This was probably a really stupid thing that I did.  I
am new to all of this stuff, but I try to be very
cautious.
The site that had been infected had been posted for
several hours yesterday and no one had commented on
it.  I went to the site to see what a hacked page
looked like (thinking it was along the lines of a
defaced webpage like the "Hacked by Chinese" pages).  I
was never prompted to download a file, and I have the
highest security for internet options (everything is
disabled or prompt).  I have Internet Explorer 5.01
SP2, which is not affected by the MIME exploit, W2K
SP2 patched as much as possible.  According to NAV,
you have to be vulnerable to the MIME exploit when
visiting the infected site to have the .eml file run.

I downloaded the new virus definitions this morning
that were not available yesterday and scanned the
computer.  In the Temporary Internet Folders\Content
IE5\64DIY8YA\ folder there is a file called
216.39.175[1].htm that was detected by NAV as infected
with Nimda.  I know this is a really ignorant question,
but does that mean I am infected by Nimda and that I
am vulnerable to the stuff it can do?  It was the only
file detected as infected and NAV cleaned it.  Again,
I am new to this stuff and have never had to deal with
having an infected file on my computers before, so I
do not know if I am safe.

I checked my guest account, and it is still disabled
and has only guest properties.  My system.ini file has
not been modified recently, and neither have the
riched20.dll files.  I cannot find a load.exe.

Norton says to repair html files, then reboot, and
then do another scan until no files are found and to
delete the text added to system.ini.  In this
situation, where I have an htm file in the temporary
internet folder, does this stuff apply?  Why is the
file in the temporary internet folder detected
as infected anyway?

TIA,
Higgins


>-----Original Message-----
>From: David B. Lunn [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 1:34 AM
>To: NT System Admin Issues
>Subject: RE: WARNING: Hacker Alert
>
>
>Why would you put a link to an infected site?  If someone does not have
>sept 18th patterns????  They will immediately be infected???
>
>-----Original Message-----
>From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 18, 2001 8:19 AM
>To: NT System Admin Issues
>Subject: RE: WARNING: Hacker Alert
>
>
>Here is a site that has been hit
>http://216.39.178.32
>


