Title: serious network down...readme.eml??

Got this from Peter Kruse who pointed me to http://www.norman.no/ - thanks!

 

The worm W32/Nimda.A@mm is spreading very fast. It may arrive as an email with the following characteristics:
Subject: None
Body: None
Attachment name: README.EXE
This worm may enter a computer in several ways - it will either be received as an email with an attachment, over open shared drives in networks, and it seems that it will also attempt to break into machines running the web server software IIS (Internet Information Server), utilizing various well-known security holes. All IIS web server admins are encouraged to patch up their web server to protect themselves. An accumulative patch for IIS servers is available from: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
When the infected file is run, it will copy itself to the system directory as a hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so that it is run from startup.

 

It may not remove everything – but it may stop it long enough to see what damage was done.

 

Steve Clark

Clark Systems Support, LLC

www.clarksupport.com
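
Added example (not part of the original messages or the Norman advisory): a Python check for the two artifacts the advisory describes, a LOAD.EXE in the system directory and a SYSTEM.INI entry that calls it. The C:\WINNT default, the directory names checked and the sample INI text are assumptions constructed for illustration.

```python
import os
import re

ARTIFACT = "load.exe"  # file name given in the advisory, compared case-insensitively

# Constructed sample inputs (not taken from an infected machine).
CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=download.exe\n"
SUSPECT_INI = "; constructed sample\n[boot]\nshell=Explorer.exe load.exe\n"

def ini_references(ini_text, artifact=ARTIFACT):
    """Return (section, key, value) for each INI entry whose value names the artifact."""
    hits, section = [], ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Compare whole path/argument tokens so download.exe is not flagged.
        tokens = re.split(r'[\s,"\\/]+', value.lower())
        if artifact in tokens:
            hits.append((section, key.strip(), value.strip()))
    return hits

def find_artifact(directory, artifact=ARTIFACT):
    """List files in directory named like the artifact; os.listdir includes hidden files."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    return [os.path.join(directory, n) for n in names if n.lower() == artifact]

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\WINNT")  # assumed Windows directory
    ini_path = os.path.join(root, "SYSTEM.INI")
    if os.path.exists(ini_path):
        with open(ini_path, errors="replace") as fh:
            for section, key, value in ini_references(fh.read()):
                print(f"{ini_path}: [{section}] {key}={value}")
    for sub in ("system32", "system"):  # NT and Windows 9x system directories
        for path in find_artifact(os.path.join(root, sub)):
            print(f"found {path}")
```

A hit is a lead to investigate, not proof of infection, since a file name alone does not identify the worm.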

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:24 PM
To: NT System Admin Issues
Subject: RE: serious network down...readme.eml??

 

Stupid Ev Question #327: eml files can be executed?

 

Thanks,

 

Evan

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:05 PM
To: NT System Admin Issues
Subject: RE: serious network down...readme.eml??

 

1    Unplug servers from network.

2    use ERD to recover.

3    send users home.

4    clean clients.

-----Original Message-----
From: Terry Manolakos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM
To: NT System Admin Issues
Subject: serious network down...readme.eml??

My network is slammed with some unknown virus of some sort.....Both my NT 4.0 servers running MS-Exchange 6.5 have about 2300 alien files which were deleted....a "readme.eml" is being executed by all users somehow automatically and it's infecting all my NT domain.   I can not Ctrl+Alt+Delete to log into any of the servers.....the display shows "initialization of the dynamic link library C:\WINNT\system32\USER32.dll failed. The process is terminating abnormally"  OKaying this results in no effects....all servers have this displayed onscreen.  For the ones that have admin already logged in, Services (control panel, settings) can not be accessed!  "access to the specified device, path, or file is denied"....it seems this virus has locked onto this element.  PDC is running Exchange (I know, never put'em together...but we're still cleaning up after previous SysAdmins here), and this has gone berserk as well, with the same message onscreen.  Norton/Symantec doesn't recognize "readme.eml"....who out there can shine a flashlight in this dark mess?  thanks in advance.

Terry 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
