make it work 


-Original Message-
From: Dave Gushi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 5:56 PM
To: NT System Admin Issues
Subject: RE: Testing 1, 2, 3 - Ignore



This is very funny stuff. It seams the more money some managers make the
less they know.  I have a VP that thinks the closer he is to the server the
better data response he's going to get. 


Dave Gushi



God Bless America!





-Original Message-
From: Bill Higgins [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 26, 2001 7:50 PM
To: NT System Admin Issues
Subject: RE: Testing 1, 2, 3 - Ignore


almost as bad as a mangaler (manager) that I had that constantly told people
that we had an AtherNet (can you say "ethernet") network running Novel
(as in book) Server.


I didn't have the heart to tell him that we were actually broken ring...



Two more sleeps til Vegas (1)


(1) Hi William


-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 17:45
To: NT System Admin Issues
Subject: RE: Testing 1, 2, 3 - Ignore



Did you hear the wind?


I had a "tech" manager years ago that referred to all networks as LAND's and
portables as Labtops. Thought the joke would transfer.


Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
    301-610-9584 voice
    240-465-0323 Efax


-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 8:43 PM
To: NT System Admin Issues
Subject: RE: Testing 1, 2, 3 - Ignore


No, but he may be trying to setup that LAN


-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 5:41 PM
To: NT System Admin Issues
Subject: RE: Testing 1, 2, 3 - Ignore



Uh huh, trying to set up that LAND aren't you?


Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
    301-610-9584 voice
    240-465-0323 Efax


-Original Message-
From: Sean Martin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 8:38 PM
To: NT System Admin Issues
Subject: Testing 1, 2, 3 - Ignore



Regards,


Sean Martin, MCSE
Network Administrator
Ribelin Lowell & Company
Insurance Brokers, Inc.
3111 C Street, Suite 300
Anchorage, Alaska 99503
Ph: (907) 561-1250
Fax: (907) 561-4315
Cell: (907) 229-0885
Email: [EMAIL PROTECTED]

DO NOT read, copy or disseminate this communication unless you are the
intended addressee. This e-mail communication contains confidential
and/or privileged information intended only for the addressee. If you
have received this communication in error, please call us immediately at
(907) 561-1250 and ask to speak to the sender of the communication.
Also, please e-mail the sender and notify the sender immediately that
you have received the communication in error.


Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/


Want to unsub? Do that here: http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first: http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Another F(*&^ virus!

[RZorz]

Title: Another F(*&^ virus!



thanks. Still don't see a virus-specific newsletter with alerts like 
other vendors seem to have.  And they were way, way behind in getting the 
Nimda and Vote defs out the door. 

  -Original Message-From: Lagerstrom, Lanette 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
  4:44 PMTo: NT System Admin IssuesSubject: RE: Another 
  F(*&^ virus!
  
  Just FYI --
  * VIRUS CENTER
  Panda Software and the Windows 2000 Magazine Network have 
  teamed to 
  bring you the Center for Virus Control. Visit the site often 
  to remain 
  informed about the latest threats to your system 
  security.
  http://www.secadministrator.com/panda
  Lanette 
  Lagerstrom
  Northrop 
  Grumman
  Information 
  Technology
  Internal Information 
  Services
  Network 
  Administrator
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 25, 
2001 6:51 AMTo: NT System Admin IssuesSubject: RE: 
Another F(*&^ virus!
Actually one of my users sent that to me. I use Panda, which of 
course once again seems to be the last to know.

  -Original Message-From: Danny Iaconetti 
  [mailto:[EMAIL PROTECTED]]Sent: Monday, 
  September 24, 2001 4:03 PMTo: NT System Admin 
  IssuesSubject: RE: Another F(*&^ 
virus!
  According to SARC, updating your definitions will detect this worm. 
  Although, the latest update I get is dated Sep. 20. What's the 
  scoop?
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Monday, September 
24, 2001 4:37 PMTo: NT System Admin IssuesSubject: 
Another F(*&^ virus!
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe Size of attachment: 55808 Bytes 
Symantec Security Response http://securityresponse.symantec.com 
  W32.Vote.A@mm Discovered on: September 
24, 2001 Last Updated on: September 24, 2001 at 
09:56:27 AM PDT 
W32.Vote.A@mm is a mass-mailing worm that is written in 
Visual Basic. When executed, it will email itself out to all email 
addresses in the Microsoft Outlook address book. The worm will insert 
two .vbs files on the system, and it will also attempt to delete files 
from several antivirus products. 
Type: Worm 
Infection Length: 55,808 Bytes 
Virus Definitions: September 24, 2001 
Threat Assessment: 
   Wild: 
Low  Damage: High  Distribution: High  
  
Wild: 
Number of infections: 0 - 49 Number of sites: 3 - 9 Geographical 
distribution: Medium Threat containment: 
Moderate Removal: Moderate Damage: 
Payload: Large scale e-mailing: 
Emails everyone in the Microsoft Outlook addressbook Deletes files: After reboot, the worm attempts to delete all 
files in the Windows folder Modifies files: All 
files with the extension "htm" or "html" will be overwritten. 
Compromises security settings: If the 
Backdoor.Trojan was successfully downloaded and installed, anyone could 
gain full access to the computer. 
Distribution: 
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe Size of attachment: 55808 Bytes 
Technical description: 
W32.Vote.A@mm is a mass-mailing worm written in the 
Visual Basic language. It requires the file Msvbvm50.dll to 
execute.
When executed, the worm will attempt to email itself to 
all contacts in the Microsoft Outlook address book. The email will 
appear as follows.
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM! 

Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace! 
Attachment: WTC.EXE 
Next, the worm will insert two .vbs files on the 
system: 
\\ZaCker.vbs \\MixDaLaL.vbs 
In addition, the worm will attempt to download and 
execute a file. This file is detected as Backdoor.Trojan by Norton 
Antivirus.
Finally, the worm will attempt to delete all files from 
several folders. These folders appear to be the default installation 
folders for several antivirus products. For Norton AntiVirus, this worm 
will only attempt to delete the files if Norton Antivirus is located in 
C:\Program Files\Norton AntiVirus.
What the dropped files do 
MixDaLaL.vbs MixDaLaL.vbs is a 
Visual Basic Script file that is inserted in the \Windows\System folder. 
This file is executed by the worm. As the file is executed, it will look 
through all folders on all fixed drives and network drives for files 
with the extensions .htm or .html. If such a files are found, they are 
overwritten with the 

RE: Backup Slow

[RZorz]

Title: Backup Slow



I do, 
but I have time, and I'm not 24/7. 

  -Original Message-From: Keith Johnson 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
  12:06 PMTo: NT System Admin IssuesSubject: RE: Backup 
  Slow
  Should we not verify???
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 
26, 2001 12:04 PMTo: NT System Admin IssuesSubject: 
RE: Backup Slow
Read the logs and compare it to an old log.  


  -Original Message-From: William Smith 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
  8:26 AMTo: NT System Admin IssuesSubject: RE: Backup 
  Slow
  Check under the job--> Advanced 
  tab
   
  Make sure "Verify after backup completes" isn't 
  checked. That would definitely double the time.
   
  W
  -Original Message-From: Dominick Romano 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 
  2001 11:32 AMTo: NT System Admin IssuesSubject: 
  Backup Slow
  Hello, we backup our servers with a Dell DLT 
  7000 7 Slot Tape Drive, using Veritas Backup Exec. Ver. 8. For some 
  strange reason it is taking double the amount of time to backup than it 
  used to. Does anyone have any ideas? Thanks.
  Dominick 
  Romano Junior NT 
  Administrator Kravet 
  Fabrics, Inc. Tel:  516-293-2000 Ext: 637 Fax: 516-293-2158  
  Want to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one first:http://www.ultratech-llc.com/KB/Want to unsub? Do 
  that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good 
  FAQ? Try this one 
first:http://www.ultratech-llc.com/KB/Want to unsub? Do 
that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? 
Try this one first:http://www.ultratech-llc.com/KB/Want 
  to unsub? Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a 
  good FAQ? Try this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Create a Registry File

[RZorz]

Title: RE: Create a Registry File





http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20047 may help


-Original Message-
From: Khurram Chaudhary [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 2:07 PM
To: NT System Admin Issues
Subject: Create a Registry File



Does anyone know how to create a registry file that will modify certain
keys and values?


Khurram Chaudhary
Astley-Gilbert Reproductions
[EMAIL PROTECTED]


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: satellite connection

[RZorz]

Oops. 
Not Verizon, I was thinking of Sprint. 

  -Original Message-From: Ray Zorz Sent: 
  Wednesday, September 26, 2001 11:36 AMTo: NT System Admin 
  IssuesSubject: RE: satellite connection
  Here's some info, albeit dated: http://www.e-businessworld.com/english/crd_satellite_454142.html   
  I thought Verizon had something too. 
  
-Original Message-From: Joe L. Casale 
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
11:20 AMTo: NT System Admin IssuesSubject: RE: 
satellite connection

msn has one, but they 
make you buy it through radio shack, and right now, only w/ a new 
Compaq.
Jlc
 
Ps. There is a service in NYC as my friend has one, he states 
it gives about 6mb down! But only 33.6 kb up.
 
-Original 
Message-From: Matt 
Moore [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 26, 2001 
11:41 AMTo: NT System 
Admin IssuesSubject: 
satellite connection
 

anyone have any exp with 
satellite internet conn.  I keep hearing MS has a service but haven't 
been able to find any info.

Matt MooreMCSE, MCP+I, NCSS, 
HP
Want to unsub? Do that 
here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
this one 
first:http://www.ultratech-llc.com/KB/Want 
to unsub? Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed 
a good FAQ? Try this one 
  first:http://www.ultratech-llc.com/KB/Want to unsub? Do 
  that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? 
  Try this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: satellite connection

[RZorz]

Here's 
some info, albeit dated: http://www.e-businessworld.com/english/crd_satellite_454142.html   
I thought Verizon had something too. 

  -Original Message-From: Joe L. Casale 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 11:20 
  AMTo: NT System Admin IssuesSubject: RE: satellite 
  connection
  
  msn has one, but they 
  make you buy it through radio shack, and right now, only w/ a new 
  Compaq.
  Jlc
   
  Ps. There is a service in NYC as my friend has one, he states 
  it gives about 6mb down! But only 33.6 kb up.
   
  -Original 
  Message-From: Matt Moore 
  [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 26, 2001 11:41 
  AMTo: NT System Admin 
  IssuesSubject: satellite 
  connection
   
  
  anyone have any exp with satellite 
  internet conn.  I keep hearing MS has a service but haven't been able to 
  find any info.
  
  Matt MooreMCSE, MCP+I, NCSS, 
  HP
  Want to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one 
  first:http://www.ultratech-llc.com/KB/Want 
  to unsub? Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a 
  good FAQ? Try this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Backup Slow

[RZorz]

Title: Backup Slow



Read 
the logs and compare it to an old log.  

  -Original Message-From: William Smith 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 8:26 
  AMTo: NT System Admin IssuesSubject: RE: Backup 
  Slow
  Check under the job--> Advanced 
  tab
   
  Make 
  sure "Verify after backup completes" isn't checked. That would definitely 
  double the time.
   
  W
  -Original Message-From: Dominick Romano 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
  11:32 AMTo: NT System Admin IssuesSubject: Backup 
  Slow
  Hello, we backup our servers with a Dell DLT 7000 7 
  Slot Tape Drive, using Veritas Backup Exec. Ver. 8. For some strange reason it 
  is taking double the amount of time to backup than it used to. Does anyone 
  have any ideas? Thanks.
  Dominick 
  Romano Junior NT 
  Administrator Kravet 
  Fabrics, Inc. Tel:  
  516-293-2000 Ext: 637 Fax: 
  516-293-2158  
  Want to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one first:http://www.ultratech-llc.com/KB/Want to unsub? Do that 
  here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
  this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Win2k Cluster and Mac Shares

[RZorz]

Title: RE: Win2k Cluster and Mac Shares





http://www.thursby.com/products/dave.html


-Original Message-
From: Matt Moore [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 8:36 AM
To: NT System Admin Issues
Subject: Re: Win2k Cluster and Mac Shares



can't remember the mfg. but there is a software named "dave" that allows
macs to browse nt domains like a pc, sort of.  it's worked good for me. no
special mac crap on the network. just on the local mac.
Matt Moore
MCSE, MCP+I, NCSS, HP
- Original Message -
From: "Joseph" <[EMAIL PROTECTED]>
Newsgroups: ntsysadmin
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 7:49 AM
Subject: Win2k Cluster and Mac Shares



> Any one know if mac shares will work within the cluster?  When you create
> them at the share management level you have the option for the macintosh
> name, but when you add a file share resource to the cluster you do not get
> this.
>
> Haven't tested it yet.  Was hoping to get some feedback first.
>
> Thanks
>
>
>
> Want to unsub? Do that here:
> http://www.w2knews.com/rd/rd.cfm?id=unsub
> Need a good FAQ? Try this one first:
> http://www.ultratech-llc.com/KB/
>
>


Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/



Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Monitoring email

[RZorz]

There's tools like ISSCAN that will help find e-mails, but there's no 
content filtering in Exchange. 

  -Original Message-From: Neil Harvey 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 26, 2001 
  7:13 AMTo: NT System Admin IssuesSubject: Monitoring 
  email
  Does anyone know if exchange 5.5 sp4 has the 
  ability to scan and monitor emails for certain content.  If I can help it 
  I don't want to have to buy a third party product.
   
  Neil HarveyMCP, MCP+I, MCSE, CNAIT 
  Manageremw lawDDI: +44 (0)1604 666425Want to unsub? 
  Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? 
  Try this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: OT: MS Project 98

[RZorz]

http://www.mvps.org/project/faqs.htm  - 16. Project 
Viewer
Microsoft has not 
provided a viewer for Project. However, it is designed with the Web in mind, 
which allows anyone with an Internet Browser or email facilities to view 
details. For a picture, try clicking the copy picture button (little camera on 
the standard toolbar). There you have the option of creating a GIF file which 
can be used with the Save As... HTML format or directly attached to an 
email.    Save As HTML... > give a file name and Save > 
select an Export Map (or New Map) > Edit > Options tab check "Include 
image file in HTML page" > insert path and name of GIF image.  
[Project 2000 has Project 
Central which can display project information including graphical 
pages.]

  -Original Message-From: Sawatzke, Jeff 
  [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 25, 
  2001 11:10 AMTo: NT System Admin IssuesSubject: RE: OT: 
  MS Project 98
  They 
  could publish them as HTML files.
  
-Original Message-From: Robert Toland 
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 25, 2001 9:15 
AMTo: NT System Admin IssuesSubject: Re: OT: MS 
Project 98No, but if you come across one I'd be 
interested. 
"Jolley Lee @Consult" wrote: 
Dear All, 
  Sorry for the off topic question but I have hit a dead end. 
  Our users are receiving MS Project 98 files from clients but we use a 
  different package for project management. Does anybody know of a 
  viewer for MS project files? 
  Thankyou 
  Lee Jolley 
  ** 
  This email transmission is confidential and intended for the 
  addressee only. It may contain privileged and confidential 
  information. If you are not the person or organisation to whom it 
  is addressed, you must not copy, distribute, or take any action in 
  reliance upon it. If you have received this message in error, please 
  notify the [EMAIL PROTECTED] and return it. 
  Carillion PLC Registered in England No. 3782379 Registered Office: 
  Birch Street Wolverhampton WV1 4HY 
  ** 

  _ 
  This message has been checked for all known viruses by Star Internet 
  delivered through the MessageLabs Virus Scanning Service. For further 
  information visit http://www.star.net.uk/stats.asp 
  or alternatively call Star Internet for details on the Virus Scanning 
  Service. 
  Want to unsub? Do that here: http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=englishWant 
to unsub? Do that 
here:http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=englishWant 
  to unsub? Do that 
  here:http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english

RE: Another F(*&^ virus! (OT)

[RZorz]

Title: RE: Another F(*&^ virus! (OT)





I finally got it to autoupdate for Exchange. But as I said earlier, I'm still not sure if they have Vote in their defs, their website doesn't get updated quick enough and they don't send alerts. 

-Original Message-
From: Hasan Dervish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:19 AM
To: NT System Admin Issues
Subject: Re: Another F(*&^ virus! (OT)



I use panda on BackOffice and BackOffice SBS
the only problem I have seen its inability to fully autoupdate in sbs, and
autoupdate exchange server in BackOffice.
- Original Message -
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)



> dump it, I have never seen it work correctly.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
>
>
> A little off the topic here, but how do you find Panda?  We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked
correctly
> since!  Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there!  I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
>
>
>
> RZorz@ScottsdaleC
>
> hamber.com  To: "NT System Admin
Issues"
>
>
> <[EMAIL PROTECTED]>
> 25/09/2001 13:51    cc:
>
> Please respond to   Subject: RE: Another F(*&^
> virus!
> "NT System Admin
>
> Issues"
>
>
>
>
>
>
>
>
>
> Actually one of my users sent that to me. I use Panda, which of course
once
> again seems to be the last to know.
>  -Original Message-
>  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
>  Sent: Monday, September 24, 2001 4:03 PM
>  To: NT System Admin Issues
>  Subject: RE: Another F(*&^ virus!
>
>  According to SARC, updating your definitions will detect this worm.
>  Although, the latest update I get is dated Sep. 20. What's the scoop?
>   -Original Message-
>   From: [EMAIL PROTECTED]
>   [mailto:[EMAIL PROTECTED]]
>   Sent: Monday, September 24, 2001 4:37 PM
>   To: NT System Admin Issues
>   Subject: Another F(*&^ virus!
>
>
>
>
>   Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>   Name of attachment: WTC.exe
>   Size of attachment: 55808 Bytes
>
>
>   Symantec Security Response
>   http://securityresponse.symantec.com
>
>   W32.Vote.A@mm
>   Discovered on: September 24, 2001
>   Last Updated on: September 24, 2001 at 09:56:27 AM PDT
>
>
>   W32.Vote.A@mm is a mass-mailing worm that is written in Visual
>   Basic. When executed, it will email itself out to all email
>   addresses in the Microsoft Outlook address book. The worm will
>   insert two .vbs files on the system, and it will also attempt to
>   delete files from several antivirus products.
>
>
>   Type: Worm
>
>
>   Infection Length: 55,808 Bytes
>
>
>   Virus Definitions: September 24, 2001
>
>
>   Threat Assessment:
>
>
>
>   Wild:
>   Low  Damage:
>   High  Distribution:
>   High
>
>
>
>   Wild:
>
>
>   Number of infections: 0 - 49
>   Number of sites: 3 - 9
>   Geographical distribution: Medium
>   Threat containment: Moderate
>   Removal: Moderate
>   Damage:
>
>
>   Payload:
>   Large scale e-mailing: Emails everyone in the Microsoft Outlook
>   addressbook
>   Deletes files: After reboot, the worm attempts to delete all
>   files in the Windows folder
>   Modifies files: All files with the extension "htm" or "html"
will
>   be overwritten.
>   Compromises security settings: If the Backdoor.Trojan was
>   successfully downloaded 

RE: Internal training

[RZorz]

Title: RE: Internal training





I agree there. I'm never going to be a MSOffice expert, nor learn all the additional apps.  My job is to make sure when they logon they can do get to their apps. I don't jump in normally unless there's an error. 

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 7:09 AM
To: NT System Admin Issues
Subject: RE: Internal training



Custom apps are trained by the people who write them.
As for the rest, I leave that up to the group that bought the program.
If it is a financial app, it is up to the finance group to train its
users.


PERSONALLY, I don't really believe it is IT's job to teach people to use
programs. We are here to help with the technical issues, but not
necessarily user training. If a user is stuck on a certain thing, I will
do what I can to help, but I cant learn every program out there just to
hold someone's hand.


-Original Message-
From: John Brozycki [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 6:23 AM
To: NT System Admin Issues
Subject: OT: Internal training



Sorry for the Off-Topic, but I think it has some relevance to what many
of 
us do.


How do you handle internal employee training, especially for custom 
developed apps or non-mainstream software where you can't easily buy a 
book, video, or CBT?


Does anyone develop their own training?  Do you administer it by way of
a 
classroom environment, custom made or purchased Computer Based Training,


combination of the two, or something different?  Is this work done 
internally or contracted out?


If you do develop your own training materials what development tools do
you 
use (ie: a tool like Macromedia Authorware or Visual Basic) and how do
you 
deliver it (ie: CD-ROM, Intranet, classroom.)  Are there any pitfalls 
you've stumbled upon in developing your own training materials (ie:
cost, 
time, continuity between authors?)  Do you include basic Windows
literacy, 
computer security, and/or company policies in this training?


Thanks for any information.


Regards,
John Brozycki


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text
_mode=0&lang=english



Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english



Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english

RE: Get Me Off the List, Please

[RZorz]

Title: RE: Get Me Off the List, Please





tough


-Original Message-
From: Murray Freeman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 8:56 AM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



You're correct sir,...but there is much too much "noise" on this list
nonetheless. I can't tell you how many postings I deleted about the WTC
disaster that had absolutely nothing to do with NTSYSADMIN. It can be very
frustrating but there is good info to be gleaned from this list. I've
contributed and I've been helped, but there's still too much "noise".


Murray


-Original Message-
From: Dewar Charles R [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 10:46 AM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



Name one.


-Original Message-
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:52 AM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



Looks like those of us who want off the list will have to set up an
auto-delete rule. This list is so full of noise, its not worth it. There are
much more professional, and useful, lists out there.






-Original Message-
From: Darril Gibson [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 5:28 PM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



Me too.  It was advertised as a no noise list.  Not so.  In just a couple of
hours, I have over 100 emails.  I tried to get off, but the scripts on the
web page don't allow it.


Darril R. Gibson ([EMAIL PROTECTED])
Director of Continuing Education
MCT, MCSE, MCDBA, MCSD
America's Computer Training Source
340-, Cell 328-9299



-Original Message-
From: Lucia, Steve [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 5:23 PM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



Just for your info the script is not working!!!



I too would like off this list 


Steve J. Lucia ([EMAIL PROTECTED])
Sr. Network Specialist
Client Server Group FFIOC
707-436-2840 co# 227-2840
pager 707-427-9176



-Original Message-
From: Don Ely [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 12:32 PM
To: NT System Admin Issues
Subject: RE: Get Me Off the List, Please



Get yourself off the list.  The link is at the bottom of the email.


-Original Message-
From: Maas [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 12:18 PM
To: NT System Admin Issues
Cc: [EMAIL PROTECTED]
Subject: Get Me Off the List, Please



[EMAIL PROTECTED]


please remove the address above from the list server


thank you...in over my head here 


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm




http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mod
e=0&lang=english


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mod
e=0&lang=english


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english



Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english

RE: Another F(*&^ virus! (OT)

[RZorz]

Title: RE: Another F(*&^ virus! (OT)



Again, 
not  a problem here. They all logout, and they all shutdown.  If they 
don't for some reason, it shows up on the Panda Administrator screen, and I log 
them off myself.  Hasn't been that big a problem here, but I've only got 50 
users. 

  -Original Message-From: Randal, Phil 
  [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 25, 
  2001 7:45 AMTo: NT System Admin IssuesSubject: RE: 
  Another F(*&^ virus! (OT)
  Sorry to be pedantic, but a login script is a pull, not a push, and if 
  your users habitually
  don't log out the login script ain't going to get run in a 
  hurry.
   
  Phil
  -Phil 
  RandalNetwork EngineerHerefordshire CouncilHereford, UK 

  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: 25 September 2001 
15:01To: NT System Admin IssuesSubject: RE: Another 
F(*&^ virus! (OT)
I haven't worked with any of the other packages, so I can't 
compare.  It seems to do ok, although they don't have any "ALERT" 
system, and always seem to be the last to get a definition out. I still 
don't know if they have the Vote virus covered.
They automatically create a logon script to push the defs to 
the desktop, so as long as you make sure the server gets updated before 
everyone logs on it works fine.  Our work hours make this a 
non-issue.  Remote users have a problem with the speed. 
I do know that I gave up on active desktop scanning.  
It slowed my workstations down too much.  I've been lucky that my folks 
get a lot of e-mail, but aren't big on downloading files.   So I'm 
scanning Exchange and Outlook.  Personally, I think way too many of the 
virii are being caught at the desktop rather than the Exchange server.  
They also have no filtering/blocking.
As soon as I can free up some money I'll most likely dump 
the Panda for Exchange and get Sybari. Want to unsub? 
  Do that 
  here:http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english

RE: Another F(*&^ virus! (OT)

[RZorz]

Title: RE: Another F(*&^ virus! (OT)





I haven't worked with any of the other packages, so I can't compare.  It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine.  Our work hours make this a non-issue.  Remote users have a problem with the speed. 

I do know that I gave up on active desktop scanning.  It slowed my workstations down too much.  I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files.   So I'm scanning Exchange and Outlook.  Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server.  They also have no filtering/blocking.

As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)




A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?


G.



    
    RZorz@ScottsdaleC   
    hamber.com  To: "NT System Admin Issues"    
 <[EMAIL PROTECTED]>    
    25/09/2001 13:51    cc: 
    Please respond to   Subject: RE: Another F(*&^ virus!   
    "NT System Admin    
    Issues" 
    
    





Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
 -Original Message-
 From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 24, 2001 4:03 PM
 To: NT System Admin Issues
 Subject: RE: Another F(*&^ virus!


 According to SARC, updating your definitions will detect this worm.
 Although, the latest update I get is dated Sep. 20. What's the scoop?
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!





  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes



  Symantec Security Response
  http://securityresponse.symantec.com


  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT



  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.



  Type: Worm



  Infection Length: 55,808 Bytes



  Virus Definitions: September 24, 2001



  Threat Assessment:




  Wild:
  Low  Damage:
  High  Distribution:
  High




  Wild:



  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:



  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  D

RE: Exchange Store.exe using 95% of CPU

[RZorz]

Title: Exchange Store.exe using 95% of CPU



A - 
Try the Sunbelt Exchange list.  
B - 
What SP of exchange?
C - 
Are you running exchange maintenance nightly?  Try turning it off 
tonite.

  -Original Message-From: Trixie Favato 
  [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 
  25, 2001 6:54 AMTo: NT System Admin IssuesSubject: 
  Exchange Store.exe using 95% of CPU
  Has anyone experienced high CPU utilization from 
  the Store.exe when using Exchange 5.5. I've installed the recommended hotfix 
  that Microsoft put out, ran the optimizer again, re-installed SP6a, but 
  nothing seems to help it. Every morning, I am having to reboot the server 
  because the IS stops responding. If anyone has dealt with this before, please 
  share your resolution. 
  Thanks, 
  Trixie Favato Sr. Systems Administrator The Woodbridge Group - Information 
  Technology 4240 Sherwoodtowne 
  Blvd. Mississauga, Ontario 
  Tel. 905.896.3882 Fax. 905-848-1794 Want to unsub? 
  Do that 
  here:http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english

RE: Another F(*&^ virus!

[RZorz]

Title: Another F(*&^ virus!



Actually one of my users sent that to me. I use Panda, which of course 
once again seems to be the last to know.

  -Original Message-From: Danny Iaconetti 
  [mailto:[EMAIL PROTECTED]]Sent: Monday, September 
  24, 2001 4:03 PMTo: NT System Admin IssuesSubject: RE: 
  Another F(*&^ virus!
  According to SARC, updating your definitions will detect this worm. 
  Although, the latest update I get is dated Sep. 20. What's the 
  scoop?
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Monday, September 24, 
2001 4:37 PMTo: NT System Admin IssuesSubject: Another 
F(*&^ virus!
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe Size of attachment: 55808 Bytes 
Symantec Security Response http://securityresponse.symantec.com 
  W32.Vote.A@mm 
Discovered on: September 24, 2001 Last Updated on: September 24, 2001 at 09:56:27 AM PDT 
W32.Vote.A@mm is a mass-mailing worm that is written in 
Visual Basic. When executed, it will email itself out to all email addresses 
in the Microsoft Outlook address book. The worm will insert two .vbs files 
on the system, and it will also attempt to delete files from several 
antivirus products. 
Type: Worm 
Infection Length: 55,808 Bytes 
Virus Definitions: September 24, 2001 
Threat Assessment: 
   Wild: Low  Damage: High  Distribution: 
High    

Wild: 
Number of infections: 0 - 49 Number 
of sites: 3 - 9 Geographical distribution: Medium 
Threat containment: Moderate Removal: Moderate Damage: 
Payload: Large scale e-mailing: 
Emails everyone in the Microsoft Outlook addressbook Deletes files: After reboot, the worm attempts to delete all files in 
the Windows folder Modifies files: All files with 
the extension "htm" or "html" will be overwritten. Compromises security settings: If the Backdoor.Trojan was 
successfully downloaded and installed, anyone could gain full access to the 
computer. 
Distribution: 
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe Size of attachment: 55808 Bytes 
Technical description: 
W32.Vote.A@mm is a mass-mailing worm written in the Visual 
Basic language. It requires the file Msvbvm50.dll to execute.
When executed, the worm will attempt to email itself to all 
contacts in the Microsoft Outlook address book. The email will appear as 
follows.
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's 
Vote To Live in Peace! 
Attachment: WTC.EXE 
Next, the worm will insert two .vbs files on the 
system: 
\\ZaCker.vbs \\MixDaLaL.vbs 
In addition, the worm will attempt to download and execute a 
file. This file is detected as Backdoor.Trojan by Norton 
Antivirus.
Finally, the worm will attempt to delete all files from 
several folders. These folders appear to be the default installation folders 
for several antivirus products. For Norton AntiVirus, this worm will only 
attempt to delete the files if Norton Antivirus is located in C:\Program 
Files\Norton AntiVirus.
What the dropped files do 
MixDaLaL.vbs MixDaLaL.vbs is a 
Visual Basic Script file that is inserted in the \Windows\System folder. 
This file is executed by the worm. As the file is executed, it will look 
through all folders on all fixed drives and network drives for files with 
the extensions .htm or .html. If such a files are found, they are 
overwritten with the message:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's 
Our Turn >>> ZaCkEr is So Sorry For You 
ZaCker.VBS This file is inserted in 
the \Windows\System folder. It is not executed by the worm. Instead, the 
value 
Norton.Thar \Windows\System\ZaCker.vbs 
is added to the registry key 
HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run 
so that the file is executed when you start Windows. 

When executed at the next restart, this file will attempt to 
delete all files in the \Windows folder. Next, the worm will create or 
overwrite the file C:\Autoexec.bat. Inside the file there will be a command 
that formats the C drive. The Autoexec.bat file is executed on Windows 
95/98/Me and DOS systems when you start the computer.
Finally, the worm will displays the message 

The worm does attempt to shut down Windows after the message 
has been displayed. However, because the files required for this event to 
occur have been deleted from the \Windows folder, the computer probably will 
not shut down.
Removal instructions: 
1. Run LiveUpdate to make sure that you have the most recent 
virus definitions. 2. Start Norton AntiVirus (NAV), 
and make sure that NAV is configured to scan all files. For i

RE: Quick Question

[RZorz]

Title: RE: Quick Question





Is this message looping to everyone or is it just my server?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 1:08 PM
To: NT System Admin Issues
Subject: RE: Quick Question



Nice try, but no cigar!


The following is the page that loads after selecting the 'Leave' button:


SecureIIS application firewall security alert



HTTP Request caused a security alert, please contact our web master if you are getting this alert in error.





Evaluation version of SecureIIS
SecureIIS offers websites running Microsoft Internet Information Server a broad range of protection from common vulnerabilities, both known and unknown. Because SecureIIS does not protect against specific vulnerabilities, but classes of vulnerabilities, it allows for a much more far reaching layer of security. 




To get more information or to download an evaluation copy, please visit us at www.eEye.com


eEye(tm) Digital Security - Vulnerability Is Over...



Nice try!



Garrick



>>> [EMAIL PROTECTED] 24/09/2001 19:57:13 >>>



To unsub, go to 
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0 
and from the web interface you can get yourself off the list. 
-Original Message- 
From: Rudy Lovato [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 1:32 PM 
To: NT System Admin Issues 
Subject: RE: Quick Question 



How do I unsubscribe from this list 
-Original Message- 
From: David James [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 11:09 AM 
To: NT System Admin Issues 
Subject: Quick Question 



Hi, 
I changed our firewall IP address on Friday.  It's a Checkpoint Firewall-1. 
Today, everything works great except some of my users like to check hotmail 
email accounts, and we can't get any of the hotmail or passport sites to 
pull up.  Some of my buddies say that their hotmail is working great. Any 
idea why changing my IP would not allow hotmail to work? Thanks in advance. 
  
-- 
David James 
Infrastructure Administrator 
Generation Technologies Corporation 
V:  913-345-1012 x103 
F:  913-345-0156 
  
[EMAIL PROTECTED] 
  
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Another F(*&^ virus!

[RZorz]

Title: Another F(*&^ virus!  






Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe 
Size of attachment: 55808 Bytes 


Symantec Security Response
http://securityresponse.symantec.com 
 
W32.Vote.A@mm
Discovered on: September 24, 2001 
Last Updated on: September 24, 2001 at 09:56:27 AM PDT 


W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products. 

Type: Worm 


Infection Length: 55,808 Bytes 


Virus Definitions: September 24, 2001 


Threat Assessment: 


   
Wild: 
Low  Damage: 
High  Distribution: 
High  
 


Wild: 


Number of infections: 0 - 49 
Number of sites: 3 - 9 
Geographical distribution: Medium 
Threat containment: Moderate 
Removal: Moderate 
Damage: 


Payload: 
Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook 
Deletes files: After reboot, the worm attempts to delete all files in the Windows folder 
Modifies files: All files with the extension "htm" or "html" will be overwritten. 
Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer. 

Distribution: 


Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe 
Size of attachment: 55808 Bytes 


Technical description: 


W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!


Message: 
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!


Attachment: WTC.EXE


Next, the worm will insert two .vbs files on the system:



\\ZaCker.vbs
\\MixDaLaL.vbs


In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

What the dropped files do


MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the \Windows\System folder. This file is executed by the worm. As the file is executed, it will look through all folders on all fixed drives and network drives for files with the extensions .htm or .html. If such a files are found, they are overwritten with the message:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You


ZaCker.VBS
This file is inserted in the \Windows\System folder. It is not executed by the worm. Instead, the value


Norton.Thar \Windows\System\ZaCker.vbs


is added to the registry key


HKEY_LOCAL_MACHINE\Microsoft\
Windows\CurrentVersion\Run


so that the file is executed when you start Windows.


When executed at the next restart, this file will attempt to delete all files in the \Windows folder. Next, the worm will create or overwrite the file C:\Autoexec.bat. Inside the file there will be a command that formats the C drive. The Autoexec.bat file is executed on Windows 95/98/Me and DOS systems when you start the computer.

Finally, the worm will displays the message




The worm does attempt to shut down Windows after the message has been displayed. However, because the files required for this event to occur have been deleted from the \Windows folder, the computer probably will not shut down.


Removal instructions: 



1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan.
4. Delete all files that are detected as W32.Vote.A@mm. If the worm has run and Norton AntiVirus is installed in C:\Program Files\Norton AntiVirus, you should reinstall Norton Antivirus.

5. If the computer has been rebooted after the infection, or if the computer seems very unstable, it is recommended that you reinstall the operating system.



Additional information: 


If the Backdoor.Trojan was successfully installed on the computer, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:


Stealing or changing passwords or password files
Installing remote-connectivity

RE: Nimda - Thought we were protected

[RZorz]

Title: RE: Nimda - Thought we were protected



You 
can't block attachments natively. You need 3rd party antivirus software. 


  -Original Message-From: Kelly Gosh 
  [mailto:[EMAIL PROTECTED]]Sent: Monday, September 24, 2001 
  11:07 AMTo: NT System Admin IssuesSubject: RE: Nimda - 
  Thought we were protected
  Where in Exchange 5.5 can you block certain attachments?  
  Ideally, I would like to block all *.exe and all *.vbs from most users.  
  I know how to block domains and email addresses, and I swear I've seen 
  attachment blocking, but for the life of me I can't find it anywhere 
  now!
  Any help would be appreciated. 
  Kelly Gosh Information Systems 
  Manager Brilliance Audio, Inc.   Phone: 616.846.5256 ext. 704 
  Fax: 616.846.0630   
  http://www.brillianceaudio.com 
      
  -Original Message- From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  Sent: Monday, September 24, 2001 12:47 PM To: NT System Admin Issues Subject: RE: Nimda - 
  Thought we were protected 
  SCAN ALL FILES  (asp,js,htm,html,shtm,shtml,dll), 
  do  NOT use program files only! 
  Replace riched20.dll and mcc.exe or you be infected again 
  after you reboot! (ofcourse replace them with clean copys!) 
  Kind regards, Pim Vessies 
  CS&O Backoffice Philips Medical 
  Systems IM/CS&O/BO Building QAII-441 
  Veenpluis 4 - 6, 5684 PC Best The 
  Netherlands 
  "Steve Kelsay" <[EMAIL PROTECTED]> on 09/24/2001 
  05:11:25 PM 
  Please respond to "NT System Admin Issues" 
  <[EMAIL PROTECTED]> 
  To: "NT System Admin Issues" 
  <[EMAIL PROTECTED]> cc:  (bcc: Pim 
  Vessies/BST/MS/PHILIPS) Subject:  RE: Nimda - 
  Thought we were protected Classification: 
  
  Yes, I had installed all the patches we discussed here on the 
  site. 
  Steve Kelsay Network Administration 
  Group South Carolina Department of Revenue 
  301 Gervais Street Columbia, SC 
  29201 
  (803) 898-5522 
  >>> [EMAIL PROTECTED] 09/24/01 10:59AM 
  >>> Did you have the IE patch applied?  
  If the browsed to a infected site they can get the 
  virus that way as well. Robert Muncy Sherman Financial Group 
  -Original Message- From: Steve 
  Kelsay [mailto:[EMAIL PROTECTED]] Sent: Monday, September 24, 2001 10:35 AM To: 
  NT System Admin Issues Subject: Nimda - Thought we 
  were protected 
  First alert, Maybe nothing. 
  We just had our developer machines, running NT2000 Server hit 
  with Nimda. 
  The strange thing is, we have Nimda protection in our email 
  scanner, and all the security fixes MS said should be 
  applied. SP2 is installed. 
  The machines boot up, a log in screen displays, and they 
  login. The Novell login script begins to run as normal 
  ( we run mixed network, NT and Novell), then the login 
  script box clears as normal, a blue screen appears as normal, and nothing further happens. 
  Could this be a new strain? 
  Steve Kelsay Network Administration 
  Group South Carolina Department of Revenue 
  301 Gervais Street Columbia, SC 
  29201 
  (803) 898-5522 
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: NT Admin Jobs in Canada / USA ?

[RZorz]

Title: Message



Probably not the best time to be coming to the U.S. with all the layoffs 
happening.  At least in Arizona, most of the jobs posted seem to be for 
Unix, Peoplesoft, SAP or Oracle folks.   Very few NT Admins are 
posted, definitely more Cisco than NT. 

  -Original Message-From: Stuart Tonge 
  [mailto:[EMAIL PROTECTED]]Sent: Monday, September 24, 
  2001 4:34 AMTo: NT System Admin IssuesSubject: NT Admin 
  Jobs in Canada / USA ? 
  Hi, 
  this may be a little off topic.. but it is the NT list so here 
  goes..
   
  Could someone from the US and Canada email me 
  (personally so as not to cause listt raffic)
  and 
  let me know what kind of IT people the US (specifically what parts) and Canada 
  (toronto area) are short on?
   
  NT 
  Admins?
  Cisco people?
   
  I'm 
  looking to emigrate next year from the UK.
   
  Any 
  help would be gratefully received.
   
  Thanks,
   
   
  Stu.
   
  [EMAIL PROTECTED]
   **Website 
  - 
  WWW.COOP.CO.UKThis 
  document should only be read by those persons to whom it is addressed and is 
  not intended to be relied upon by any person without subsequent written 
  confirmation of its contents. Accordingly, United Co-op disclaims all 
  responsibility and accept no liability (including in negligence) for the 
  consequences for any person acting, or refraining from acting, on such 
  information prior to the receipt by those persons of subsequent written 
  confirmation.If you have received this E-mail message in error, please 
  notify us immediately by telephone. Please also destroy and delete the message 
  from your computer.Any form of reproduction, dissemination, copying, 
  disclosure, modification, distribution and/or publication of this E-mail 
  message is strictly 
  prohibited.**http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: How do you all do it?

[RZorz]

Title: RE: How do you all do it?





This list didn't help me with Nimda as much as it did with ILOVEYOU.  Fellow listers from all over the world started crashing, and I was able to handle it here with a brilliant low-tech solution - I printed a big warning out and put it on everyone's desktop.  With only 50 users that was feasible, and because I'm in at least 2 hours earlier than anyone else.  But this list saved the day! 

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 3:29 PM
To: NT System Admin Issues
Subject: RE: How do you all do it?



I was going to say that.
There are some MAJOR advantages to being on these lists.
As an example, many of us knew about Nimda hours before anyone else did.
Granted we didn't have technical details or a name, but we knew there
was something bad happening and to start battening down the hatches. You
cant put a price on info like that.
I guarantee you, you sub to these lists, your knowledge will grow
exponentially, and you will look like a hero to your boss when you know
the S*&T is about to hit the fan well before anyone else does.


-Original Message-
From: Diane Beckham [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 20, 2001 3:26 PM
To: NT System Admin Issues
Subject: RE: How do you all do it?



Hey, this IS work.  Knowing about a virus BEFORE users tell us, is major
work


Diane


-Original Message-
From: Don Collier (Intermap Denver) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 3:03 PM
To: NT System Admin Issues
Subject: How do you all do it?



I just joined this list today and am overwhelmed with email.  Almost 200
messages today.  How do you all keep up with this list and get any work
done?  (Not meant to imply anything)


 
_
Don Collier
Network Administrator
Intermap Technologies Inc.
Voice:  303-708-0955 x-207
Fax:    303-708-0952
[EMAIL PROTECTED] 
www.intermaptechnologies.com


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Microsoft Has Nimda

[RZorz]

Title: RE: Microsoft Has Nimda





I think all John was trying to point out is that of all companies, MS should be more on top of all this crap than anyone, since all too often we're having to connect to them to get patches/fixes/etc to fix vulnerabilities in their products. 

Weren't the MS sites we were connecting to get the Code Red security patches infected themselves?  Wasn't there a problem with the Microsoft/Frontpage site caused by Nimda? 

That's some serious negligence on Microsoft's part.  


-Original Message-
From: Dillon, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:29 PM
To: NT System Admin Issues
Subject: RE: Microsoft Has Nimda



Operant Conditioning 101: behavior is controlled by its consequences, but
most IT depts are skilled at dodging those consequences (which reinforces
THAT behavior), so nothing changes/improves.  The problem that management
has is determining whether any given admin "crime" is worthy of the death
sentence, since a firing impacts morale and often requires a new (expensive)
hire.  I see two places where improvement could be made:  1)upgrade the
multitude of admins (not fast or easy or cheap), or 2)upgrade the product's
ability to keep ITSELF patched (which is Microsoft's baby).  There seems to
be a certain efficiency in #2.


-Original Message-
From: John Hornbuckle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 4:10 PM
To: NT System Admin Issues
Subject: RE: Microsoft Has Nimda



Some mistakes are worse than others. The worse the mistake, the harsher
the punishment.


Sometimes people need to be fired.




John Hornbuckle
Network Manager
Taylor County School District
318 North Clark Street
Perry, FL 32347 




-Original Message-
From: Mal Sasalu [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 20, 2001 3:54 PM
To: NT System Admin Issues
Subject: RE: Microsoft Has Nimda





If firing someone or cutting off somebody's head for any mistake was an
answer, you'd have heard bombs by now!



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: WORST EVER VIRUS (CNN announced)

[RZorz]

Title: RE: WORST EVER VIRUS (CNN announced)





Hoax.  see www.sophos.com.  Of course, if I was going to create a virus, first thing I'd do is name it after one of the hoaxes. 

-Original Message-
From: Sabrina Stolcz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:18 PM
To: NT System Admin Issues
Subject: WORST EVER VIRUS (CNN announced)




WORST EVER VIRUS (CNN announced) 
> > >> PLEASE SEND THIS TO EVERYONE ON YOUR CONTACT LIST!! 
> > >> A new virus has just been discovered that has been classified by 
> > Microsoft 
> > >> as the most destructive ever! 
> > >> This virus was discovered yesterday afternoon by McAfee and no
> vaccine 
> > has 
> > >> yet been developed. This virus simply destroys Sector Zero from the
> > hard 
> > >> disk, where vital information for its Functioning are stored.  This 
> > virus 
> > >> acts in the following manner: 
> > >> It sends itself automatically to all contacts on your list with the 
> > title 
> > >> "A Virtual  Card for You."  As soon as the supposed virtual card is 
> > opened, 
> > >> the computer freezes so that the user has to reboot. When the 
> > ctrl+alt+del 
> > >> keys or the reset button are pressed, the virus destroys Sector 
> > Zero,thus 
> > >> permanently destroying the hard disk. 
> > >> Yesterday in just a few hours this virus caused panic in New York, 
> > >> according to news broadcast by CNN. This alert was received by an 
> > employee 
> > >> of Microsoft itself. So don't open any mails with subject: 
> > >> "A Virtual Card for You." As soon as you get the mail, delete it.










This email with all information contained herein or attached hereto may
contain confidential and/or privileged information intended for the
addressee(s) only.  If you have received this email in error, please contact
the sender and immediately delete this email in its entirety and any
attachments thereto..




http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: .BHF

[RZorz]

Title: RE: .BHF





from symantec.com


System Modifications


When executed the worm determines from where it is being executed. The worm
then overwrites MMC.EXE in the Windows Directory or creates a copy of itself
in the Windows Temporary Directory.


The worm then infects commonly used executables listed in the registry keys:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders


The worm hooks the system by modifying the system.ini file as follows:


Shell = explorer.exe load.exe -dontrunold


It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows
.DLL used by applications such as Microsoft Word. By replacing this DLL, the
worm is executed each time applications such as Microsoft Word are executed.


The worm copies itself as the file:


%Windows\System%\load.exe


NOTE: %Windows\System% is a variable. The worm locates the \Windows\System
folder (by default this is C:\Windows\System) and copies itself to that
location


The worm then attempts to modify files with the extension .htm, .html., and
.asp or filenames matching default, index, main and readme on the local
system that are shared with other network computers. .EXE files are infected
and .EML and .NWS files are replaced by the virus.


Next, the worm creates open network shares for all drives on the computer by
modifying the registry key:


HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]


A reboot of the computer is required for these settings to take effect.


The worm searches for all open shares on the network by iterating through
the Network Neighborhood. All files on any open network shares are examined
for possible infection. .EXE files are infected by the worm except
WINZIP32.EXE. .EML and .NWS files are copied to the open network shares and
the worm copies itself over as riched20.dll to any directory with .DOC
files.


During execution, the worm may attempt to delete copies of itself. If the
file is in use or locked, the worm will create WININIT.INI with an entry to
delete itself upon reboot.


The worm contains bugs and can be resource intensive. Thus, not all actions
may occur and system instability may be noticable.



-Original Message-
From: David Coffey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 11:37 AM
To: NT System Admin Issues
Subject: .BHF



Hi everyone,
As most did we too got hit with the NIMDA virus.  Has anyone experienced
problems with Windows Explorer.exe after cleaning up your nt server? 
Also, I'm now getting a message at startup that says: "Windows is
searching for Connect from ouside.BHF. To locate the file yourself, click
Browse."  I can't find any information on this .bhf file and I am
wondering if it's virus related. Lastly when I get the Dr. Watson for
explorer.exe I also lose the Norton icon from the tray?
Thanks,
Dave


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Help for the Nimda virus

[RZorz]

Title: RE: Help for the Nimda virus



Doh!!!   I so rarely look down there unless someone responds 
"inline".  Sorry

  -Original Message-From: John Cesta - Lists 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 19, 2001 11:09 
  AMTo: NT System Admin IssuesSubject: RE: Help for the 
  Nimda virus
  Yo John - how come all your responses are blank. Or is just 
  me.  
   
  Maybe because I am entering them under the question 
  inline.
   
  John
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 
19, 2001 1:57 PMTo: NT System Admin IssuesSubject: RE: 
Help for the Nimda virus
Yo John - how come all your responses are blank. Or is just 
me.  
 
 
-Original Message- From: 
John Cesta - Lists [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 19, 2001 10:18 AM 
To: NT System Admin Issues Subject: 
RE: Help for the Nimda virus 
> -Original Message- > 
From: Jim Busick [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, September 19, 2001 1:03 PM 
> To: NT System Admin Issues > Subject: RE: Help for the Nimda virus > > > Very 
usefull tool. Thanks John. 
You're welcome! 
John 
> > > -Original 
Message- > > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]] 
> > Sent: Wednesday, September 19, 2001 10:02 
AM > > To: NT System Admin Issues 
> > Subject: RE: Help for the Nimda virus 
> > > > 
> > > > 
> > > -Original Message- 
> > > From: Jim Busick [mailto:[EMAIL PROTECTED]] 
> > > Sent: Wednesday, September 19, 2001 12:36 
PM > > > To: NT System Admin Issues 
> > > Subject: RE: Help for the Nimda virus 
> > > > > 
> > > > I find it ironic that I had to 
use Explorer Search to find Searchit. > > 
> > Yes, there is a glitch in the installer 
program we used. It > > works fine on 
> > NT4.0 but on Win2k it appends the setup path to 
the exe's > > install path. It's 
> > fairly easy to set the searchit.exe path to 
> > c:\winnt\system32\searchit.exe 
> > and it will be fine. > 
> We'll get that fixed as soon as we get the fix for the 
installer. > > > 
> John Cesta > > > > > > > -Original Message- > > > > From: Clark, Steve [mailto:[EMAIL PROTECTED]] 
> > > > Sent: Wednesday, September 19, 2001 
9:29 AM > > > > To: NT System Admin 
Issues > > > > Subject: RE: Help for the 
Nimda virus > > > > > > > > > > > > Mod 
the shortcut to point to the windows dir and it works fine. > > > > > > > > Steve 
Clark > > > > Clark Systems Support, 
LLC > > > > AVIEN Charter Member 
> > > > www.clarksupport.com > > > >     
301-610-9584 voice > > > > 
    240-465-0323 Efax 
> > > > > > > 
> -Original Message- > > > > 
From: Jim Busick [mailto:[EMAIL PROTECTED]] 
> > > > Sent: Wednesday, September 19, 2001 
12:26 PM > > > > To: NT System Admin 
Issues > > > > Subject: RE: Help for the 
Nimda virus > > > > > > > > We appreciate the thought, but the tool does not 
install properly. > > > > 
> > > > > -Original Message- 
> > > > > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]] 
> > > > > Sent: Wednesday, September 19, 
2001 8:14 AM > > > > > To: NT System 
Admin Issues > > > > > Subject: RE: 
Help for the Nimda virus > > > > 
> > > > > > > > > > > > > > > 
> > > > > > > -Original 
Message- > > > > > > From: 
Kevin Lundy [mailto:[EMAIL PROTECTED]] 
> > > > > > Sent: Wednesday, September 
19, 2001 10:54 AM > > > > > > To: 
NT System Admin Issues > > > > > > 
Subject: RE: Help for the Nimda virus > > > 
> > > > > > > > > 
> > > > > > It also doesn't work.  I 
downloaded and installed it, and > > > > 
> it didn't even > > > > > > 
create an executable. > > > > 
> > > > > > That's not true 
actually. > > > > > > > > > > 1. It is FREE a production copy. The link is 
right on the > > > > > home page to 
the > > > > > right of the dancing 
tools. > > > > > 2. The search.exe 
file is in the c:\winnt\system32 directory. > 
> > > > > > > > > I 
didn't think it would be difficult to give something > > away. :0 > > > > 
> > > > > > John > > > > > > > > > 
> > > > > > > > > > > > > -Original Message- 
> > > > > > From: Givens, Mike [mailto:[EMAIL PROTECTED]] 
> > > > > > Sent: Wednesday, September 
19, 2001 10:51 AM > > > > > > To: 
NT System Admin Issues > > > > > > 
Subject: RE: Help for the Nimda virus > > > 
> > > > > > > > > 
> > > > > > define "free" the link 
provided only goes to a "trail" > > > > 
> version located in > > > > > 
> the downloads area ? > > > > > 
> > > > > > > -Original 
Message- > > > > > > From: 
John Cesta - Lists [mailto:[EMAIL PROTECTED]] 

RE: Help for the Nimda virus

[RZorz]

Title: RE: Help for the Nimda virus





Yo John - how come all your responses are blank. Or is just me. 


-Original Message-
From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 10:18 AM
To: NT System Admin Issues
Subject: RE: Help for the Nimda virus





> -Original Message-
> From: Jim Busick [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 1:03 PM
> To: NT System Admin Issues
> Subject: RE: Help for the Nimda virus
> 
> 
> Very usefull tool. Thanks John.


You're welcome!


John


> 
> > -Original Message-
> > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 19, 2001 10:02 AM
> > To: NT System Admin Issues
> > Subject: RE: Help for the Nimda virus
> > 
> > 
> > 
> > 
> > > -Original Message-
> > > From: Jim Busick [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, September 19, 2001 12:36 PM
> > > To: NT System Admin Issues
> > > Subject: RE: Help for the Nimda virus
> > >
> > >
> > > I find it ironic that I had to use Explorer Search to find Searchit.
> > 
> > Yes, there is a glitch in the installer program we used. It 
> > works fine on
> > NT4.0 but on Win2k it appends the setup path to the exe's 
> > install path. It's
> > fairly easy to set the searchit.exe path to 
> > c:\winnt\system32\searchit.exe
> > and it will be fine.
> > We'll get that fixed as soon as we get the fix for the installer.
> > 
> > John Cesta
> > >
> > > > -Original Message-
> > > > From: Clark, Steve [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, September 19, 2001 9:29 AM
> > > > To: NT System Admin Issues
> > > > Subject: RE: Help for the Nimda virus
> > > >
> > > >
> > > > Mod the shortcut to point to the windows dir and it works fine.
> > > >
> > > > Steve Clark
> > > > Clark Systems Support, LLC
> > > > AVIEN Charter Member
> > > > www.clarksupport.com
> > > >     301-610-9584 voice
> > > >     240-465-0323 Efax
> > > >
> > > > -Original Message-
> > > > From: Jim Busick [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, September 19, 2001 12:26 PM
> > > > To: NT System Admin Issues
> > > > Subject: RE: Help for the Nimda virus
> > > >
> > > > We appreciate the thought, but the tool does not install properly.
> > > >
> > > > > -Original Message-
> > > > > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Wednesday, September 19, 2001 8:14 AM
> > > > > To: NT System Admin Issues
> > > > > Subject: RE: Help for the Nimda virus
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > > -Original Message-
> > > > > > From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Wednesday, September 19, 2001 10:54 AM
> > > > > > To: NT System Admin Issues
> > > > > > Subject: RE: Help for the Nimda virus
> > > > > >
> > > > > >
> > > > > > It also doesn't work.  I downloaded and installed it, and
> > > > > it didn't even
> > > > > > create an executable.
> > > > >
> > > > > That's not true actually.
> > > > >
> > > > > 1. It is FREE a production copy. The link is right on the
> > > > > home page to the
> > > > > right of the dancing tools.
> > > > > 2. The search.exe file is in the c:\winnt\system32 directory.
> > > > >
> > > > > I didn't think it would be difficult to give something 
> > away. :0
> > > > >
> > > > > John
> > > > >
> > > > >
> > > > > >
> > > > > > -Original Message-
> > > > > > From: Givens, Mike [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Wednesday, September 19, 2001 10:51 AM
> > > > > > To: NT System Admin Issues
> > > > > > Subject: RE: Help for the Nimda virus
> > > > > >
> > > > > >
> > > > > > define "free" the link provided only goes to a "trail"
> > > > > version located in
> > > > > > the downloads area ?
> > > > > >
> > > > > > -Original Message-
> > > > > > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Wednesday, September 19, 2001 9:50 AM
> > > > > > To: NT System Admin Issues
> > > > > > Subject: Help for the Nimda virus
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Previous email contained an incorrectly formatted URL.
> > > > Try this one.
> > > > > >
> > > > > > If any one is interested: We are giving away FREE our
> > > > > SearchIt program.
> > > > > > SearchIt can search your logfiles, or any files, for text
> > > > > strings you
> > > > > > define. You can search for cmd.exe or tftp or any 
> > other piece of
> > > > > > a virus or
> > > > > > IIS exploit. SearchIt may be run via a scheduler and a
> > > > > report of the found
> > > > > > files is emailed to you.
> > > > > >
> > > > > > The FREE Download is at: http://www.serverautomationtools.com
> > > > > >
> > > > > > John Cesta
> > > > > >
> > > > > >
> > > > > > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > > > > >
> > > > > > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > > > > >
> > > > > > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > > > > >
> > 

RE: FW: Worm probes

[RZorz]

Title: RE: FW: Worm probes




Name: Nimda 
Alias: W32/Nimda 
Virus Categories: WORM (E-MAIL) 
Virus Families: W32 GROUP 
Repairable: Yes 
Date of Appearance: 09/18/2001 
Included in the "Wild List": No 
Activation Condition 
Basic Information: W32/Nimda is a worm that spreads by e-mail and exploits a 
vulnerability in Windows98 and Windows2000 that makes it possible to run 
Audio/X-wav files through Windows Explorer. To ensure its propagation, this worm 
sends out a message that includes an attachment with the following name: 
README.EXE. This file pretends to be an Audio/Xwav file coded in Base64 format. 
After being decoded, the executable file that contains the worm is 57344 bytes 
long. 
One of the actions carried out by this worm consists of sharing the drive C: 
of the affected computer in order to spread to other network drives.

Means of Propagation This worm uses e-mail to spread to other systems. To do 
this it sends out messages containing an attachment with the following name: 
README.EXE. 

Symptoms of Infection This worm creates several files in the Windows 
temporary directory. Although the content of these files is basically very 
similar to the original file, it does present certain variations. Additionally, 
it creates a file called Wininit.ini in the Windows directory.
The worm is coded to download a file called Admin.dll. To do this it uses an 
application called Tftp.exe. Finally, the worm creates a new user through which 
it shares the C drive and attempts to spread to other network drives. 
Additionally, it exploits a vulnerability in Windows98 and Windows2000 that 
makes it possible to run Audio/X-wav files through Windows 
Explorer.

  -Original Message-From: Ray Zorz Sent: 
  Tuesday, September 18, 2001 12:58 PMTo: NT System Admin 
  IssuesSubject: RE: FW: Worm probes
  reg 
  hack to not execute perhaps? 
  
-Original Message-From: John Cesta - Lists 
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18, 2001 12:57 
PMTo: NT System Admin IssuesSubject: RE: FW: Worm 
probes
 

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 
  18, 2001 3:26 PMTo: NT System Admin IssuesSubject: 
  RE: FW: Worm probes
  From Panda (note they won't have a sig file for a few 
  hours yet): Panda Software alerts users on the 
  appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China, 
  which spreads through the e-mail and is automatically executed simply by 
  previewing the message that contains it. 
  To perform the infection it exploits a vulnerability 
  discovered by the security expert Juan Carlos García Cuartango in Internet 
  Explorer 5 browser, as well as Outlook and Outlook Express mail clients. 
  This flaw allows for the automatic and immediate execution of files. This 
  means no action, such as double-clicking the attached file, is necessary 
  for the virus to be activated. However, it requires that the 'preview' 
  option is enabled in the mail clients for the vulnerability to be 
  exploited and README.EXE, the virus filename, to be executed. 
   
  I am not so sure that this assessment is entirely 
  correct. For example, in my situation, I have a PC with Outlook 2000 
  and preview mode enabled. What I get is that when I click on the email a 
  dialog box opens and prompts whether or not I wish to save the file 
  to disk - the README.EXE file that is.I just click cancel and then delete 
  the email. I do not contract the virus. 
   
  John  
  Due to this threat, Panda Software recommends to follow up 
  the news appearing in the specialised media. It also warns against opening 
  the mail client before the anti-virus is updated with the corresponding 
  pav.sig, which will be made available to all users by the European 
  multinational in the next few hours, together with the additional info 
  about the virus.
  -Original Message- From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, September 18, 2001 12:21 PM 
  To: NT System Admin Issues Subject: Fw: FW: Worm probes 
  Here's one from a thread on nanog 
  HTH, 
  Geoff 
  - Original Message - From: 
  "Jim Olsen" <[EMAIL PROTECTED]> To: 
  <[EMAIL PROTECTED]> Sent: Tuesday, September 
  18, 2001 11:03 AM Subject: Re: FW: Worm 
  probes 
  > > This is the information 
  i've collected thus far on W32.nimda: > 
  > W32.nimda is NOT a code red variant, and the people 
  who referring to it as > "Code Blue" were 
  mistaken... > > The 
  name it has been given (at least by TruSecure) is W32.nimda.a.mm. 
  It uses > several 
  vulnerabilities in Windows NT and 2000 server's to infect a 
  server, > and also employ's 
  email and web site mobile code to infect Wind

RE: FW: Worm probes

[RZorz]

Title: RE: FW: Worm probes



reg 
hack to not execute perhaps? 

  -Original Message-From: John Cesta - Lists 
  [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18, 2001 12:57 
  PMTo: NT System Admin IssuesSubject: RE: FW: Worm 
  probes
   
  
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18, 
2001 3:26 PMTo: NT System Admin IssuesSubject: RE: FW: 
Worm probes
From Panda (note they won't have a sig file for a few hours 
yet): Panda Software alerts users on the appearance 
of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads 
through the e-mail and is automatically executed simply by previewing the 
message that contains it. 
To perform the infection it exploits a vulnerability 
discovered by the security expert Juan Carlos García Cuartango in Internet 
Explorer 5 browser, as well as Outlook and Outlook Express mail clients. 
This flaw allows for the automatic and immediate execution of files. This 
means no action, such as double-clicking the attached file, is necessary for 
the virus to be activated. However, it requires that the 'preview' option is 
enabled in the mail clients for the vulnerability to be exploited and 
README.EXE, the virus filename, to be executed. 
 
I am not so sure that this assessment is entirely 
correct. For example, in my situation, I have a PC with Outlook 2000 
and preview mode enabled. What I get is that when I click on the email a 
dialog box opens and prompts whether or not I wish to save the file to 
disk - the README.EXE file that is.I just click cancel and then delete the 
email. I do not contract the virus. 
 
John  
Due to this threat, Panda Software recommends to follow up 
the news appearing in the specialised media. It also warns against opening 
the mail client before the anti-virus is updated with the corresponding 
pav.sig, which will be made available to all users by the European 
multinational in the next few hours, together with the additional info about 
the virus.
-Original Message- From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 18, 2001 12:21 PM To: NT System Admin Issues Subject: Fw: FW: 
Worm probes 
Here's one from a thread on nanog 
HTH, 
Geoff 
- Original Message - From: 
"Jim Olsen" <[EMAIL PROTECTED]> To: 
<[EMAIL PROTECTED]> Sent: Tuesday, September 18, 
2001 11:03 AM Subject: Re: FW: Worm probes 

> > This is the information 
i've collected thus far on W32.nimda: > 
> W32.nimda is NOT a code red variant, and the people 
who referring to it as > "Code Blue" were 
mistaken... > > The 
name it has been given (at least by TruSecure) is W32.nimda.a.mm. It 
uses > several vulnerabilities 
in Windows NT and 2000 server's to infect a server, > and also employ's email and web 
site mobile code to infect Windows > 9x/ME/NT/2k 
boxes. > > During the 
initial infection of a server, the worm does the following: > - download a 
file named "admin.dll" via tftp from the system that is > trying to infect the target 
> - add 
the guest account to the local administrators group and > activates the account > - makes sure c$ 
is shared out > - copies itself 
to c, d, and e drives > - tries to mail 
itself to email addresses that it discovers on the > server > - creates a file 
named readme.exe, which is used in the mobile code > inserted on the web sites 
below > - add this 
string to the web pages found on the server: > 
window.open("readme.eml", 
null, 
> 
"resizable=no,top=6000,left=6000") 
> - 
scans for and infects other vulnerable IIS servers > - goes through 
all shared directories and puts sample.nws, > 
sample.eml, desktop.eml, desktop.nws in each directory. these are eml 
> messages with copies of itself (readme.exe) autoloaded 
by the mobile html > code mentioned above. 
> - goes 
through all shared directories and puts riched20.dll in each > directory, which is a trogan dll 
version of W32.nimda that is meant to > infect 
people running notepad/wordpad in that directory. > - puts a trojan 
mmc.exe in the winnt directory that is a copy of > itself in the above "readme.exe" format (win2000 only) 
> > If a user views a web 
site that is hosted on an infected server, the > 
following happens: > - upon viewing 
an infected page, the mobile code extracts to > 
readme.exe and starts in windows media player (without user 
intervention) > - the user's 
machine becomes infected with W32.nimda at this point > and time > - the worm 
starts scanning for othe