I suspect the same thing. I have never, until Tuesday, received a ZoneAlarm warning at work, but Tuesday I got 25 from internal servers trying to access port 80. My computer is clean, clean, clean.

[EMAIL PROTECTED] wrote:
>
> For what it's worth, at this late point.
>
> It appears that Zone Alarm is successfully blocking the worm from spreading
> on networked computers.
>
> Our campus had two servers infected, and every few minutes, Zone Alarm
> would pop up and say it had deflected an access attempt from these
> machines. It's unclear that the hits were really the worm, but the level
> of activity and our IT department think it points in that direction.
>
> Paul Patrick [EMAIL PROTECTED]
> University of Central Oklahoma
> Edmond, OK 73034
> (405) 974-2336 fax (405) 341-4964
>
>
> "Dan Goldberg" <dang@lancecamper.com>
> Sent by: owner-rbase-l@sonetmail.com
> 09/20/2001 10:02 AM
> Please respond to rbase-l
>
> To: <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Nimda virus: clean-up warning and instructions <fwd>
>
>
> I found a free cleaner on www.antivirusexpert.com
>
> It worked good on a couple of machines that were infected here.
>
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Ian Chivers
> Sent: Thursday, September 20, 2001 1:25 PM
> To: [EMAIL PROTECTED]
> Subject: Nimda virus: clean-up warning and instructions <fwd>
>
>
> I'm on a uk academic networking mailing list. this
> is the message from the technical people who manage
> this network.
>
> i've seen it wipe out two servers, leaving them
> unusable. you can't run .exe files for example.
>
>
> The virus infects systems running Microsoft Windows 95, 98, ME, NT, and
> 2000.
> This new worm appears to spread by multiple mechanisms:
> * from client to client via email
> * from client to client via open network shares
> * from web server to client via browsing of compromised web sites
> * from client to web server via active scanning for and exploitation of
>   the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
> * from client to web server via scanning for the back doors left behind
>   by the "Code Red II", and "sadmind/IIS" worms
>
> The virus can spread via email therefore if you receive an email with
> an attachment called README.EXE do not open the attachment.
>
> hope this helps.
>
> --- Begin Forwarded Message ---
>
> Date: Thu, 20 Sep 2001 10:29:48 +0100
> From: Andrew Cormack <[EMAIL PROTECTED]>
> Subject: Nimda virus: clean-up warning and instructions
> Sender: [EMAIL PROTECTED]
> To: Receivers of CERT messages <[EMAIL PROTECTED]>
> Reply-To: Andrew Cormack <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> We are still dealing with over a hundred sites suffering from infection
> by the Nimda worm. Please bear with us if our response is a little
> slower than usual.
>
> Several people have asked if there is a way to remove this worm from an
> infected system other than doing a complete re-install. A number of web
> sites are now offering instructions however due to the very large number
> of changes made by the worm to an infected system these are often
> complex and may not work in all circumstances. We have also had reports
> from sites who have attempted to clean systems by running virus
> checkers: they have found that in some cases the checker may remove an
> infected but vital part of the operating system, resulting in a system
> that had to be reinstalled from scratch anyway.
>
> If sites attempt to clean machines, rather than re-installing them, they
> should be sure to check for themselves that nothing has been overlooked
> in the instructions or by anti-virus software.
> If any doubt exists, or
> system administrators do not feel confident doing this, the machine
> should be reinstalled. The number of different system configurations,
> and the variety of virus infections, means that even instructions that
> work perfectly in one location will fail in another.
>
> The recommendation from JANET-CERT and most other security teams is that
> infected machines should be disconnected from the network, re-installed
> from scratch and patched before reconnecting. The Microsoft hotfix
> checking tool hfnetchk
> (http://www.microsoft.com/technet/security/tools/hfnetchk.asp) should be
> used to ensure that all patches are installed on machines before they
> are reconnected, including desktop machines. IIS servers should have the
> Code Red II checker/cleaner run on them also
> before they are patched to remove the backdoors that may have allowed
> the infection to take place.
> http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp
>
> ====
> Network Associates have just released a virus removal tool, which can be
> downloaded from http://vil.nai.com/vil/virusSummary.asp?virus_k=99209.
> This removes infected files, so may well damage the system as it cleans
> it.
>
> There are preliminary instructions for removing the Nimda worm from
> affected systems available at http://www.f-secure.com/nimda/ from
> F-Secure (makers of F-Prot). Again, these may cause damage to the system
> during the process of disinfection.
>
> --------------------------------------------------------------
> Andrew Cormack
> Head of CERT
> UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
>
> Phone: 01235 822 302 E-mail: [EMAIL PROTECTED]
> Fax: 01235 822 398
>
> --- End Forwarded Message ---
>
>
> --
>
> Ian
>
> [EMAIL PROTECTED]
>
> Home page
>
> http://www.kcl.ac.uk/kis/support/cit//fortran/
>
> comp-fortran-90 home page
>
> http://www.jiscmail.ac.uk/lists/comp-fortran-90.html
