RE: Do we NEED to reinstall after a "Nimda" infection like Symantec advises?
MacDonald, Bruce (VAN_Exchange) Tue, 25 Sep 2001 15:31:30 -0700

I have many machines here that were swarmed w/ *.eml and *.nws files. About 25% of those had executables affected. This is a REALLY clever little b*st*rd, in that it infected executables w/o altering their dates/times. I rooted these out BEFORE Symantec created their defs by using windiff on a fresh install to find mismatched file sizes, then copied the good versions overtop the bad.

The two workstations running IIS were badly messed up, most .asp were unrepairable, as were some .htm(l)'s. One had no tape bu, so we just whacked it, the other we rest'd from tape, and it *seems* ok. Re-scan today w/ NAV defs of the 24th revealed no probs. In fact, I would bet that some of the non-repairable files may now have been repairable, but I whacked 'em.

The toughest nut to crack was an early rev W95 machine, which we need 'cuz it has a piece of specialty HW attached for which no one has written a later driver. Explorer itself was pooched, but luckily we could copy from a floppy.

I guess you have to decide which is the less headache. If this machine is critical, you have a baseline backup somewhere, so install an NT stub, restore, and you're running again. If it isn't that critical, why not just run NAV till it runs clear, then look at the logs to see what you lost.

crap, musta been in verbose mode, sorry...

Bruce MacDonald
Manager, Information Technology
Pacific Newspaper Group (Kennedy Heights)
(604) 605-7269 ph
(604) 605-7239 fax
[EMAIL PROTECTED]

-----Original Message-----
From: Howie Pince [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 13:32
To: NT System Admin Issues
Subject: Do we NEED to reinstall after a "Nimda" infection like Symantec advises?

Hey,

Was victim of waiting on virus defs from Symantec and 3 servers got infected. They have been cleaned, and the whole network scanned, as well as having Symantec's Nimda removal tool <Should say PERMISSIONS REMOVAL TOOL IN 20pt RED FONT as it wipes out all your share permissions!!> run on the systems.

Everything seems fine? But they advise that the WHOLE OS be reloaded from scratch? <At the same time they list the damage as moderate, say what?> Man that is A LOT of work AND downtime? Is this a serious security risk even after the cleanup or? What are you guys doing, wiping out your system and reinstalling or "riding the wave?"

Thanks in advance....

Howie Pince
CIS Support Engineer
HDRI
A+, MCP2000+5<1 left!>

Want to unsub? Do that here: http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
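Bruce's triage method (windiff against a fresh install to catch executables whose size changed while their timestamps did not) generalises to a baseline integrity check. The script below is an added example, not code from this thread or from Symantec or Microsoft: it records size, SHA-256 and mtime for every file under a known-good tree, then compares a suspect tree against that baseline and flags files whose content changed even though the timestamp was preserved, which a date-sorted directory listing would miss. It goes slightly beyond the post by also catching same-size in-place modifications via hashing. All file names, contents and the timestamp it uses are constructed for the demo; the helper names (build_baseline, find_tampered, build_demo) are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size, SHA-256 and mtime of every file under a known-good tree
    (e.g. a fresh install), keyed by path relative to that tree."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "size": st.st_size,
                "sha256": file_digest(p),
                "mtime": int(st.st_mtime),
            }
    return baseline


def find_tampered(baseline: dict, suspect_root: Path) -> dict:
    """Compare a suspect tree against the baseline and return {relpath: reason}.
    Size is checked first (cheap, and what windiff was used for in the thread);
    equal-size files are then hashed. 'mtime preserved' marks the case the thread
    describes: content changed but the date/time was left untouched."""
    findings = {}
    for rel, good in baseline.items():
        p = suspect_root / rel
        if not p.is_file():
            findings[rel] = "missing"
            continue
        st = p.stat()
        note = " (mtime preserved)" if int(st.st_mtime) == good["mtime"] else ""
        if st.st_size != good["size"]:
            findings[rel] = "size mismatch" + note
        elif file_digest(p) != good["sha256"]:
            findings[rel] = "hash mismatch" + note
    return findings


def build_demo():
    """Construct a known-good tree and a suspect copy of it in temp dirs.
    All files, contents and the fixed timestamp are constructed for this example."""
    good = Path(tempfile.mkdtemp(prefix="good_"))
    suspect = Path(tempfile.mkdtemp(prefix="suspect_"))
    files = {
        "system/notepad.exe": b"MZ" + b"\x00" * 1000,
        "system/calc.exe": b"MZ" + b"\x01" * 1000,
        "inetpub/default.htm": b"<html>hello</html>",
        "readme.txt": b"unchanged",
    }
    fixed_mtime = 1_000_000_000  # arbitrary constructed timestamp
    for rel, data in files.items():
        for root in (good, suspect):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Alter two files in the suspect tree: one grows, one is patched in place
    # at the same size, then restore the original timestamps on everything so
    # a date-based search sees nothing.
    (suspect / "system/calc.exe").write_bytes(files["system/calc.exe"] + b"+modified")
    (suspect / "system/notepad.exe").write_bytes(b"MZ" + b"\x02" * 1000)
    for root in (good, suspect):
        for rel in files:
            os.utime(root / rel, (fixed_mtime, fixed_mtime))
    return good, suspect


if __name__ == "__main__":
    good_root, suspect_root = build_demo()
    for rel, reason in sorted(find_tampered(build_baseline(good_root), suspect_root).items()):
        print(f"{reason:30} {rel}")
```

In practice the baseline would be built once from clean install media or a trusted backup and stored off the machine; the comparison then runs against the suspect host's copy of the same paths. Restoring flagged files from the baseline is only sound when the replacement really is the same version and build, which is why matching against a fresh install of the identical OS level matters.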
