For what it's worth, at this late point.
It appears that Zone Alarm is successfully blocking the worm from spreading
on networked computers.
Our campus had two servers infected, and every few minutes, Zone Alarm
would pop up and say it had deflected an access attempt from these
machines. It's unclear that the hits were really the worm, but the level
of activity and our IT department think it points in that direction.
Paul Patrick [EMAIL PROTECTED]
University of Central Oklahoma
Edmond, OK 73034
(405) 974-2336 fax (405) 341-4964
"Dan Goldberg" <dang@lancecamper.com>
Sent by: owner-rbase-l@sonetmail.com
09/20/2001 10:02 AM
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Nimda virus: clean-up warning and instructions <fwd>
Please respond to rbase-l
I found a free cleaner on www.antivirusexpert.com.
It worked well on a couple of machines that were infected here.
Dan
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ian Chivers
Sent: Thursday, September 20, 2001 1:25 PM
To: [EMAIL PROTECTED]
Subject: Nimda virus: clean-up warning and instructions <fwd>
I'm on a UK academic networking mailing list. This
is the message from the technical people who manage
this network.
I've seen it wipe out two servers, leaving them
unusable. You can't run .exe files, for example.
The virus infects systems running Microsoft Windows 95, 98, ME, NT, and
2000. This new worm appears to spread by multiple mechanisms:
* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation of
the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
* from client to web server via scanning for the back doors left behind
by the "Code Red II", and "sadmind/IIS" worms
The virus can spread via email; therefore, if you receive an email with
an attachment called README.EXE, do not open the attachment.
Hope this helps.
--- Begin Forwarded Message ---
Date: Thu, 20 Sep 2001 10:29:48 +0100
From: Andrew Cormack <[EMAIL PROTECTED]>
Subject: Nimda virus: clean-up warning and instructions
Sender: [EMAIL PROTECTED]
To: Receivers of CERT messages <[EMAIL PROTECTED]>
Reply-To: Andrew Cormack <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
We are still dealing with over a hundred sites suffering from infection
by the Nimda worm. Please bear with us if our response is a little
slower than usual.
Several people have asked if there is a way to remove this worm from an
infected system other than doing a complete re-install. A number of web
sites are now offering instructions; however, due to the very large number
of changes made by the worm to an infected system, these are often
complex and may not work in all circumstances. We have also had reports
from sites who have attempted to clean systems by running virus
checkers: they have found that in some cases the checker may remove an
infected but vital part of the operating system, resulting in a system
that had to be reinstalled from scratch anyway.
If sites attempt to clean machines, rather than re-installing them, they
should be sure to check for themselves that nothing has been overlooked
in the instructions or by anti-virus software. If any doubt exists, or
system administrators do not feel confident doing this, the machine
should be reinstalled. The number of different system configurations,
and the variety of virus infections, means that even instructions that
work perfectly in one location will fail in another.
The recommendation from JANET-CERT and most other security teams is that
infected machines should be disconnected from the network, re-installed
from scratch and patched before reconnecting. The Microsoft hotfix
checking tool hfnetchk
(http://www.microsoft.com/technet/security/tools/hfnetchk.asp) should be
used to ensure that all patches are installed on machines before they
are reconnected, including desktop machines. IIS servers should also have the
Code Red II checker/cleaner run on them before they are patched, to remove
the backdoors that may have allowed the infection to take place:
http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp
====
Network Associates have just released a virus removal tool, which can be
downloaded from http://vil.nai.com/vil/virusSummary.asp?virus_k=99209.
This removes infected files, so may well damage the system as it cleans
it.
There are preliminary instructions for removing the Nimda worm from
affected systems available at http://www.f-secure.com/nimda/ from
F-Secure (makers of F-Prot). Again, these may cause damage to the system
during the process of disinfection.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
iQEVAwUBO6m3BXnoxmgUypZhAQGN1Qf9EJdza99VxsB4q5Sv818Tm8ZSC1ZjMOej
6+7Vd73/va7KfpEg9vonFun5XvQ9688OIWvzZxPykxQJmTf0Bk8dyBZaEqJaTBKB
CSk50ysOMtRZyJLyFcXxoG2fjNLt+D+00mOL3td3BV16N21eCitPnG97trNynxWS
4r/VNdbyIq4TF5EYvcFtlrm1TnlxGykoEQ7mB0Ntj6aqgIUpEIELYbEwgf6j95UD
l3slpaqpZftMkgOJaqevIesus6fIWr5Nxkd18a++Ky7Kva4ZmeCeW9r/vMsstcRX
5EOjzvRDjnx7MYh/3Jf3Y7nZki4VnDpKbC+2gcUOzDDnd83fiefjEg==
=QGNi
-----END PGP SIGNATURE-----
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302 E-mail: [EMAIL PROTECTED]
Fax: 01235 822 398
--- End Forwarded Message ---
--
Ian
[EMAIL PROTECTED]
Home page
http://www.kcl.ac.uk/kis/support/cit//fortran/
comp-fortran-90 home page
http://www.jiscmail.ac.uk/lists/comp-fortran-90.html
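The forwarded advisory lists how the worm reaches web servers: active scanning for the IIS directory-traversal vulnerability and probing for the backdoors left by Code Red II and sadmind/IIS. The following Python script is an added example, not code from any of the list posts or from JANET-CERT; it shows how a site could triage its own IIS web logs for those two probe patterns. It assumes a simplified, constructed log format (`client method path status`, one request per line) rather than the real IIS W3C format, and the sample lines are constructed for the example. The decoder deliberately percent-decodes twice, because the IIS bugs of that era decoded the URL a second time when mapping it to a file path, so a double-encoded `%255c` ended up as a backslash; the regex also treats `..` followed by an overlong UTF-8 lead byte (0xC0/0xC1) as traversal, which is the encoding trick the traversal requests used. The attachment check at the end covers only the README.EXE name the advisory gives.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not from the page): "client method path status".
SAMPLE_LOG = """\
10.1.1.5 GET /index.html 200
10.1.1.9 GET /scripts/root.exe?/c+dir 404
10.1.1.9 GET /MSADC/root.exe?/c+dir 404
10.1.1.9 GET /c/winnt/system32/cmd.exe?/c+dir 404
10.1.1.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
10.1.1.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
10.1.1.9 GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir 404
10.1.1.7 GET /images/logo.gif 200
"""

# ".." followed by a slash, a backslash, or an overlong UTF-8 lead byte
# (0xC0/0xC1 plus any byte), which the vulnerable IIS decoder treated as
# a path separator. Matched on the decoded bytes, not the raw URL.
TRAVERSAL = re.compile(rb"\.\.(?:[/\\]|[\xc0\xc1].)", re.DOTALL)

# Executables the Code Red II backdoor exposed (root.exe) or that the
# traversal requests reached directly (cmd.exe). Both names are well known;
# they are heuristics here, not a complete signature.
BACKDOOR_TARGETS = (b"root.exe", b"cmd.exe")

# Attachment name named in the advisory; lower-cased for comparison.
RISKY_ATTACHMENTS = {"readme.exe"}


def decode_path(raw_path: str) -> bytes:
    """Percent-decode twice, mirroring the IIS double-decoding defect,
    so that "%255c" becomes "%5c" and then a backslash."""
    once = unquote_to_bytes(raw_path)
    return unquote_to_bytes(once)


def classify(raw_path: str) -> list:
    """Return the reasons a request path looks like a worm probe (may be empty)."""
    path = decode_path(raw_path).lower()
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("directory-traversal")
    if any(target in path for target in BACKDOOR_TARGETS):
        reasons.append("backdoor-or-shell-probe")
    return reasons


def scan_log(text: str) -> list:
    """Return (client, raw_path, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip blank or malformed lines
            continue
        client, _method, path, _status = parts
        reasons = classify(path)
        if reasons:
            hits.append((client, path, reasons))
    return hits


def suspicious_clients(text: str) -> list:
    """Distinct client addresses that sent at least one flagged request;
    these are the hosts to isolate and check for infection."""
    return sorted({client for client, _, _ in scan_log(text)})


def is_risky_attachment(filename: str) -> bool:
    """True for the attachment name the advisory warns about."""
    return filename.strip().lower() in RISKY_ATTACHMENTS


if __name__ == "__main__":
    for client, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}  {path}  {', '.join(reasons)}")
    print("clients to isolate:", suspicious_clients(SAMPLE_LOG))
```

Run against real logs, the list of flagged clients is the set of internal machines to disconnect and rebuild, which is the advisory's recommendation; the 404 or 200 status on a probe tells you whether the backdoor or traversal path actually existed on that server.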