Remember, guest is admin on infected machines.  Anyone can upload tools and
remote control apps to your machine while guest is active.

Dan

-----Original Message-----
From: Søren Albeck [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 7:34 AM
To: NT System Admin Issues
Subject: RE: How to remove Nimda from NT Server without a reload


I've had one server infected. Other than the description below, I used
NAI's removal-tool with no problems. It can be found at
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 (may be wrapped)
under the heading "Stand-alone removal tool".
The server was booted in between each step, the whole operation took a
little over 1 hour and it is so far behaving nicely.

Søren A

> I'm in the middle of an all-nighter killing this thing, I'll tell you
> what is working for me (you need to be at the console):
> Delete Admin.dll and all TFTP* files from %driveletter%\Inetpub\scripts
> Stop and disable the server service
> Reboot
> Apply IIS cumulative patch
> Reboot
> Apply hotfixes for either IE 5.01 SP1 or IE5.5 SP1 (mime header vulns)
> Reboot
> I am running NetShield, so I apply DAT 4161 and then scan and clean.
> 
> Kludgy, I know, we are working on scripting this.  That is what we have
> so far.  I'll update unless someone else does before then.  Back to
> work....
> 
> -----Original Message-----
> From: Matthew Western [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 8:59 PM
> To: NT System Admin Issues
> Subject: How to remove Nimda from NT Server without a reload
> 
> 
> Any links on how to remove Nimda from NT without a reload?  When I run the
> removal tool from this list it crashes...  Any idea what services it
> overwrites and runs as?  I've heard cmd.exe and mmc.exe.  We've got mmc.exe
> running, but when I try to kill it with task manager it says access
> denied...  Ideas?
> Matthew
> 
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
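
A post-cleanup check for the two indicators named in this thread (Admin.dll and TFTP* files left in Inetpub\scripts, and guest holding admin rights), as an added example that is not part of the original messages. It assumes the output of `net localgroup Administrators` has been saved as text; the function names and all sample data are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Filenames the thread says to delete from <drive>:\Inetpub\scripts.
DROPPED_PATTERNS = ("admin.dll", "tftp*")

def find_dropped_files(scripts_dir):
    """Return sorted names in scripts_dir matching the patterns (case-insensitive)."""
    hits = []
    for name in os.listdir(scripts_dir):
        lowered = name.lower()
        if any(fnmatch.fnmatchcase(lowered, p) for p in DROPPED_PATTERNS):
            hits.append(name)
    return sorted(hits)

def guest_is_admin(net_localgroup_output):
    """Parse `net localgroup Administrators` output; True if Guest is a member."""
    in_members = False
    for line in net_localgroup_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("---"):      # dashed rule precedes the member list
            in_members = True
            continue
        if not in_members or not stripped:
            continue
        if stripped.lower().startswith("the command completed"):
            break
        # Members may appear as DOMAIN\name; compare the account part only.
        if stripped.split("\\")[-1].lower() == "guest":
            return True
    return False

# Constructed sample of the command output on an affected server.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

def demo():
    """Run both checks against a constructed scripts directory and sample output."""
    with tempfile.TemporaryDirectory() as scripts:
        for name in ("Admin.dll", "TFTP1234", "tftp88", "default.asp"):
            open(os.path.join(scripts, name), "w").close()
        return find_dropped_files(scripts), guest_is_admin(SAMPLE_NET_OUTPUT)

if __name__ == "__main__":
    print(demo())
```

Run it again after the final reboot and scan: both results should come back empty/False before the server service is re-enabled.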
