RE: serious network down...readme.eml??

[Clark, Steve]

Title: Message

Got this from Peter Kruse who pointed me to http://www.norman.no/ - thanks!   The worm W32/Nimda.A@mm is spreading very fast. It may arrive as an email with the following charteristics: Subject: None Body: None Attachment name: README.EXE This worm may enter a computer in several ways - it will either be received as an email with an attachment, over open shared drives in networks, and it seems that it will also attempt to break into machines running the web server software IIS (Internet Information Server), utilizing various security holes well known . All IIS web server admins are encouraged to patch up their web server to protect themselves. An accumulative patch for IIS servers is available from: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp When the infected file is run, it will copy itself to the system directory as a hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so that it is run from startup.   It may not remove everything – but it may stop it long enough to see what damage was done.   Steve Clark Clark Systems Support, LLC www.clarksupport.com   -----Original Message----- From: Zangara, Jim [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 12:53 PM To: NT System Admin Issues Subject: RE: serious network down...readme.eml??   we are getting it as well.  we already blocked the readme.exe that comes with it - in our cases it is trying to launch a windows media player.  update your file filter to block *.eml and *.nws per antigen.  They re working on a more comprehensive fix.   Have not seen the problems you reported with it though - it only appears to launch the media player - share your c drive and propagate here.     Jim Zangara, MCSE+I Special Projects Engineer Premiere Radio Networks A Division of Clear Channel Communications 15260 Ventura Blvd Suite 500 Sherman Oaks, CA 91403 Direct: (818) 461-8620 mailto:[EMAIL PROTECTED]   Even the boldest zebra fears the hungry lion. -----Original Message----- From: Terry Manolakos [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 9:21 AM To: NT System Admin Issues Subject: serious network down...readme.eml?? My network is slammed with some uknown virus of some sort.....Both my NT 4.0 servers running MS-Exchange 6.5 have about 2300 alien files which were deleted....a "readme.eml" is being executed by all users somehow automtically and its infecting all my NT domain.   I can not Ctrl+Alt+Delete to log into any of the servers.....the display shows "initialization of the dynamic link library C:\WINNT\system32\USER32.dll failed. The process is terminating abnormally"  OKaying this results in no effects....all servers have this displayed onscreen.  For the ones that have admin already logged in, Services (control panel, settings) can not be accessed!  "access to the specified device, path, or file is denied"....it seems this virus has locked onto this element.  PDC is running Exchange (I know, never put'em together...but we're still cleaning up after previous SysAdmins here), and this has gone bezerk as well, with the same message onscreen.  Norton/Symantec doesn't recognize "readme.eml"....who out there can shine a flashlite in this dark mess?  thanks in advance. Terry  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm