
Virus keeps coming back


stevenriz

IS-IT--Management
May 21, 2001
We are running Exchange Server 5.5 on WinNT 4.0 SP6a, with Web Access and IIS 4.0. Once we got the Nimda virus, I updated all Win2kPro clients with the latest McAfee SDAT as well as the latest hotfixes on WinNT 4.0 Server reported to me by the hfnetchk utility from the MS site. It STILL gives me three warnings for IIS: Q155197, Q242294 and Q296441!!! I tried to install them but they won't take! I also updated McAfee NetShield with the latest SDAT. Once we got the virus, I shut down IIS until I could get all the clients completely updated. Once I did, after about a week or so, I felt it was ok to turn IIS/Web Access back on. Well, after a single night I come in and the NT server with Exchange on it had the virus again: .eml, .nws and riched??.dll files everywhere. I restarted the server and stopped Web Access and IIS. Any clue what to do now?? Netware?? I am a CNE for that matter and walked into this job with an open mind. Thanks!
steve
 
Are you hosting your own website?
And have you upgraded everyone to IE 6.0?
Also, have you checked for Code Red and Code Blue?
Do you have a firewall or proxy server running?
 
I have had the same problem. I pulled the hard drive from any previously infected machine and ran the Norton utility to remove the Nimda virus from a clean system. This worked for me. The utilities don't seem to fix any infected system files that may be in use by the OS. I will warn you that on one CPU that was supposedly fixed before, when I used this barbaric technique it had to repair so many system files that it destroyed the OS, but this is also why I think this is the only way to actually get rid of the virus. Hope this helps.
Andrew Nelson
MIS

 
Thanks, I would love to yank the hard drive and scan it that way but it is close to impossible because it is the primary server. As long as webaccess and IIS are down, we are ok. The virus remains extinct. Yes this machine did have a web enabled piece of software on it called Trackgear for problem tracking and reporting. Unfortunately now it is not portable to another webserver, it will only run on IIS. Maybe I will consider upgrading to IIS 5.0.
 
I think you need to lock down the OWA machine: disable NetBIOS either at the firewall or on the external NIC. Make sure you download all the latest security fixes, set RestrictAnonymous=2 on the LSA key in the registry, and so on.

Sounds like your box is too open and needs locking right down.
 
Yes, you are correct there. Some of the hotfixes just won't apply. They say they apply when I apply them, but when I run another hfnetchk scan it continually returns warnings that a few still weren't applied. I hate it, I tell ya. We don't have a firewall per se, but NAT is active in the router.
 
Yes, I applied the IIS patch Q301625i.exe and Q301625is.exe. NetShield is loaded with the latest SDAT files. This is what will happen: I will start up IIS and Web Access. Give it, say, one day and the server will start going nuts copying those .eml, .nws and riched20.dll files all over the place and infecting any html and exe files. I might have another hole somewhere, I just don't know where. Maybe I should reapply SP6, then the rollup, the hotfixes and this security update all over again. What do you think?
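An added triage script, not posted by anyone in this thread, for the two questions the thread keeps circling: is the box still carrying Nimda artifacts (the .eml/.nws copies, riched20.dll dropped next to documents, and the window.open("readme.eml") script Nimda appends to .htm/.html/.asp pages), and is the web vector still live (the request stems Nimda and the Code Red II root.exe backdoor use, as listed in CERT CA-2001-26, showing up in the IIS W3C extended log). The directory tree and the log lines below are constructed for the demo; the assumption that the only legitimate riched20.dll lives in %SystemRoot%\system32 is mine. In practice you would point scan_tree at the server's drive (or a mapped share) and probe_hits at the files under %SystemRoot%\system32\LogFiles\W3SVC1.

```python
"""Nimda re-infection triage: file-system artifacts plus IIS log probes.

scan_tree(root, system32) walks a tree and reports Nimda leftovers.
probe_hits(lines) flags IIS W3C extended log lines matching known Nimda probes.
Sample tree and log lines are constructed here; nothing is read from a real host.
"""
import os
import re
import tempfile

DROPPED_EXTENSIONS = {".eml", ".nws"}       # copies of the worm as mail/news files
DROPPED_DLL = "riched20.dll"                 # trojaned DLL dropped beside .doc files
WEB_PAGE_EXTENSIONS = {".htm", ".html", ".asp"}
# Script Nimda appends to web pages so a visiting browser opens readme.eml.
INJECTED_SCRIPT = re.compile(r'window\.open\(\s*"readme\.eml"', re.IGNORECASE)

# Request stems from the CERT CA-2001-26 probe list. The "?/c+dir" query is not
# matched because IIS logs cs-uri-query in a separate field.
PROBE_PATTERNS = [
    ("root.exe backdoor (Code Red II)", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),
    ("cmd.exe via drive share", re.compile(r"/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("cmd.exe via traversal", re.compile(r"\.\.%[0-9a-f%]+.*?/winnt/system32/cmd\.exe", re.I)),
]


def scan_tree(root, system32):
    """Return Nimda artifacts under root, grouped by kind (sorted path lists)."""
    system32 = os.path.normcase(os.path.abspath(system32))
    found = {"dropped": [], "stray_dll": [], "injected_pages": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in DROPPED_EXTENSIONS:
                found["dropped"].append(path)
            elif name.lower() == DROPPED_DLL:
                # Assumption: the only legitimate copy is in %SystemRoot%\system32.
                if os.path.normcase(os.path.abspath(dirpath)) != system32:
                    found["stray_dll"].append(path)
            elif ext in WEB_PAGE_EXTENSIONS:
                try:
                    with open(path, "r", encoding="latin-1") as fh:
                        if INJECTED_SCRIPT.search(fh.read()):
                            found["injected_pages"].append(path)
                except OSError:
                    pass  # unreadable page: skip rather than abort the sweep
    for paths in found.values():
        paths.sort()
    return found


def probe_hits(lines):
    """Return (label, line) pairs for log lines matching a known Nimda probe."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # W3C extended log header lines
            continue
        for label, pattern in PROBE_PATTERNS:
            if pattern.search(line):
                hits.append((label, line.strip()))
                break
    return hits


def build_sample_tree():
    """Constructed sample tree (not from any real system) exercising each check."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    sys32 = os.path.join(root, "winnt", "system32")
    web = os.path.join(root, "inetpub", "wwwroot")
    docs = os.path.join(root, "share", "docs")
    for d in (sys32, web, docs):
        os.makedirs(d)
    open(os.path.join(sys32, "riched20.dll"), "wb").close()   # legitimate copy
    open(os.path.join(docs, "riched20.dll"), "wb").close()    # dropped copy
    open(os.path.join(docs, "readme.eml"), "wb").close()
    open(os.path.join(web, "readme.nws"), "wb").close()
    with open(os.path.join(web, "default.htm"), "w") as fh:
        fh.write('<html><body>hello</body></html>\n<html><script language="JavaScript">'
                 'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                 '</script></html>')
    with open(os.path.join(web, "clean.html"), "w") as fh:
        fh.write("<html><body>nothing here</body></html>")
    return root, sys32


# Constructed IIS W3C extended log excerpt with RFC 1918 addresses.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-21 02:13:07 10.0.0.77 GET /scripts/root.exe /c+dir 404
2001-09-21 02:13:08 10.0.0.77 GET /MSADC/root.exe /c+dir 404
2001-09-21 02:13:09 10.0.0.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-21 02:13:10 10.0.0.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-21 02:13:11 10.0.0.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-21 02:14:00 10.0.0.12 GET /exchange/default.asp - 200
""".splitlines()


if __name__ == "__main__":
    demo_root, demo_sys32 = build_sample_tree()
    for kind, paths in scan_tree(demo_root, demo_sys32).items():
        print(kind, paths)
    for label, line in probe_hits(SAMPLE_LOG):
        print(label, "<-", line)
```

Read the status field on the cmd.exe lines: a 404 means the request was refused, while a 200 on a traversal line means IIS actually ran cmd.exe, which is the same thing hfnetchk is telling you when it keeps listing the IIS fixes as missing. If the log shows no probes at all while the .eml/.nws files keep reappearing, the re-infection is coming in over mail or open shares rather than through IIS.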
 