I've also seen *.NWS files created by it also. Same size, in every
directory in the infected machine's search path.
Symantec just released updated v-defs, BTW.
Steve
> -----Original Message-----
> From: Szlucha, Chris [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 5:46 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
>
> I believe, but I may be mistaken, that you need to delete all
> of the instances of the file in its many iterations, the
> .EML files, the .EXE files that it created, the MMC.EXE that
> was modified, the .DLL file it modifies, and the .TMP.EXE
> files that it creates under your temp folder. And check your
> system.ini for the telltale modification it makes and delete
> that also.
>
> But I'm not a virus guy so I could be wrong. :)
>
>
> -----Original Message-----
> From: Jeffrey Witt [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 6:35 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
> Don't delete the .eml files! I did on one machine that I
> pulled from the network. They just showed up again with
> different names and the .eml extension. Right now they are
> sitting on the network volume as desktop.eml and lightning.eml
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, September 18, 2001 5:15 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
>
>
> Some users access external mail servers such as private ISPs using other
> email clients. Our users are senior consultants, lawyers, etc., so it's hard
> to control them. We have the company email protected but they do things
> that we would prevent if we could. So far I've been seeing the
> readme.exe, desktop.exe, readme.eml, desktop.eml, and I have
> a ton of eml files on my servers that are either completely
> the virus or infected existing files - don't know yet. Might have to do
> a mass restore whenever we can protect against this.
>
>
>
> Wes Owen <[EMAIL PROTECTED]>
> Sent by: bounce-nt2000-135231@ls.swynk.com
> 09/18/2001 02:57 PM
> Please respond to "NT 2000 Discussions"
> To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: New Virus - NIMBA
>
> So did you have some users who actually got the readme.exe file?
> We have not seen a single one of these hit our scanners yet.
>
> BTW, we run Mailsweeper and even though we do not block all
> executables we were able to quickly block readme.exe. Even
> though Sophos had an update out about 10 minutes after we got
> that done.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 4:35 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
>
>
> I use Opera and this morning an infected web site offered me
> a download. If I had accepted the download I would have been
> a casualty in this war. IE users can get infected
> automatically and because all of our workstations
> have it, we had some get infected before we could notify
> everyone. We think some users got infected from Outlook too.
>
>
>
>
> "Szlucha, Chris" <[EMAIL PROTECTED]>
> Sent by: bounce-nt2000-135231@ls.swynk.com
> 09/18/2001 02:18 PM
> Please respond to "NT 2000 Discussions"
> To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: New Virus - NIMBA
>
> Incorrect! If your users visit an infected website, they can
> get it directly because it's embedded in the HTML. They can
> also get it through Hotmail and any other web-based email system.
>
>
>
> -----Original Message-----
> From: Ryan Malayter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 5:11 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
> If you were blocking all executable attachments, you wouldn't
> have to wait for your antivirus vendor...
>
> -----Original Message-----
> From: Anthony L. Sollars [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 4:09 PM
> To: NT 2000 Discussions
> Subject: RE: New Virus - NIMBA
>
>
> SYMANTEC...MOVE IT MOVE IT
>
> -----Original Message-----
> From: Marc Callahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 2:04 PM
> To: NT 2000 Discussions
> Subject: Re: New Virus - NIMBA
>
>
> c'mon Symantec!
>
> ----- Original Message -----
> From: "Chinnery Paul" <[EMAIL PROTECTED]>
> To: "NT 2000 Discussions" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 4:03 PM
> Subject: RE: New Virus - NIMBA
>
>
> > Trend has just within the last few minutes released its update. I
> > can't get it yet, though, probably because of site traffic.
> >
> > -----Original Message-----
> > From: Jeffrey Witt [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 5:05 PM
> > To: NT 2000 Discussions
> > Subject: RE: New Virus - NIMBA
> >
> >
> > It already hit us. Trying to download the detection and fix file now
> > from McAfee; it's going real slow. Think they are busy?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Szlucha, Chris
> > Sent: Tuesday, September 18, 2001 3:56 PM
> > To: NT 2000 Discussions
> > Subject: New Virus - NIMBA
> >
> >
> > Just an FYI, folks. There is a new virus spreading rapidly!!! SARC
> > and others are still researching it, but McAfee seems to have a DAT
> > file that will at least recognize it.
> >
> > Seems to be a bit nasty in its propagation. Check out the web site
> > for more details.
> >
> > http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
> > http:[EMAIL PROTECTED]
> >
> > -Chris Sz
> >
> > ------
> > You are subscribed as [EMAIL PROTECTED]
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe send a blank email to [EMAIL PROTECTED]
------
You are subscribed as [email protected]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
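
Added example, not part of the original thread and not any vendor's tool: the messages above report same-size .EML/.NWS copies in many directories and .eml files reappearing under different names, so this Python script sweeps a tree by extension, size and content instead of by filename. The SHA-256 confirmation step goes beyond what the thread describes; `find_dropped_copies`, the `min_dirs` threshold and the sample tree are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

SUSPECT_EXTS = {".eml", ".nws"}  # the two extensions reported in the thread

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_dropped_copies(root, min_dirs=3):
    """Byte-identical .eml/.nws files found in >= min_dirs directories (assumed threshold)."""
    by_size = defaultdict(list)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTS:
                path = os.path.join(dirpath, name)
                try:
                    by_size[os.path.getsize(path)].append(path)
                except OSError:
                    continue  # file vanished or is unreadable
    clusters = []
    for size, paths in by_size.items():
        if len({os.path.dirname(p) for p in paths}) < min_dirs:
            continue  # cheap size filter first; hash only the candidates
        by_hash = defaultdict(list)
        for p in paths:
            try:
                by_hash[sha256_of(p)].append(p)
            except OSError:
                continue
        for digest, same in by_hash.items():
            dirs = sorted({os.path.dirname(p) for p in same})
            if len(dirs) >= min_dirs:
                clusters.append({"size": size, "sha256": digest,
                                 "dirs": dirs, "paths": sorted(same)})
    return clusters

if __name__ == "__main__":
    # Constructed sample tree: one payload dropped under changing names.
    with tempfile.TemporaryDirectory() as root:
        for i, name in enumerate(["desktop.eml", "lightning.eml", "readme.nws"]):
            os.makedirs(os.path.join(root, f"share{i}"))
            with open(os.path.join(root, f"share{i}", name), "wb") as fh:
                fh.write(b"constructed-sample" * 64)
        for c in find_dropped_copies(root):
            print(c["size"], len(c["dirs"]), c["paths"])
```

Grouping by size first keeps the sweep cheap on large file servers, and matching on content means a copy that comes back under a new name still lands in the same cluster.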