How are YOU fighting nimda worm?

spidey07

No Lifer
Aug 4, 2000
This is driving me nuts!

What are you guys doing to combat the spread and further infection of the WORM? We've had both T3s shut down since 6:00 am. :(
 

Mucman

Diamond Member
Oct 10, 1999
You saw how we are fighting it :) it kicked our ass, so it wasn't much of a fight.
 

spidey07

No Lifer
Aug 4, 2000
Well, how can I confidently open internet access if Joe User can get infected by simply visiting a web page???
 

RedFoxDye

Junior Member
Aug 10, 2001
Hello All.
This thing seems to target systems previously infected with code red. So you might want to check to make sure that one is gone.

1) Do not open any mail named readme. Search for and delete Readme.eml.
2) Take your server offline, or "net pause server" from the command line.
3) Install all the updates for your system: OS, IIS, Outlook.

4) Search your root folder (c:\) for a file called admin.dll that has a "modified date" after 9/17/01.
You will see files with the same name in other directories, but only the infected file will appear in your c:\ directory, and it has a recent modified date.
Delete this file (Shift+Del).

5) Disable IIS if you are not using it.

6) Check all your website pages for this code "<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>" and remove it if it's there.

7) Check your inetpub\scripts folder and remove tftp files.

That's all I have for now.
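A defender's check for the artifacts the steps above list (the injected readme.eml popup script in web pages, readme.eml / admin.dll copies modified after 9/17/01, and tftp leftovers in inetpub\scripts), written as an added Python example that is not part of the original thread. The sample web root is constructed, and the assumption that tftp leftovers are named tftp* is mine, not the poster's.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# The JavaScript the post says Nimda appends to web pages (the readme.eml popup).
NIMDA_SNIPPET = re.compile(
    r'<script\s+language="JavaScript">\s*window\.open\("readme\.eml"', re.IGNORECASE)
SUSPECT_NAMES = {"readme.eml", "admin.dll"}  # file names the post says to look for
# The post says the infected admin.dll has a modified date after 9/17/01.
CUTOFF = datetime(2001, 9, 17, tzinfo=timezone.utc).timestamp()
WEB_EXTS = (".htm", ".html", ".asp")


def scan_tree(root):
    """Walk a web root and report the three artifact classes from the post."""
    findings = {"injected_pages": [], "suspect_files": [], "tftp_files": []}
    for dirpath, _, files in os.walk(root):
        in_scripts = os.path.basename(dirpath).lower() == "scripts"
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in SUSPECT_NAMES and os.path.getmtime(path) > CUTOFF:
                findings["suspect_files"].append(path)
            # Assumption: tftp leftovers in inetpub\scripts are named tftp*.
            if in_scripts and lower.startswith("tftp"):
                findings["tftp_files"].append(path)
            if lower.endswith(WEB_EXTS):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if NIMDA_SNIPPET.search(fh.read()):
                        findings["injected_pages"].append(path)
    return findings


def build_sample_root():
    """Constructed sample web root (not real infected data) to dry-run the scan."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    injected = ('<html><body>hi</body></html><html><script language="JavaScript">'
                'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                '</script></html>')
    files = {
        ("inetpub", "wwwroot", "index.html"): "<html><body>clean page</body></html>",
        ("inetpub", "wwwroot", "about.html"): injected,
        ("inetpub", "wwwroot", "readme.eml"): "MIME-Version: 1.0\r\n",
        ("inetpub", "scripts", "tftp1234"): "",
    }
    for parts, content in files.items():
        os.makedirs(os.path.join(root, *parts[:-1]), exist_ok=True)
        with open(os.path.join(root, *parts), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Running `scan_tree(build_sample_root())` flags only about.html, readme.eml and the tftp file, leaving the clean page alone.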

 

Nightfall

Golden Member
Nov 16, 1999
Our company has the Symantec Corporate Virus Scanning package and that works well. You install it on one server, and then dump it to the workstations through the login scripts. The package then retrieves the updates and dumps the updates to all the clients without me having to do a thing. :)

Having current virus scanning is a key to the problem. Keeping your software updated and patched along with keeping your server updated and patched is another one. :)
 

spidey07

No Lifer
Aug 4, 2000
I haven't had any servers get infected; those have been patched for quite some time.

It is the damned PCs. We don't use Exchange, so e-mail propagation is nil.

The main propagation we're worried about is getting it from an internet web page, and peer infection via Network Neighborhood and shares.

 

Nightfall

Golden Member
Nov 16, 1999
Well, it was something I would normally be worried about, but with virus scanning software, I am not worried. :)
 

IJump

Diamond Member
Feb 12, 2001
I have one server out of 10 NT servers that is infected. We have another site where we were working on the server, after disconnecting it from the network, and the virus kept recreating itself somehow. Even after running the cleaning utilities (forgive me for not knowing which ones we ran, I believe it was from McAfee), the thing was still there.

It said it deleted the eml files, admin.dll, and cleaned iexplore and wordpad.exe, but the files came back. Anyone know if there is another file lurking somewhere?
 

spidey07

No Lifer
Aug 4, 2000
Probably not another file. Probably PCs on your net keep reinfecting the server through shares.
 

Nothinman

Elite Member
Sep 14, 2001
I personally don't run IIS at home, Apache all the way.

At work we don't use IIS on Internet accessible servers and on the mail server we've temporarily filtered all executable attachments. We've had 1 person get it from a web page, but it didn't make it anywhere on our network.
 

IJump

Diamond Member
Feb 12, 2001
That's what we thought, spidey, but we unplugged it from the network and the reinfection still happened.

Unless this is an airborne virus ( ;) ), it was something left on the server after we ran the utility.
 

Agamar

Golden Member
Oct 9, 1999
I had one NT server out of 8 get infected. I had patched all the NT servers for the Code Red worm, and hadn't found any evidence of a backdoor. I think one of our faculty uploaded an infected page, which eventually got opened from the server. 3500+ files infected. I had to rebuild the server from the ground up, and this time I installed NAI's NetShield. Anything getting uploaded or downloaded is first checked for viruses. Including Nimda... I am sick of patching :(
 

spidey07

No Lifer
Aug 4, 2000
Thanks for the help, guys.

Really, only a few machines were infected, probably from web servers, because our e-mail is rock solid and triple protected. There is basically no way to prevent a client PC from becoming infected from a web page unless you turn off Java or have fixed versions of IE.

Wound up slapping a content server in and integrating it with all firewalls. Nasty little ah heck, this one.

 

Wik

Platinum Member
Mar 20, 2000
OMG, I just got my apache server back online (hardware change) and as of last night I had over 1024 logs of the Nimda worm. This is compared to 45 code red logs. This is not good.
 

blstriker

Golden Member
Oct 22, 1999
1. Keep your server patched.
2. Run antivirus software.

My log files have swollen in size since this worm came around. I don't think the activity level will drop down anytime soon. Once it's out there, there are enough people out there to keep this worm going around practically forever.
 

jleon

Senior member
Feb 1, 2001
We had to stop our web proxy so that nobody could go out onto the internet and get infected until we rooted out the ah heck in our environment. It did take a very long time to update and push out the new anti-virus software to our servers and PCs. This ah heck was a major one because it was able to come thru to us in a very unique way: thru a market data connection.
 

n0cmonkey

Elite Member
Jun 10, 2001
Fight it by re-rooting boxes... ;)

EDIT: left out "format c:\"

Be an idiot when you don't have a box to be one with.