Hello,

Symantec says:
---------------------
System Modifications

When executed the worm determines from where it is being executed. The worm then overwrites MMC.EXE in the Windows Directory or creates a copy of itself in the Windows Temporary Directory.

The worm then infects commonly used executables listed in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the system.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows .DLL used by applications such as Microsoft Word. By replacing this DLL, the worm is executed each time applications such as Microsoft Word are executed.

The worm copies itself as the file:

%Windows\System%\load.exe

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.

The worm then attempts to modify files with the extension .htm, .html, and .asp or filenames matching default, index, main and readme on the local system that are shared with other network computers. .EXE files are infected and .EML and .NWS files are replaced by the virus.

Next, the worm creates open network shares for all drives on the computer by modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all open shares on the network by iterating through the Network Neighborhood. All files on any open network shares are examined for possible infection. .EXE files are infected by the worm except WINZIP32.EXE. .EML and .NWS files are copied to the open network shares and the worm copies itself over as riched20.dll to any directory with .DOC files.

During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create WININIT.INI with an entry to delete itself upon reboot.

The worm contains bugs and can be resource intensive. Thus, not all actions may occur and system instability may be noticeable.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< snip >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I did not find the open shares under NT, and I did not find the system.ini/wininit.ini changes.

Alex

> -----Original Message-----
> From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 5:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Compromised IIS Server ...
>
>
> >Has anyone been successful in removing
> >W32/Nimda@MM from their IIS 4.0 servers?
>
> Microsoft recommends a rebuild. But, this post was seen recently, and
> might be worth a try (but remember that not rebuilding might not fix
> everything...):
>
> -Scott
>
> ---
>
> I have cleaned (I think) one Win2k server. Here are the steps I followed:
> Here's some suggestions that I've used successfully (so far at least).
> YMMV.
>
> Be sure and check your "Guest" user account. The worm will enable it and
> also put it in the local administrators group.
>
> To fix the web pages:
> Open one of them in notepad or something and look at the last line of the
> file. You should see:
>
> I used Search & Replace from www.funduc.com to search for this string in all
> *.htm, *.html, and *.asp files and remove it.
>
> Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
> Delete them if the modified date on them is today. Also, mmc.exe. The good
> one should be in \winnt\system32 and will be a larger file size. Note
> admin.dll is a valid file for Front Page and will have a smaller file size
> and different date.
>
> Search for MEP*.TMP.EXE in the \temp directory and delete them.
>
> Look for root.exe in your web directories and remove it.
>
> Remove the drive shares on the root of your drives.
>
> Other files to look for are load.exe and a modified system.ini. I did not
> see these on NT.
>
> I also re-applied SP2 and rebooted.
>
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". You can E-mail
> [EMAIL PROTECTED] for assistance. You can visit our web
> site at http://www.declude.com .
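As an added example (not from anyone in this thread), a read-only Python scan that turns the file-level leads in the cleanup notes above into one pass over a directory tree: it looks for the filenames, the .eml/.nws extensions and the MEP*.TMP.EXE pattern the notes list, flags mmc.exe outside system32, and checks the last non-blank line of .htm/.html/.asp files for a marker string the responder copies from a known-infected page (the post does not reproduce that string, so it is a parameter here). The sample tree and the MARKER-FROM-INFECTED-PAGE value are constructed; the registry share and system.ini checks are left out.

```python
import fnmatch, os, pathlib, tempfile

# Names, extensions and patterns the thread tells the responder to search for.
SUSPECT_NAMES = {"readme.eml", "readme.exe", "admin.dll", "riched20.dll", "load.exe", "root.exe"}
SUSPECT_EXTS = {".eml", ".nws"}
WEB_EXTS = {".htm", ".html", ".asp"}

def last_line_has(path, marker):
    # The post says to open an infected page and look at its last line; we test that line only.
    with open(path, "rb") as fh:
        lines = [l for l in fh.read().splitlines() if l.strip()]
    return bool(lines) and marker.encode() in lines[-1]

def scan_tree(root, marker):
    # One walk over the tree; returns (path, reason) leads for the responder to verify
    # by size and modified date, as the post advises (admin.dll is legitimate for FrontPage).
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower, path = name.lower(), os.path.join(dirpath, name)
            ext = os.path.splitext(lower)[1]
            if lower in SUSPECT_NAMES:
                hits.append((path, "filename listed in the cleanup notes"))
            elif ext in SUSPECT_EXTS:
                hits.append((path, "worm mail-copy extension"))
            elif fnmatch.fnmatch(lower, "mep*.tmp.exe"):
                hits.append((path, "worm temp copy"))
            elif lower == "mmc.exe" and os.path.basename(dirpath).lower() != "system32":
                hits.append((path, "mmc.exe outside system32"))
            elif ext in WEB_EXTS and last_line_has(path, marker):
                hits.append((path, "web page tail carries the injected marker"))
    return sorted(hits)

def build_sample_tree():
    # Constructed sample tree of harmless placeholder files so the scan runs offline;
    # MARKER-FROM-INFECTED-PAGE stands in for the string copied from a real infected page.
    root = tempfile.mkdtemp()
    files = {
        "inetpub/wwwroot/default.htm": "<html>hi</html>\nMARKER-FROM-INFECTED-PAGE\n",
        "inetpub/wwwroot/about.htm": "<html>ok</html>\n", "inetpub/wwwroot/readme.eml": "x",
        "inetpub/scripts/root.exe": "x", "temp/MEP01A3.TMP.exe": "x",
        "winnt/system32/mmc.exe": "x", "winnt/mmc.exe": "x", "winnt/system32/admin.dll": "x",
    }
    for rel, body in files.items():
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Running `scan_tree(build_sample_tree(), "MARKER-FROM-INFECTED-PAGE")` on the constructed tree yields six leads and leaves the clean about.htm and the system32 copy of mmc.exe alone; on a real server, point it at the drive root and pass the exact tail line taken from an infected page.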
