RE: nimda virus changes on me

2001-09-20 Thread John Matteson

A late updated analysis of nimda reports that it infects exe files in memory
and on the hard drive of the infected machine. I don't think anyone has a
complete breakdown of the damage this worm does as of yet.

This thing makes the Morris worm and code red look like kindergarten stuff.

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)


-Original Message-
From: Ron Jameson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 12:57 PM
To: Exchange Discussions
Subject: nimda virus changes on me


Well, I just put in a 24 hour shift to patch the ol' web, email, main and
terminal servers in one form or another and clean up 30 workstations.  Was a
little too late in the blocking of all .exe files on the sybari but I think
this one entered thru the front web door on a client PC hitting an infected
web site.

Odd - two of the PC's out of the 30 were REALLY infected so as I could not
repair.  I need to format these boxes.  Has anyone seen this virus change or
morph into other executables other than the noted ones (riched20.dll,
readme.exe, load.exe, modified system.ini, plus several other windows
programs)?

Regards,

Ron Jameson


_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]




RE: nimda virus changes on me

2001-09-19 Thread Ken . Powell

Maybe it's just me, but, if your servers were infected I would rebuild them
as a matter of principle. You are only cleaning up the symptoms and closing
the hole after someone has already been in and touched you. The only way
that I know of to be assured of having truly cleaned the system is to start
fresh with all appropriate patches and then reinstall programs and data.

Anyone have any comments?

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax:(360) 759-6001


-Original Message-
From: Ron Jameson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 9:57 AM
To: Powell, Ken
Subject: nimda virus changes on me


Well, I just put in a 24 hour shift to patch the ol' web, email, main and
terminal servers in one form or another and clean up 30 workstations.  Was a
little too late in the blocking of all .exe files on the sybari but I think
this one entered thru the front web door on a client PC hitting an infected
web site.

Odd - two of the PC's out of the 30 were REALLY infected so as I could not
repair.  I need to format these boxes.  Has anyone seen this virus change or
morph into other executables other than the noted ones (riched20.dll,
readme.exe, load.exe, modified system.ini, plus several other windows
programs)?

Regards,

Ron Jameson





RE: nimda virus changes on me

2001-09-19 Thread Barry Patterson

When I scanned one of our servers with NAV from a boot floppy, it was
finding a lot of EXEs that it said were infected with NIMDA. The last folder
I saw that had several infected EXEs was Program File\Outlook Express.
It could not clean these; they were different file sizes.
I did not want to delete these files...

Still looking at it. We were going to replace this server anyway.
Also got our proxy server - I already had a replacement for it setup. Just
not online yet.

Barry

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ron Jameson
Sent: Wednesday, September 19, 2001 11:57 AM
To: Exchange Discussions
Subject: nimda virus changes on me


Well, I just put in a 24 hour shift to patch the ol' web, email, main and
terminal servers in one form or another and clean up 30 workstations.  Was a
little too late in the blocking of all .exe files on the sybari but I think
this one entered thru the front web door on a client PC hitting an infected
web site.

Odd - two of the PC's out of the 30 were REALLY infected so as I could not
repair.  I need to format these boxes.  Has anyone seen this virus change or
morph into other executables other than the noted ones (riched20.dll,
readme.exe, load.exe, modified system.ini, plus several other windows
programs)?

Regards,

Ron Jameson
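
Added example, not part of any poster's message: the changed file sizes reported in the scan above, and the question of which executables were touched, can be checked by comparing executables against a known-good snapshot by size and SHA-256. It assumes a baseline taken before infection or from a clean install of the same build; the directory tree, file contents and function names below are constructed for illustration.

```python
import hashlib
import os
import tempfile

EXEC_EXT = {".exe", ".dll"}
# Names quoted in Ron Jameson's post. A match is only a lead to review:
# riched20.dll is also a legitimate Windows file name.
NAMED_IN_THREAD = {"riched20.dll", "readme.exe", "load.exe"}

def snapshot(root):
    """Return {relative path: (size, sha256)} for executables under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    data = fh.read()  # whole-file read keeps the example short
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                found[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return found

def compare(baseline, current):
    """Diff two snapshots; every list is sorted for stable reporting."""
    new = sorted(p for p in current if p not in baseline)
    return {
        "modified": sorted(p for p in current
                           if p in baseline and baseline[p] != current[p]),
        "new": new,
        "missing": sorted(p for p in baseline if p not in current),
        "named_in_thread": [p for p in new
                            if p.rsplit("/", 1)[-1] in NAMED_IN_THREAD],
    }

def demo():
    """Constructed sample tree: take a baseline, alter it, compare."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        put("outlook express/msimn.exe", b"MZ" + b"\x00" * 64)
        put("system32/riched20.dll", b"MZ" + b"\x01" * 64)
        baseline = snapshot(root)
        put("outlook express/msimn.exe", b"MZ" + b"\x00" * 64 + b"\x90" * 32)
        put("readme.exe", b"MZ" + b"\x02" * 16)      # new file, named in thread
        put("docs/riched20.dll", b"MZ" + b"\x03" * 16)  # same name, new location
        return compare(baseline, snapshot(root))
```

Run the comparison against the disk mounted offline or from clean boot media, as with the boot-floppy scan above, since a running infected system cannot be trusted to report its own files accurately.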

