Status as of 16:00 EDT, FWIW:

OK. I have isolated the machines, run McAfee and Norton cleaner, deleted all *.eml 
files (seemed to be added to EVERY directory) and done all the recommended file 
replacements.

About every fifteen minutes or so, the .EML files are all back again. 

We seem to have TWO problems. Some machines are runnable with Nimda signatures found; 
others have Nimda signatures and cannot be booted to anything other than a clean blue 
screen (not the BSOD), but we can see them with NTFSPRO.

Still working on these to save vital files, but we found 1388 files infected, of all 
kinds and types. Many executables, such as GroupWise, were renamed *.RB0, *.Rb1, *.RB2, 
etc.





Steve Kelsay
Network Administration Group
South Carolina Department of Revenue
301 Gervais Street
Columbia, SC 29201

(803) 898-5522

>>> [EMAIL PROTECTED] 09/24/01 12:40PM >>>
Guys, please check ALL FILES to scan your drives, because also 
ASP, JS, HTM, HTML, SHTML, SHTM are ALL infected and not listed if you select
to scan program files only!!
Also replace riched20.dll and mcc.exe (if you are infected) or everything starts again.
A virus scanner will NOT clean it totally!

Kind regards,
Pim Vessies
CS&O Backoffice
Philips Medical Systems
IM/CS&O/BO Building QAII-441
Veenpluis 4 - 6, 5684 PC Best
The Netherlands





"Denoy, David" <[EMAIL PROTECTED]> on 09/24/2001 05:42:35 PM

Please respond to "NT System Admin Issues" <[EMAIL PROTECTED]>

To:     "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:      (bcc: Pim Vessies/BST/MS/PHILIPS)
Subject:  RE: Nimda - Thought we were protected
Classification:



I've seen this same NIMDA-infected executable on a Windows 2000 Professional
machine after being protected with the latest updates. We haven't seen any
effects of the infection yet or further spread.

-----Original Message-----
From: Steve Kelsay [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 8:13 AM
To: NT System Admin Issues
Subject: RE: Nimda - Thought we were protected


The virus checker we ran on the readme.exe file called it Nimda.
Unless we got hit with multiple virii at the same time. That is why I
thought it might be a new strain. I sent the files to McAfee for analysis
already.


Steve Kelsay
Network Administration Group
South Carolina Department of Revenue
301 Gervais Street
Columbia, SC 29201

(803) 898-5522

>>> [EMAIL PROTECTED] 09/24/01 10:54AM >>>
What makes you think it is Nimda in the first place?
Your symptoms sound nothing like it at all.

-----Original Message-----
From: Steve Kelsay [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 7:35 AM
To: NT System Admin Issues
Subject: Nimda - Thought we were protected


First alert, maybe nothing.

We just had our developer machines, running NT2000 Server, hit with
Nimda.

The strange thing is, we have Nimda protection in our email scanner, and
all the security fixes MS said should be applied. SP2 is installed.

The machines boot up, a login screen displays, and they log in. The
Novell login script begins to run as normal (we run a mixed network, NT
and Novell), then the login script box clears as normal, a blue screen
appears as normal, and nothing further happens.

Could this be a new strain?





Steve Kelsay
Network Administration Group
South Carolina Department of Revenue
301 Gervais Street
Columbia, SC 29201

(803) 898-5522


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
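
The symptoms reported in this thread (*.eml files returning after deletion, executables renamed *.RB0/*.Rb1, web content skipped by a program-files-only scan) can be tracked with a full-tree sweep compared across cleanup passes. This Python example is added here and is not from any poster; the bucket names, helper functions and demo tree are assumptions, and the file names are used as written in the thread.

```python
import os
import re
import tempfile

# Patterns taken from the thread; this lists candidates only, it does not judge infection.
RENAMED = re.compile(r"\.rb\d+$", re.IGNORECASE)           # *.RB0, *.Rb1, *.RB2 ...
NAMED = {"riched20.dll", "mcc.exe", "readme.exe"}          # names as written in the thread
WEB = {".asp", ".js", ".htm", ".html", ".shtml", ".shtm"}  # missed by a program-files-only scan


def sweep(root):
    """Walk every file under root (no extension filter) and bucket the relative paths."""
    found = {"eml": set(), "renamed": set(), "named": set(), "web": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            low = name.lower()
            ext = os.path.splitext(low)[1]
            if ext == ".eml":
                found["eml"].add(rel)
            elif RENAMED.search(low):
                found["renamed"].add(rel)
            if low in NAMED:
                found["named"].add(rel)
            if ext in WEB:
                found["web"].add(rel)
    return found


def reappeared(before_cleanup, after_cleanup, later):
    """Paths that existed, were removed by the cleanup, and exist again in a later sweep."""
    removed = before_cleanup - after_cleanup
    return sorted(removed & later)


def demo():
    """Constructed tree standing in for a share; the file names are made up for the demo."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("a/x.eml", "a/b/y.EML", "apps/grpwise.RB0", "web/index.htm", "sys/riched20.dll"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        first = sweep(root)
        for rel in first["eml"]:
            os.remove(os.path.join(root, rel))               # the manual *.eml cleanup
        cleaned = sweep(root)
        open(os.path.join(root, "a", "x.eml"), "w").close()  # constructed: one file comes back
        later = sweep(root)
        return first, reappeared(first["eml"], cleaned["eml"], later["eml"])
```

Any path returned by `reappeared` means something on the host or network is still writing files, so the machine is not clean regardless of what the scanner reported.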

