I can share our experience with Nimda cleaning without shutting down the
server, BUT SHUTTING DOWN ALL THE workstations.
1. Disconnect WS from the network.
2. Run fixnimd.com - from:
http:[EMAIL PROTECTED]
al.tool.html
3.Check the SYSTEM.INI file for the presence of the following string:
Shell=explorer.exe load.exe -dontrunold
and change it to:
Shell=explorer.exe
3. Seek for and delete ALL files (on all disks) with extension .eml and
.nws - on all WS and the server as well.
4. Seek for and delete ALL RICHED20.DLL files, normally hidden and system,
(on all disks) with filesize
approx. 78 kB and actual date.
5. Seek for and delete ALL occurrences of load.exe, normally hidden and
system file, anywhere in the WS disks.
6. Disable temporarily ANY sharing from the WS.
7. Shutdown WS and proceed to next one until the end.
8. Boot one WS and ENABLE DISK SHARING - FULL ACCESS to a disk (preferably
not system one). Use Net Watcher (or similar program) to monitor this WS
for external attacks from the network - if any.

rem.: P. 4. and 5. should be omitted when using fixnimd.com from Symantec.

more info:
www.mcafee.com/anti-virus/viruses/nimda
www.f-secure.com/v-descs/nimda.shtml
www.microsoft.com/technet/security/bulletin/MS01-044.asp
http:[EMAIL PROTECTED]

Regards

----- Original Message -----
From: "Roger Ali" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 3:16 PM
Subject: RE: Nimda Breakout Help!


> That's the problem, the machine that is infected is our file server, web
> outlook server, and our email server.  I can't shut these things down as
> they are core to the business.  The virus came through email to internal
> users, not through IIS.  We've patched up IIS regardless and I've blocked
> all attachments, I dunno how long it will last with our business.  But
> we'll see. Any other ideas?
>
> Thanks
> Roger Ali
>
>
> -----Original Message-----
> From: Kelly Borndale [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 22, 2001 7:57 PM
> To: NT System Admin Issues
> Subject: RE: Nimda Breakout Help!
>
> Unplug the infected machine from the network.
>
> -K
>
> > -----Original Message-----
> > From: Roger Ali [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, September 22, 2001 2:06 PM
> > To: NT System Admin Issues
> > Subject: Nimda Breakout Help!
> >
> >
> > Guys,
> > Does anyone know a way to prevent the PE_Nimda and all other
> > variations from infecting servers.  I've got a mixed network 2K and NT
> > and all my servers were hit, I have trend office scan and trend server
> > protect and all it does is notifies me about the virus and that it
> > couldn't clean or move the files.  I've gotten the cumulative patch
> > from trend's site and applied it to all my servers but they keep
> > getting infected.  Is there a way to stop this at all??  Please help.
> >
> > Thanks
> > Roger Ali
> >
> > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> >
> >
>
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>
>


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
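
A read-only inventory of the artifacts named in the cleanup steps of the top message (the SYSTEM.INI shell line, .eml/.nws files, load.exe, and RICHED20.DLL of about 78 kB), as an added example that is not part of the original e-mails. The function names, the 70-86 kB size window, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Hijacked shell line from step 3 of the message (matched case-insensitively).
SHELL_RE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.I)
# Assumption: a tolerance window around the "approx. 78 kB" given in the message.
RICHED_MIN, RICHED_MAX = 70 * 1024, 86 * 1024

def scan_tree(root):
    """Walk root and return sorted (indicator, path) pairs; nothing is deleted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower == "system.ini":
                with open(path, errors="replace") as fh:
                    if any(SHELL_RE.match(line) for line in fh):
                        findings.append(("system.ini-shell", path))
            elif lower.endswith((".eml", ".nws")):
                findings.append(("eml-nws", path))
            elif lower == "load.exe":
                findings.append(("load.exe", path))
            elif lower == "riched20.dll" and RICHED_MIN <= os.path.getsize(path) <= RICHED_MAX:
                findings.append(("riched20-size", path))
    return sorted(findings)

def build_sample(root):
    """Create a constructed directory tree (placeholder bytes only) to scan."""
    samples = {
        "WINDOWS/SYSTEM.INI": b"[boot]\r\nShell=explorer.exe load.exe -dontrunold\r\n",
        "CLEAN/SYSTEM.INI": b"[boot]\r\nShell=explorer.exe\r\n",
        "SHARE/readme.eml": b"x",
        "SHARE/DOCS/sample.nws": b"x",
        "WINDOWS/SYSTEM/load.exe": b"x",
        "SHARE/DOCS/RICHED20.DLL": b"\0" * (78 * 1024),    # size from the message
        "WINDOWS/SYSTEM/RICHED20.DLL": b"\0" * (400 * 1024),  # outside the window
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for indicator, path in scan_tree(tmp):
            print(f"{indicator:18} {os.path.relpath(path, tmp)}")
```

Pointing `scan_tree` at a drive or share root produces a report to review before any deletion, which matters because .eml is also the format of legitimately saved mail messages.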
