RE: HELP VIRUS ON NT MACHINE?
I might be confused... Why do you need to remove the hard drive?

-Original Message-
From: Matthew Western [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 10:37 PM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

hehehe she knows how to fix it tho.. that's what we're doing successfully here. put it in another machine, clean about 2000 files off the hard drive and put it back in... working on workstations.

-Original Message-
From: Greg Page [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 September 2001 10:22 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

You're not in IT? Are you a lurker?

Greg

-Original Message-
From: PITNEY,LDENISE (A-Sonoma,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 6:44 PM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

Our local IT department has actually had to remove the disk from its current machine and mount it in another machine as a secondary -- then clean it and return it to its original home.

Denise

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
RE: HELP VIRUS ON NT MACHINE?
For those of you that were unfortunately hit with the latest worm: there is usually no recourse but to wipe the machine clean and reload your software. Trend Antivirus has released a cleaner for the virus. Here is the info.

Trend Micro has developed a cleaning tool that will allow you to clean systems infected by PE_NIMDA.A. The cleaning tool and instructions, manual cleaning instructions, and the latest pattern file can be found on our FTP site at:

ftp://us-web\[EMAIL PROTECTED]
Password: tmcustomer
Directory: Premium Customer\tool

Files:
Cleaning tool: FIX_NIMDA.zip
Cleaning tool description and instructions: Readme_nimda.txt
Manual cleaning documentation: How to Clean.txt
Latest pattern file: ptn_942.zip

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 5:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
HEY, not true, not true. We got hit on 3 servers and were able to cleanse manually and never even turned off the servers, nor did it impact our regular production.

Murray

-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

For those of you that were unfortunately hit with the latest worm: there is usually no recourse but to wipe the machine clean and reload your software. Trend Antivirus has released a cleaner for the virus. Here is the info.

Trend Micro has developed a cleaning tool that will allow you to clean systems infected by PE_NIMDA.A. The cleaning tool and instructions, manual cleaning instructions, and the latest pattern file can be found on our FTP site at:

ftp://us-web\[EMAIL PROTECTED]
Password: tmcustomer
Directory: Premium Customer\tool

Files:
Cleaning tool: FIX_NIMDA.zip
Cleaning tool description and instructions: Readme_nimda.txt
Manual cleaning documentation: How to Clean.txt
Latest pattern file: ptn_942.zip

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 5:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
Hmmm. We have not had to take such drastic action(s) here at all - 'course, let's see what the new day brings. :-)

Wendell

-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 7:21 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

For those of you that were unfortunately hit with the latest worm: there is usually no recourse but to wipe the machine clean and reload your software. Trend Antivirus has released a cleaner for the virus. Here is the info.

Trend Micro has developed a cleaning tool that will allow you to clean systems infected by PE_NIMDA.A. The cleaning tool and instructions, manual cleaning instructions, and the latest pattern file can be found on our FTP site at:

ftp://us-web\[EMAIL PROTECTED]
Password: tmcustomer
Directory: Premium Customer\tool

Files:
Cleaning tool: FIX_NIMDA.zip
Cleaning tool description and instructions: Readme_nimda.txt
Manual cleaning documentation: How to Clean.txt
Latest pattern file: ptn_942.zip

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 5:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
They could not get into the disk at all. After pressing Ctrl-Alt-Del the machine would just hang and the processor was near 100%. There was no other way to scan the disk.

Denise

-Original Message-
From: Bartolini [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 3:51 PM
To: NT System Admin Issues
Subject: Re: HELP VIRUS ON NT MACHINE?

why?

- Original Message -
From: PITNEY,LDENISE (A-Sonoma,ex1) [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2001 6:43 PM
Subject: RE: HELP VIRUS ON NT MACHINE?

Our local IT department has actually had to remove the disk from its current machine and mount it in another machine as a secondary -- then clean it and return it to its original home.

Denise

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
Re: HELP VIRUS ON NT MACHINE?
The simple presence of .eml/.nws files, or copies of readme.exe, does not in and of itself indicate an infected machine. If the files are put there because of an infected client through a file share, they may not have been run on the server yet.

100% of the clients I have seen, 25+, that have .eml files are infected, and many without the .eml files are also infected.

Just what I have seen,

Mike

- Original Message -
From: [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Thursday, September 20, 2001 9:11 AM
Subject: RE: HELP VIRUS ON NT MACHINE?

The following is from Russ Cooper off NTBugtraq - sent last night.

-BEGIN PGP SIGNED MESSAGE-

It's been an exhaustive couple of days, for you all I'm sure.

The Problem
---

I've just gotten off the phone with numerous experts from the major companies (including AV experts and CARO members) in an effort to answer the question: Is it possible to trust a cleansed server?

See, due to the things Nimda does, it may well leave your machine open to easy access. Even if the virus/worm components have been removed/cleansed, if another attack occurs that exploits the open shares (for example), who knows what the attack might do or leave behind. The effects of such an attack are not going to be obvious to an AV product.

Basically, cleansers available now do not address some of the more insidious components of Nimda:

- Guest account being enabled. In the case of an infected Domain Controller, this means the account is enabled in the Domain.
- Guest account being added to the Administrators group. Again, on DCs the Guest user is added to the Domain Admins group.
- Modification to registry keys. Some reports say that values under LanManServer\Parameters are deleted, in an effort to remove any AutoShareServer value that might prevent the availability of C$, etc., while other reports talk only of the creation of new shares (C$, D$, etc.) under that key.
- Numerous critical system files are modified, including files in the dllcache directory, and it's questionable whether or not these can be restored to good health by an untested cleanser (the suggestion that SSL functionality might not work after cleansing).

Then there is the question as to whether or not all of the effects of Nimda have actually been determined. With its buggy operation, it's possible it might do other things inconsistently, in a way that might leave cleansers lacking.

Testing we performed today suggested that cleansers that were available all did a reasonable job of disinfecting an infected file, but the testing was limited to that, since cleansing infected systems would require an extremely wide variety of installations.

Additional Threats
---

With the open shares available, it would be possible for an attacker to gain entry to your system and retrieve or deposit other tools or data (like copying your SAM). These effects will be undetectable as part of AV Nimda cleansing, and could only be uncovered as a result of an extensive forensic effort. You should seriously consider the possibility that this has already happened to machines which might hold sensitive information if you have left them connected, or reconnect prior to a comprehensive cleansing and inspection.

Decision Time
---

The bottom line, folks, is that as of the time of writing, you have to make a decision:

a) I need the system up and running now! Fine, disconnect it from infection vectors, restore it from tape or reformat and install fresh, patch it. Restore the data (even if it's infected), run the currently available cleanser, and scan it again with your AV product. If it passes, reconnect it to the 'net and carry on.

b) I can leave the machine turned off until Friday. Better, wait for a comprehensive cleanser from your AV Vendor (assuming they make one). McAfee may already have one available and Symantec will have one shortly. Other AV Vendors may/will probably also produce one.

The complexity of this thing has been such that multiple versions of cleansers have been required in order to do it right. The same may be true of these additional cleansers.

The Problem with Rebooting
---

We noticed in our testing one cleanser that only worked if the machine was rebooted. Problem is that with a fully infected system, a reboot is not likely to bring up a live system. Depending on which files have been infected, a system might fail a reboot completely, partially, or succeed completely. It's probably safe to assume that rebooting an infected server is going to lead to a complete system failure and cause you to re-install the OS. Without rebooting it may not be possible to cleanse all of the files that might cause re-infection.

McAfee's recommendation is to stop IIS and all running applications and install patches, many of those patches require a reboot
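The two posts above give a defender a concrete checklist: Mike's caveat that .eml/.nws files and readme.exe copies show an infected peer wrote to the host but not that the worm ran there, and Russ Cooper's list of side effects (Guest enabled, Guest in Administrators, AutoShareServer removed under LanManServer\Parameters so the drive shares come back, dllcache and web content modified) that a file cleanser never touches. The script below is an added, read-only audit of exactly those points; it is not from the list thread or from any AV vendor's tool. It assumes PowerShell 5.1 or later (Get-LocalUser and Get-LocalGroupMember come with the LocalAccounts module) running elevated; the scan roots and the 2001-09-18 cut-off are constructed sample values.

```powershell
# Added example, not from the thread or any vendor tool: report-only audit of the
# Nimda side effects discussed above. Nothing is modified; findings are returned
# so the operator can decide between cleansing and rebuilding.
# Assumes PowerShell 5.1+ with the LocalAccounts module, run in an elevated session.
function Invoke-NimdaExposureAudit {
    param(
        # Constructed sample roots: the web root and the temp folder the thread mentions.
        [string[]] $ScanRoots = @("$env:SystemDrive\Inetpub", "$env:SystemRoot\Temp"),
        # Constructed cut-off: files written on or after this date are reported.
        [datetime] $SuspectSince = (Get-Date '2001-09-18')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Guest account state: the worm enables Guest and adds it to Administrators
    #    (Domain Admins on a DC). Either condition alone is worth escalating.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings.Add('Guest account is ENABLED') }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
        $findings.Add('Guest is a member of the local Administrators group')
    }

    # 2. LanManServer\Parameters: reports say AutoShareServer is deleted so that C$, D$,
    #    ... are recreated. An absent or non-zero value means admin shares are auto-created.
    #    On server SKUs that is the default, so this only matters if you had disabled them.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.AutoShareServer) {
        $findings.Add("AutoShareServer is not set under $lanman (admin shares will be created)")
    } elseif ($params.AutoShareServer -ne 0) {
        $findings.Add("AutoShareServer = $($params.AutoShareServer) (admin shares enabled)")
    }
    # Live drive-letter shares, read from 'net share' output (available on NT 4 onward).
    $driveShares = (& net share 2>$null) | Where-Object { $_ -match '^[A-Z]\$\s' } |
        ForEach-Object { ($_ -split '\s+')[0] }
    if ($driveShares) {
        $findings.Add("Drive shares exposed: $($driveShares -join ', ')")
    }

    # 3. File indicators. Per Mike's caveat, dropped .eml/.nws files or readme.exe copies
    #    prove that an infected peer wrote here, not that the worm executed on this host.
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Extension -in '.eml', '.nws' -or $_.Name -ieq 'readme.exe') {
                    $findings.Add("Dropped file: $($_.FullName)")
                } elseif ($_.Extension -in '.htm', '.html', '.asp' -and $_.LastWriteTime -ge $SuspectSince) {
                    # Served pages rewritten after the cut-off: the thread reports the worm edits them.
                    $findings.Add("Web page modified $($_.LastWriteTime.ToShortDateString()): $($_.FullName)")
                }
            }
    }

    # 4. dllcache: protected system files changed after the cut-off, which a file
    #    cleanser may not restore and which argue for a rebuild rather than a cleanse.
    $dllcache = Join-Path $env:SystemRoot 'system32\dllcache'
    if (Test-Path -LiteralPath $dllcache) {
        Get-ChildItem -LiteralPath $dllcache -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $SuspectSince } |
            ForEach-Object { $findings.Add("dllcache file modified $($_.LastWriteTime.ToShortDateString()): $($_.Name)") }
    }
    return $findings
}

# Usage: run elevated; an empty result means none of the listed indicators were found,
# which is not the same as a clean machine (see the forensic caveat above).
$result = @(Invoke-NimdaExposureAudit)
if ($result.Count -eq 0) { 'No Nimda exposure indicators found.' } else { $result }
```

Sections 1 and 2 are the ones a cleanser leaves behind, so they are the ones to check before reconnecting a box to the network; sections 3 and 4 just put a number on how much the worm touched, which is the input to the rebuild-or-cleanse decision the NTBugtraq post frames.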
RE: HELP VIRUS ON NT MACHINE?
A true idiot

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 20, 2001 10:58 PM
To: NT System Admin Issues
Subject: Re: HELP VIRUS ON NT MACHINE?

Yeah I cleaned my server up too. I used a redcodecleanup program and then used Norton to do the rest. It runs fine now. This damn virus even edits all the html pages in your webserver. Who made this stupid thing?

- Original Message -
From: Murray Freeman [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Thursday, September 20, 2001 10:23 AM
Subject: RE: HELP VIRUS ON NT MACHINE?

HEY, not true, not true. We got hit on 3 servers and were able to cleanse manually and never even turned off the servers, nor did it impact our regular production.

Murray

-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

For those of you that were unfortunately hit with the latest worm: there is usually no recourse but to wipe the machine clean and reload your software. Trend Antivirus has released a cleaner for the virus. Here is the info.

Trend Micro has developed a cleaning tool that will allow you to clean systems infected by PE_NIMDA.A. The cleaning tool and instructions, manual cleaning instructions, and the latest pattern file can be found on our FTP site at:

ftp://us-web\[EMAIL PROTECTED]
Password: tmcustomer
Directory: Premium Customer\tool

Files:
Cleaning tool: FIX_NIMDA.zip
Cleaning tool description and instructions: Readme_nimda.txt
Manual cleaning documentation: How to Clean.txt
Latest pattern file: ptn_942.zip

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 5:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
Re: HELP VIRUS ON NT MACHINE?
Read the emails from yesterday. This was a well documented and discussed problem. Also, applying the patches Microsoft made available quite some time ago will help as well. Maybe even check out the HouseCall tool that Trend Micro has.

K.Borndale
[EMAIL PROTECTED] - home email

- Original Message -
From: Tiffany Belcher
To: NT System Admin Issues
Sent: Wednesday, September 19, 2001 5:34 PM
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
Since this morning everybody is unanimous in saying to sweep clean the hard disk and reinstall, which I am doing right now on one of the machines.

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 3:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
Our local IT department has actually had to remove the disk from its current machine and mount it in another machine as a secondary -- then clean it and return it to its original home.

Denise

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
Re: HELP VIRUS ON NT MACHINE?
I applied the Code Red patch and did the cleanup and now it runs fine. It left a bunch of crap in the winnt\temp folder but I deleted that too.

- Original Message -
From: Mal Sasalu [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2001 6:08 PM
Subject: RE: HELP VIRUS ON NT MACHINE?

Since this morning everybody is unanimous in saying to sweep clean the hard disk and reinstall, which I am doing right now on one of the machines.

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 3:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
Re: HELP VIRUS ON NT MACHINE?
Also, now I try to update to Explorer 6 and it tells me an installation has not completed, reboot, but even after rebooting it says it again. CRUD

- Original Message -
From: Mal Sasalu [EMAIL PROTECTED]
To: NT System Admin Issues [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2001 6:08 PM
Subject: RE: HELP VIRUS ON NT MACHINE?

Since this morning everybody is unanimous in saying to sweep clean the hard disk and reinstall, which I am doing right now on one of the machines.

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 3:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
You're not in IT? Are you a lurker?

Greg

-Original Message-
From: PITNEY,LDENISE (A-Sonoma,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 6:44 PM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

Our local IT department has actually had to remove the disk from its current machine and mount it in another machine as a secondary -- then clean it and return it to its original home.

Denise

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
RE: HELP VIRUS ON NT MACHINE?
hehehe she knows how to fix it tho.. that's what we're doing successfully here. put it in another machine, clean about 2000 files off the hard drive and put it back in... working on workstations.

-Original Message-
From: Greg Page [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 September 2001 10:22 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

You're not in IT? Are you a lurker?

Greg

-Original Message-
From: PITNEY,LDENISE (A-Sonoma,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 6:44 PM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

Our local IT department has actually had to remove the disk from its current machine and mount it in another machine as a secondary -- then clean it and return it to its original home.

Denise

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up. HELP
Re: HELP VIRUS ON NT MACHINE?
Okay, so I got the patch and cleaned up the server. It left about 7000 files on it. I searched on 9/19/2001 and found them and deleted them all. So the question is: DO I WIPE IT AND REINSTALL? It works. The websites work fine. The only problem so far is when I try to update to Explorer 6 it says that a previous update didn't finish. There is so much on this server that it would be a pain to reinstall it again. Advice?
RE: HELP VIRUS ON NT MACHINE?
my advice is to see if the hard drives are going flat out and if not then it's not got it in memory... when you say patch, you mean the Microsoft patch or what? there is a nimda virus scanner which goes like a bought one from www.antivirusexpert.com that we're running in favour of Symantec for the time being cos it's so damn fast. get that and run it on your server as well

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 September 2001 1:06 PM
To: NT System Admin Issues
Subject: Re: HELP VIRUS ON NT MACHINE?

Okay, so I got the patch and cleaned up the server. It left about 7000 files on it. I searched on 9/19/2001 and found them and deleted them all. So the question is: DO I WIPE IT AND REINSTALL? It works. The websites work fine. The only problem so far is when I try to update to Explorer 6 it says that a previous update didn't finish. There is so much on this server that it would be a pain to reinstall it again. Advice?
RE: HELP VIRUS ON NT MACHINE?
further info: i've just tried the Trend Micro scanner and it doesn't seem as fast and is command line based... both seem to work.

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 September 2001 1:06 PM
To: NT System Admin Issues
Subject: Re: HELP VIRUS ON NT MACHINE?

Okay, so I got the patch and cleaned up the server. It left about 7000 files on it. I searched on 9/19/2001 and found them and deleted them all. So the question is: DO I WIPE IT AND REINSTALL? It works. The websites work fine. The only problem so far is when I try to update to Explorer 6 it says that a previous update didn't finish. There is so much on this server that it would be a pain to reinstall it again. Advice?