Symantec Security Response - W32.Nimda.D@mm
Symantec Security Response
http://securityresponse.symantec.com
W32.Nimda.D@mm
Discovered on: October 29, 2001
Last Updated on: October 29, 2001 at 07:00:35 AM PST
W32.Nimda.D@mm is a new version of W32.Nimda.A@mm that contains
We are all blocking .EXE files like we are supposed to, right?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Greatlakes,
Reebdnes
Sent: Monday, October 29, 2001 10:34 AM
To: Exchange Discussions
Subject: nimda d??
Symantec Security Response - W32
Discussions
Subject: RE: nimda d??
We are all blocking .EXE files like we are supposed to, right?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Greatlakes,
Reebdnes
Sent: Monday, October 29, 2001 10:34 AM
To: Exchange Discussions
Subject: nimda d
: RE: nimda d??
Uh huh, yep. And many others from the list you provided. Thanks again
for that.
Bill Lambert, Mcp, Mcse
Endoxy Healthcare
847-941-9206
[EMAIL PROTECTED]
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 29, 2001 1:43 PM
I think one of the requirements for getting your name in the FAQ is that you
actually *have* an Exchange Server...
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 29, 2001 3:27 PM
To: Exchange Discussions
Subject: RE: nimda d??
Yea. I want
lmao
-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 29, 2001 12:44 PM
To: Exchange Discussions
Subject: RE: nimda d??
I think one of the requirements for getting your name in the FAQ is that you
actually *have* an Exchange Server
*sobbing*
That was uncalled for!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Andy David
Sent: Monday, October 29, 2001 12:44 PM
To: Exchange Discussions
Subject: RE: nimda d??
I think one of the requirements for getting your name in the FAQ
Yes I am!
I keep my sKiLLs sharpened here.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Barry Patterson
Sent: Monday, October 29, 2001 12:48 PM
To: Exchange Discussions
Subject: RE: nimda d??
LOL
I think he's working on it - right Martin
: Monday, October 29, 2001 3:49 PM
To: Exchange Discussions
Subject: RE: nimda d??
Yes I am!
I keep my sKiLLs sharpened here.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Barry Patterson
Sent: Monday, October 29, 2001 12:48 PM
To: Exchange Discussions
FAQ 5.1
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Posted At: Monday, October 29, 2001 02:27 PM
Posted To: MSExchange Mailing List
Conversation: nimda d??
Subject: RE: nimda d??
Yea. I want that in the FAQ.
Next to the Ed Crowley Server Move, I want
Did I ever tell you about the beautiful Exch server I used to have
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dillon, Jeff
Sent: Monday, October 29, 2001 12:58 PM
To: Exchange Discussions
Subject: RE: nimda d??
Once it's up, Martin will have
We used the nimda removal tool at my location. It changed the
permissions on all our shares resulting in over 400 users not being able
to access shared locations on our servers. Having the correct Norton
Antivirus definitions helped us more than the removal tool.
-Original Message
I had the same problem, but that was with the first release of the tool. Now
the latest has the option of turning the shares off...
-Original Message-
From: Steven Conley [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 2:27 PM
To: Exchange Discussions
Subject: RE: Nimda
: Nimda
NOT SURE ABOUT THAT HAVEN'T NOTICED IT BUT I DO KNOW THAT IT ADDS A LINE TO
THE SHELL=EXPLORER.EXE LINE WITHIN THE SYSTEM.INI FILE. ALSO ADDS LINES TO A
FILE CALLED WINIT.INI AND YOU MUST DELETE ALL OF THOSE LINES AS WELL. AFTER
THAT YOU SHOULD DO A SEARCH FOR ALL *.EML FILES AND DELETE THEM
Here Michèle:
AOLUser2mime.exe
Barry
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 27, 2001 9:41 AM
To: Exchange Discussions
Subject: RE: Nimda
Ow! My eyes! My eyes!!
-Michèle
Immigration site: http
, 2001 7:56 AM
To: Exchange Discussions
Subject: RE: Nimda
Sure I make my living supporting Microsoft's software too but you do have to
admit that there are some features in outlook and many other Microsoft
products that seemed like a good thing at the time but only make our lives
entertaining
:56 AM
To: Exchange Discussions
Subject: RE: Nimda
Sure I make my living supporting Microsoft's software too but you do have to
admit that there are some features in outlook and many other Microsoft
products that seemed like a good thing at the time but only make our lives
entertaining. Personally
-Original Message-
From: Ed Crowley [mailto:[EMAIL PROTECTED]]
Sent: 21 September 2001 08:45
To: Exchange Discussions
Subject: RE: Nimda
Exactly. We all KNOW it's bad! (Tongue firmly in cheek)
Ed Crowley MCSE+Internet MVP
Tech Consultant
Compaq Computer Corporation (soon to be HP)
All your base
Nimba virus is not yet ready.. only his sequel nimda is out there
Kuminda Chandimith
Sr. Technical Consultant
Ducont.com FZ-LLC
Tel: + 971-4-3913000 Ext 237
Fax: +971-4-3913001
http://www.ducont.com
-Original Message-
From: Ronald Mazzotta [mailto:[EMAIL PROTECTED]]
Sent: 21
To be followed by Kimba the White Lion virus.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kuminda
Chandimith
Sent: Saturday, September 22, 2001 2:50 AM
To: Exchange Discussions
Subject: RE: Nimda
Nimba virus is not yet ready.. only his sequel
PM
To: Exchange Discussions
Subject: Nimda Other Viruses - OT
I realize there has been a terrible tragedy, and there are more important
things to worry about than computer viruses, but no one seems to care about
stopping people from creating viruses. After the Love Bug viruses it seems
that I
Subject: RE: Nimda
Well then why work with it.. Why be on this list? Why even post to it??
We here make our livings based on their software and don't really like
crap comments like that. Go shit in someone else's back yard. We here don't
want to hear your crap.
Period.
Kevinm
While we are on the subject, does anyone know how nimda finds an SMTP host
for its attempts to propagate itself SMTP? I've read all the reports I can
find, all mention its internal SMTP engine, but none tell how he finds an
SMTP host to connect
Thanks guys!
Denyse
-Original Message-
From: Bill Grocott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 4:07 PM
To: Exchange Discussions
Subject: RE: Nimda
Also www.hotel.com and their new site www.hotelbids.com
Bill
-Original Message-
From: John Matteson
Discussions
Subject: RE: Nimda
While we are on the subject, does anyone know how nimda finds an SMTP host
for its attempts to propagate itself SMTP? I've read all the reports I can
find, all mention its internal SMTP engine, but none tell how he finds an
SMTP host to connect
Simpler-Webb, Inc. Austin, TX +1-512-322-0071
*
-Original Message-
From: Jeremy Newell [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 9:56 AM
To: Exchange Discussions
Subject: RE: Nimda
Sure I
To: Exchange Discussions
Subject: RE: Nimda
Searched cisco for nimba returned 0 results.
-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 11:29 AM
To: Exchange Discussions
Subject: RE: Nimda
You asked and answered your own question
Ooo thanks
-Original Message-
From: Randal, Phil [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 11:36 AM
To: Exchange Discussions
Subject: RE: Nimda
Try here:
http://www.cisco.com/warp/public/63/nimda.shtml
Phil
-
Phil Randal
Will (from this list) had sent me this link - he was helping me out on
this issue. He's probably too busy to post this so I thought I would.
Symantec has created a removal tool for the Nimda virus.
http:[EMAIL PROTECTED]
Mike
A late updated analysis of nimda reports that it infects exe files in memory
and on the hard drive of the infected machine. I don't think anyone has a
complete breakdown of the damage this worm does as of yet.
This thing makes the Morris worm and code red look like kindergarten stuff.
John
Did everyone get nailed by Nimda? This list is dead today!
I got eight hits from it last night. Thank god for proper working antivirus
apps!
John
_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives
: Thursday, September 20, 2001 7:32 PM
Subject: Nimda
Did everyone get nailed by Nimda? This list is dead today!
I got eight hits from it last night. Thank god for proper working
antivirus
apps!
John
We have not had any come in through email.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip
Sent: Thursday, September 20, 2001 10:50 AM
To: Exchange Discussions
Subject: Re: Nimda
I got none ... guess I don't have any friends
-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:50 PM
To: Exchange Discussions
Subject: RE: Nimda
We have not had any come in through email.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip
Sent
I assume it also forces a lock of the Caps Lock key?
-Original Message-
From: Tener, Richard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:56 PM
To: Exchange Discussions
Subject: RE: Nimda
I GOT NAILED BY IT I WAS AT WORK FOR 36 HOURS STRAIGHT TRYING TO FIGURE OUT
HOW
troubles too. Some people can't get their
Outlook open - not enough system resources. . . We're all up to date
with Virus software for Nimda, but the .eml files are still being created
- but not on every machine. Weird. How do you find the machine that's
affecting the rest of the network
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:56 PM
To: Exchange Discussions
Subject: RE: Nimda
I assume it also forces a lock of the Caps Lock key?
-Original Message-
From: Tener, Richard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 1:56 PM
To: Exchange
HEY RICHARD!!! TURN OFF YOUR CAPS LOCK!!! WE CAN HEAR YOU JUST
FINE!!!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tener, Richard
Sent: Thursday, September 20, 2001 11:06 AM
To: Exchange Discussions
Subject: RE: Nimda
NOT SURE ABOUT
FROM THE NETWORK THEN UNSHARED ALL THEIR SHARES AND SCANNED THE SERVER.
THIS VIRUS WAS A PAIN IN THE ASS.
-Original Message-
From: Mike Omilian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 2:06 PM
To: Exchange Discussions
Subject: Re: Nimda
I got nailed too. Not from an e
Yea, we rolled out IE6 to 80 WKS's in about 30 minutes.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Lefkovics,
William
Sent: Thursday, September 20, 2001 10:59 AM
To: Exchange Discussions
Subject: RE: Nimda
Clearly snimda need to apply skcap
Microsoft softwar is bad!
period!
--er
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 11:09 AM
To: Exchange Discussions
Subject: RE: Nimda
Yea, we rolled out IE6 to 80 WKS's in about 30 minutes.
-Original Message-
From
Is there a way to remotely tell what IE version a client machine has?
-Original Message-
From: Romero, Eric [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 11:12 AM
To: Exchange Discussions
Subject: RE: Nimda
Microsoft softwar is bad!
period!
--er
-Original Message
Does anyone know of an infected site? I need it for testing purposes.
Thanks,
Denyse
-Original Message-
From: Mike Omilian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 2:06 PM
To: Exchange Discussions
Subject: Re: Nimda
I got nailed too. Not from an e-mail - I
: RE: Nimda
Microsoft softwar is bad!
period!
--er
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 11:09 AM
To: Exchange Discussions
Subject: RE: Nimda
Yea, we rolled out IE6 to 80 WKS's in about 30 minutes.
-Original Message
: RE: Nimda
Clearly snimda need to apply skcap ecivres to their srevres and
snoitatskrow.
I've taken the blame at our office because a few workstations were still on
IE5.5 with no service pack. Someone visited a website. That's all it took.
William
-Original Message-
From: Tener
So is your spelling
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Romero, Eric
Sent: Thursday, September 20, 2001 11:12 AM
To: Exchange Discussions
Subject: RE: Nimda
Microsoft softwar is bad!
period!
--er
-Original Message-
From: Martin
: Re: Nimda
I got nailed too. Not from an e-mail - I currently block all exe's. We
must have gotten it from an infected web page. I already applied the
patch for Code Red last month but my problem is a little bigger:
I can't log onto the server without getting a Dr Watson error for
explorer.exe
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Romero, Eric
Sent: Thursday, September 20, 2001 11:12 AM
To: Exchange Discussions
Subject: RE: Nimda
Microsoft softwar is bad!
period!
--er
-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday
, that there
are none so blind as those who will not see
--The Moody Blues (I know you're out there)
-Original Message-
From: Huot, Denyse [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 2:08 PM
To: Exchange Discussions
Subject: RE: Nimda
Does anyone know of an infected site? I need
Also www.hotel.com and their new site www.hotelbids.com
Bill
-Original Message-
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 4:05 PM
To: Exchange Discussions
Subject: RE: Nimda
Yep:
MCS.K12.NY.US
They are infected, as of Tuesday. They may
Nimda - a-nother day that will live in infamy (SP?). I lost our exchange
server and am still trying to fully recover - time to re-think those
disaster prep plans and need to find my 5.5 upgrade -ugh!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf
by:
Http://www.tiggercam.co.uk For all your tigger needs
You 2 can rent this space if you need it.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Paul Done
Sent: Thursday, September 20, 2001 3:08 PM
To: Exchange Discussions
Subject: RE: Nimda
Nimda
Did you restart the NAVEX service after the reg edit? What does the text
file that NAVEX replaces the unauth file say?
John
-Original Message-
From: Orin Rehorst [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 3:44 PM
To: Exchange Discussions
Subject: Nimda fallout
Martinez
Sent: Thursday, September 20, 2001 10:33 AM
To: Exchange Discussions
Subject: Nimda
Did everyone get nailed by Nimda? This list is dead today!
I got eight hits from it last night. Thank god for proper working antivirus
apps!
John
: Thursday, September 20, 2001 11:21 AM
To: Exchange Discussions
Subject: RE: Nimda
Well then why work with it.. Why be on this list? Why even post to it??
We here make our livings based on their software and don't really like
crap comments like that. Go shit in someone else's back yard. We here don't
want
Well, I just put in a 24 hour shift to patch the ol' web, email, main and
terminal servers in one form or another and clean up 30 workstations. Was a
little too late in the blocking of all .exe files on the sybari but I think
this one entered thru the front web door on a client PC hitting an
-Original Message-
From: Ron Jameson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 9:57 AM
To: Powell, Ken
Subject: nimda virus changes on me
Well, I just put in a 24 hour shift to patch the ol' web, email, main and
terminal servers in one form or another and clean up 30
When I scanned one of our servers with NAV, from a boot floppy it was
finding a lot of EXE's that it said were infected with NIMDA. The last folder
I saw that had several infected EXE's was Program File\Outlook Express
It could not clean these, they were different file sizes.
I did not want
Ditto!
Michael Semiglia
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 1:37 PM
To: Exchange Discussions
Subject: RE: nimda virus changes on me
Maybe it's just me, but, if your servers were infected I would rebuild them
60 matches