
W32.Nimda.A@mm


mike722

MIS
Sep 8, 2001
65
BR
Got hit with this virus on our network this morning. Anyone got any experience of ridding this from a network? Norton's doesn't seem to do everything necessary to clean it. So far my understanding is that it creates loads of .eml files on network shares, and creates and replaces Riched20.dll. I can't figure out the processes it takes and how to clean it totally.

MD
 
When I hit the "Site Policies" link a few minutes ago, I got this virus: W32.Nimda.A@mm(html). Since I have an updated Norton AV, I am clean. I sent a message to the "feedback" area, but I thought I would post this here, too, just in case the "feedback" e-mail is only read once per day.
 
I have notified the Techumseh group of this problem.
 
This one is nasty to the core. It can be spread by simply opening the e-mail and not even running the attached thingy.

When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. This virus w32.nimda.a@mm

The virus attacks IIS 4 and IIS 5 (Internet Information Server version 4 and 5)

Here is a link on Symantec that explains it well


DougP, MCP

Visit my WEB site to see how Bar-codes can help you be more productive
 
We seemed to get it under control in the end. It seems as though Norton's anti-virus doesn't do a good job of cleaning this virus, but it can detect it and quarantine only parts of it. When the virus creates loads of .eml files all over the network, Norton's is happy to let it do that (yes, we have the latest definition). We found that McAfee's did a great job of tracking down the virus and ridding it from the network. It doesn't even allow the virus to make new .eml files.

If you have a client with this virus (and don't have McAfee's), go into the system.ini (on Win98) and you will find that the PC has an extra bit in the "shell=explorer.exe" line. I can't remember what it adds, but just delete the extra bits. Then you need to check the riched20.dll file on the machine and make sure that it is the original (look at the modified date). If it has been modified by the virus, then you should copy an original of it onto the PC (in the windows\system folder). Delete all *.eml files that the virus has created on the network (look at the date, and also the size will be the same for all infected files). After that I set up one share on a server and enabled file creation auditing on it; that way we could see which users were writing the files (i.e., who had the virus still) and then go to their PCs and clean them. Hope this helps anyone who is struggling with this virus.

I think the reason we got hit quite badly with this is because the virus got to our network before the latest definition was applied to the network.

MD
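The two file-system checks from the post above (extra text on the system.ini shell= line, and clusters of same-size .eml files on a share), as an added Python example written for this thread, not code from any poster or vendor. The system.ini content and the share tree are constructed samples, and the text appended to shell= is a placeholder because the thread does not say what the worm actually adds.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Constructed sample of a Windows 9x system.ini [boot] section; the thread does
# not give the worm's real extra text, so the appended token is a placeholder.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe EXTRA_TEXT_PLACEHOLDER
drivers=mmsystem.dll
"""

def check_shell_line(ini_text):
    """Return the shell= value if it is anything other than a bare
    explorer.exe (the poster's 'extra bits'), or None if it looks clean."""
    for line in ini_text.splitlines():
        m = re.match(r"\s*shell\s*=\s*(.*?)\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
            return None if value.lower() == "explorer.exe" else value
    return None

def find_eml_clusters(root, min_count=3):
    """Walk a share and group *.eml files by byte size; return {size: [paths]}
    for sizes shared by at least min_count files (the poster notes the worm's
    .eml files are all the same size), so a lone legitimate .eml is ignored."""
    by_size = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".eml"):
                path = os.path.join(dirpath, name)
                by_size[os.path.getsize(path)].append(path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_count}

def demo_share_scan():
    """Build a constructed sample share in a temp dir (not real worm output),
    scan it, and return {size: number_of_files} for each cluster found."""
    root = tempfile.mkdtemp(prefix="eml_scan_demo_")
    os.mkdir(os.path.join(root, "users"))
    for i in range(4):  # four same-size .eml files spread over two folders
        folder = root if i % 2 else os.path.join(root, "users")
        with open(os.path.join(folder, "readme%d.eml" % i), "wb") as f:
            f.write(b"x" * 512)
    with open(os.path.join(root, "real.eml"), "wb") as f:  # lone, other size
        f.write(b"y" * 100)
    try:
        return {size: len(paths) for size, paths in find_eml_clusters(root).items()}
    finally:
        shutil.rmtree(root)
```

Point find_eml_clusters at a mounted share root to list the candidate files by size before deleting anything, and compare the riched20.dll modified date by hand as the post describes.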
 
pirogue,

Thank you for letting us know so promptly that our site was having a problem. The problem has been fixed.

Our Technical Director Doug Trocino and I are just perplexed what motivates some to be so destructive. It doesn't make any sense.

Thanks again. It's having nice members like you and others who watch out for us that keep this site up and growing. :)

Dave Murphy, CEO
Tek-Tips Forums
 
After reading through many descriptions of this virus, I am confused on a few points that maybe someone can clear up.

First, people can get the virus by just browsing to an infected web page using IE 5 or 5.5, correct? What about IE 6 or IE 4? Also, Microsoft's site says that IE 5.01 SP1 and IE 5.5 SP1 are vulnerable, but what if the service pack is not installed? We have a network where a wide variety of IE versions are used, so basically I'm trying to figure out which machines need my attention right away.

Also, as I understand it, if you have the preview pane turned on in Outlook 2000, it can automatically download the virus. Outlook 97 doesn't have a 'preview pane', but it does have an 'auto preview' that displays the first few lines of the message. Does having this on make you vulnerable?

Thanks for the help

Mike Rohde
"I don't have a god complex, god has a me complex!"
 
Also, I assume Outlook Express 5 is affected by this. What about 6?

Mike Rohde
"I don't have a god complex, god has a me complex!"
 
Has anyone else had the virus within their networks? This thing is causing havoc on ours. Good thing I don't need an NT server to do my job. AS400s are immune to this wave.

Mike Wills
RPG Programmer (but learning Java)

"I am bad at math because God forgot to include math.h into my program!"
 
If I read bulletin MS01-027 correctly, only IE 5.01 and 5.5 (pre SP2) are vulnerable. IE 5.5 SP2 and IE6 are supposed to be fixed. See:


Also Security Focus has issued more information in a PDF.

I also notice that Sophos, Trend Micro, and Symantec have issued clean-up programs. See their sites for more info.

James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
We got hit with W32/NIMDA@MM on an NT & Oracle 7.3.4 server yesterday. I notified the admin there and he said he would look into it. He found something that Oracle 7.3.4 had a problem with NT service pack 6 and is requesting more info. I am currently in the process of cleaning this machine. Any other Oracle servers that have been hit and problems you discovered?

Terry M. Hoey
 
I have installed IE 5.0 SP2 on all PCs here.

Does this mean that it is OK [in Outlook 2000] to have the preview pane on? Or should I be telling users to disable this function?

Thanks
 