
ALERT: NEW WORM

Old 19 September 2001, 02:54 PM
  #31  
mega_stream
Scooby Regular
 
Join Date: May 2001
Location: Scotland
Posts: 4,580

Damn

I've just found some .eml files in various directories on an unpatched IIS5 intranet web server we have... I've patched it now. I have no admin.dll file though, just these eml files, all of which arrived at 17:05 last night.

Can anyone tell me how to clean these off?
I can't see anything on the Microsoft site..

Thanks

Old 19 September 2001, 03:48 PM
  #32  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

Our IIS logs show that 14:11 yesterday was the start of the scans on our web servers.

ChrisB.
Old 19 September 2001, 05:13 PM
  #33  
kryten
Scooby Regular
Thread Starter
 
Join Date: May 2000
Posts: 869

I started getting them at 13:15 yesterday. Since then I have had over 1500 infection attempts!! Fortunately _my own_ servers are secure.

Best thing to do is go to the URL Jack posted as it has really good info. Top marks to McAfee for being the first out with DAT files and then following it quickly with some extra bits to aid Cleaning.

SARC also has information.

The virus infects the web servers via TFTP, which is why people are recommending closing that port. However, that only gets rid of one infection method.

On a single laptop, I have 1216 infected files and under 25% of them have been cleaned automatically. Anything reported as 'W32/Nimda.htm (ED)' has Clean failed as the status

Puff, best thing is to go through the instructions, deploy the virus scanners on ALL machines etc etc (feel free to call me if you want some advice).

I'd also recommend a book called 'Securing Windows NT/2000 Servers for the Internet'. ISBN 1565927680

You may not be able to do everything in it, but it will help you plug _most_ of the holes in the OS/IIS - certainly you would have deleted the \inetpub\scripts directory, which is one of the main forms of infection - it's so reassuring to be handing out 404s for each infection attempt!

Has anyone tried the new MS tool that filters out 'weird' URLs before they hit IIS?

This one is going to take a while to sort out.
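ChrisB and kryten both read the start of the scans and the day's count of infection attempts straight off their IIS logs, and kryten notes that with \inetpub\scripts deleted every attempt draws a 404. The Python script below is an added example, not code from anyone in the thread: it parses IIS W3C extended log lines using the #Fields directive IIS writes, flags the root.exe / cmd.exe and encoded ".." traversal requests that Nimda-style probes make (patterns taken from the public write-ups of the worm), and reports the first-seen time, the count per day and per source address, and any probe that did not get a 404. A 200 on one of those paths is the line to investigate first, because it means the request reached something. The log lines are constructed sample data.

```python
"""Scan IIS W3C extended log lines for worm-style probe requests.

Added example (not from the thread). Reads the '#Fields:' directive so the
column order of a real log does not matter, flags Nimda-style probes and
reports first-seen time, per-day / per-source counts and non-404 answers.
"""
import re
from collections import Counter

# Constructed sample log in IIS 5 W3C extended format (not a real server's log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:05:44 192.0.2.10 GET /index.htm - 200
2001-09-18 14:11:02 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 14:11:02 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:11:03 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:11:03 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:11:04 198.51.100.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 15:30:10 192.0.2.11 GET /products/readme.htm - 200
2001-09-19 02:40:19 203.0.113.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-19 02:40:20 203.0.113.9 GET /scripts/root.exe /c+dir 404
"""

# Every probe in the public Nimda request list reaches for root.exe or cmd.exe,
# usually via an encoded '..' under one of four well-known virtual directories.
PROBE_RE = re.compile(
    r"(?:root|cmd)\.exe"
    r"|/(?:scripts|msadc|_vti_bin|_mem_bin)/\.\.(?:%|/)",
    re.IGNORECASE,
)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole scan
        yield dict(zip(fields, values))


def analyse(text):
    """Summarise probe requests: first-seen stamp, per-day and per-source counts, non-404 answers."""
    first_seen = None
    per_day, sources, non_404 = Counter(), Counter(), []
    for rec in parse_w3c(text):
        if not PROBE_RE.search(rec["cs-uri-stem"]):
            continue
        stamp = f"{rec['date']} {rec['time']}"  # ISO layout, so string order is time order
        if first_seen is None or stamp < first_seen:
            first_seen = stamp
        per_day[rec["date"]] += 1
        sources[rec["c-ip"]] += 1
        if rec["sc-status"] != "404":
            non_404.append((stamp, rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return {"first_seen": first_seen, "per_day": dict(per_day),
            "sources": dict(sources), "non_404": non_404}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("first probe seen:", result["first_seen"])
    for day, count in sorted(result["per_day"].items()):
        print(f"{day}: {count} probe(s)")
    for hit in result["non_404"]:
        print("NON-404 ANSWER, investigate:", *hit)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; IIS rotates W3C logs daily by default, so the per-day counts come out one file at a time.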
Old 20 September 2001, 01:17 AM
  #34  
philc
Scooby Regular
 
Join Date: Mar 2001
Location: NZ
Posts: 767

We got hit by NIMDA at 14:50 NZ local time on Wednesday - it appears to be only polluting the servers at the moment with files with an eml extension.

there is a patch on SARC but it's manual

.... back to the coalface

regards
Old 20 September 2001, 09:40 AM
  #35  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

We - McAfee - have released a tool to help clean workstations affected by this piece of Malware.

Here's what it can do for you:-

1) On WinNT/2K it kills the MMC.EXE task
On Win9x/ME it kills the LOAD.EXE task
(note: other valid processes may also use these names)
2) Scans the specified directory and all subdirectories for infected files
3) Repairs all W32/Nimda@MM files found
4) Removes all hidden open shares
5) Removes registry keys created by the worm:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C-Z$"
6) Removes the GUEST user account from the ADMINISTRATORS group in WinNT/2K
7) Removes the "LOAD.EXE -dontrunold" command from the SYSTEM.INI files under Win9x/ME

It's available to all from here
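Jack's list of what the tool removes doubles as a checklist for confirming a machine really is clean afterwards. The Python script below is an added example, not McAfee's tool, and it checks for the three host-side leftovers the list names: the LanMan C$..Z$ share keys, the Guest account sitting in the Administrators group, and the LOAD.EXE -dontrunold entry in SYSTEM.INI. The check functions take plain text, so they work on a regedit export, saved "net localgroup Administrators" output and a copied SYSTEM.INI collected from any machine; the samples in the block are constructed to show what a hit looks like. collect_live() gathers the same three inputs on a running Windows system and assumes winreg, net.exe and %WINDIR%\SYSTEM.INI are available there.

```python
"""Check a host for the Nimda leftovers the clean-up tool in the thread removes.

Added example, not McAfee's tool. The check functions take text, so they run
against an exported .reg file, saved 'net localgroup' output and a SYSTEM.INI
from any machine; collect_live() fetches the same inputs on a Windows box
(assumes winreg, net.exe and %WINDIR% are available).
"""
import os
import re
import string
import subprocess
import sys

# Registry location named in the thread; the worm adds one subkey per shared drive letter.
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan"
LANMAN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Network\LanMan"
HIDDEN_SHARE_NAMES = {letter + "$" for letter in string.ascii_uppercase[2:]}  # C$ .. Z$
INI_MARKER = "load.exe -dontrunold"

# --- constructed sample inputs (not taken from any real machine) ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Path"="C:\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\D$]
"Path"="D:\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\PUBLIC]
"Path"="C:\\Shared"
"""
SAMPLE_NET_LOCALGROUP = """Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
[386Enh]
"""


def find_hidden_share_keys(reg_export):
    """Return the C$..Z$ subkey names present under the LanMan key in a regedit text export."""
    found = []
    for line in reg_export.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m and m.group(1).lower().startswith(LANMAN_KEY.lower() + "\\"):
            name = m.group(1).rsplit("\\", 1)[1].upper()
            if name in HIDDEN_SHARE_NAMES:
                found.append(name)
    return found


def guest_in_administrators(net_output):
    """True if Guest is listed between the dashed rule and the 'command completed' line.

    Names are split on whitespace, which is fine for a one-word name like Guest."""
    in_members = False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_members = True
        elif in_members:
            if "command completed" in line.lower():
                break
            if any(tok.lower() == "guest" for tok in line.split()):
                return True
    return False


def system_ini_load_line(system_ini):
    """Return the SYSTEM.INI line carrying the worm's LOAD.EXE -dontrunold entry, or None."""
    for line in system_ini.splitlines():
        if INI_MARKER in line.lower():
            return line.strip()
    return None


def audit(reg_export, net_output, system_ini):
    """Run all three checks; an empty list / False / None means that indicator is absent."""
    return {"hidden_shares": find_hidden_share_keys(reg_export),
            "guest_is_admin": guest_in_administrators(net_output),
            "system_ini_load": system_ini_load_line(system_ini)}


def collect_live():
    """Windows only: gather the three inputs from the running system."""
    import winreg  # assumption: CPython on Windows
    names = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LANMAN_SUBKEY) as key:
            while True:
                try:
                    names.append(winreg.EnumKey(key, len(names)))
                except OSError:
                    break
    except OSError:
        pass  # key absent: nothing shared via LanMan
    reg_export = "\n".join(f"[{LANMAN_KEY}\\{n}]" for n in names)  # re-express as .reg lines
    net_output = subprocess.run(["net", "localgroup", "Administrators"],
                                capture_output=True, text=True).stdout
    ini_path = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "SYSTEM.INI")
    try:
        with open(ini_path, encoding="latin-1") as fh:
            system_ini = fh.read()
    except OSError:
        system_ini = ""  # NT/2000 may have no SYSTEM.INI; the 9x check then reports clean
    return reg_export, net_output, system_ini


if __name__ == "__main__":
    inputs = collect_live() if sys.platform == "win32" else (
        SAMPLE_REG, SAMPLE_NET_LOCALGROUP, SAMPLE_SYSTEM_INI)
    for name, finding in audit(*inputs).items():
        print(f"{name}: {finding if finding else 'clean'}")
```

On anything other than Windows the script runs the checks over the constructed samples, which is also the quickest way to confirm the parsing against an export you have saved from an affected machine.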
Old 20 September 2001, 11:39 AM
  #36  
Puff The Magic Wagon!
Moderator
Support Scoobynet!
Join Date: May 2000
Location: From far, far away...
Posts: 16,978

Jack

Your ftp server's a bit busy this AM? Your site is well slow.

I'm not helping
Old 20 September 2001, 06:00 PM
  #37  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

Our HTTP servers have much more bandwidth than the FTPs, and even they're struggling. 75 million registered customers all trying to update, I guess. You could try ftpeur.nai.com, not as many people know about that one.

I remember running the Dr Solomon BBS before this internet thingie, only had one modem
Old 20 September 2001, 09:14 PM
  #38  
kryten
Scooby Regular
Thread Starter
 
Join Date: May 2000
Posts: 869

Seems to be subsiding a little.

Todays infection attempts are down to 400 (since midnight) as people finally get round to patching servers.

I'd advise anyone responsible for servers (plus anyone else who can make the time!) to get on the MS Security bulletin email list and download a tool called HFNetChk that tells you which patches you are missing!!

Take a look at the MS Security site
Old 20 September 2001, 09:32 PM
  #39  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

The code contained the word 'Concept', as did the first Macro Virus to hit the public. That had no payload, just a statement: "That's enough to prove my point". Won't be long before some ****** adds to this code.
Old 20 September 2001, 09:36 PM
  #40  
Puff The Magic Wagon!
Moderator
Support Scoobynet!
Join Date: May 2000
Location: From far, far away...
Posts: 16,978

Martin

Thanks for your help yesterday

Have finally managed to get a clean CD to run from with all the patches & updates & Dats etc. Download speed today was a little problematical. Remember 28k modems??? Only way (I could see) to get downloads onto a clean PC & onto a burner. That together with all the hits on Jack's servers meant download speed of sub 1k sec-1.

Biggest prob was Novell, which, whilst relatively unaffected as an OS, kept bunging out system messages as the virus replicated throughout; this caused the most grief. Sent admin & sales home, closed down non-essentials/internet etc & hoped.

Have started isolating & cleaning individual PCs (now have a staff member assigned to me - result) & will re-assemble the network on Monday - when I officially return to work. Until then, we can deal with our core business but the outside world (& emails & additional functionality) will remain separate. Staff member is doing a great job bearing in mind ability/experience, but at least I've got one now.

2 days holiday in lieu...
Old 21 September 2001, 12:03 AM
  #41  
BryanC
Scooby Regular
 
Join Date: Nov 2000
Posts: 168

It's important to note that this isn't *just* a virus, but a worm too - not only can you get it from email, but it tries to spread its way round a network through IIS servers.

My company have recently set up a net traffic analyser, and from analysing the logs on that you can see it uses *16* different exploits in an effort to zap IIS and make it do its dirty work.... The CodeRed exploits are just one of the methods it uses....

May I recommend any techie net admin type people take a trip to
Old 21 September 2001, 12:08 AM
  #42  
mutant_matt
Scooby Regular
 
Join Date: Sep 2000
Location: London
Posts: 7,039

Hi Bry,

I posted a warning to people in General this morning and now I see you in this thread...

So, you're obeying the "Just for Business Use" message from James then...

Matt
Old 21 September 2001, 12:09 AM
  #43  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

Fast Bloke, I used to work for a Windscreen repair firm, every night I'd stand on a street corner throwing stones, much more money in 'puters.

Old 21 September 2001, 09:08 AM
  #44  
kryten
Scooby Regular
Thread Starter
 
Join Date: May 2000
Posts: 869

Puff, no problem! Don't forget to order that book...

As for the people may patch their systems thing, I still get between 10 and 20 Code Red infection attempts per day: not everyone bothers!

The AV companies really seem to have responded well to this - I assume it was an all hands to the pumps job like for the rest of us (free pizza at midnight!). DATs were out within about 10 hours of first discoveries, which is excellent.

I reckon it won't take more than a week for Nimda2 to come out, with someone attaching a 'nasty' to the infection code.
Old 21 September 2001, 11:24 AM
  #45  
fast bloke
Scooby Regular
 
Join Date: Nov 2000
Posts: 26,619

Quote, originally posted by ChrisB:
In a strange way that might be kind of good. If it screwed up many of the un-patched IIS boxes out there, people might read up and install them properly next time.

Could this be a conspiracy by NAV and cohorts to make sure we all buy their products? After all - who in the world would be best placed to understand viruses and replication methods, then produce a fix within 12 hours? I think we should be told.
Old 21 September 2001, 12:15 PM
  #46  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

Quote:
The only good thing is that _this_ one was relatively benign in that it doesn't carry a nasty payload - imagine the consequences if it had started deleting files after 24 hours.....

In a strange way that might be kind of good. If it screwed up many of the un-patched IIS boxes out there, people might read up and install them properly next time.

Jack, I notice the 4162 DATs are out now. Your guys at AVERT must be earning their keep with a DAT release almost every night.

Puff, if you want an alternate download site let me know.

ChrisB.
Old 21 September 2001, 12:25 PM
  #47  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

Yup, those guys work their **** off when something like this comes out. The amount of testing that has to be done for each release is a sight to see. All done right here in good old Aylesbury.
Old 21 September 2001, 01:08 PM
  #48  
fast bloke
Scooby Regular
 
Join Date: Nov 2000
Posts: 26,619

LOL@Jack