See if this link can help or at least point you to a site that can www.sophos.com/virusinfo/analyses/w32nimdaa.html .

James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.

Also check out these links: www.cert.org/advisories/CA-2001-26.html ; and www.cert.org/tech_tips/win-UNIX-system_compromise.html .

James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.

When I hit the "Site Policies" link a few minutes ago, I got this virus: W32.Nimda.A@mm(html).  Since I have an updated Norton AV, I am clean.  I sent a message to the "feedback" area, but I thought I would post this here, too, just in case the "feedback" e-mail is only read once per day.

I have notified the Techumseh group of this problem.

This one is nasty to the core.  It can be spread by simply opening the e-mail and not even running the attached thingy.

When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file.This virus w32.nimda.a@mm

The virus attacks IIS 4 and IIS 5 (Internet Information Server version 4 and 5)

Here is a link on Symantec that explains it well

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

DougP, MCP
 
 Visit my WEB site www.barcodeone.com to see how Bar-codes can help you be more productive

We seemed to get it under control in the end. It seems as though Nortons anti virus doesn't do a good job of cleaning this virus. but it can detect it and quartine only parts of it..  When the virus creates loads of eml files all over the network, nortons is happy to let it do that (yes, we have the latest definition). We found that Mcafees did a great job of tracking down the virus and ridding it from the network.. It doesjn't even allow the virus to make new eml files.

If you have a client with this virus (and don't have mcafees , go into the system.ini (on win98) and you will find that the pc has an extra line in the "shell= explorer.exe" line..  I can't remember what it adds, but just delete the extra bits. then you need to check the riched20.dll file on the maching and make sure that it is the original (look at modified date). If it has been modified by the virus, then you should copy an original of it on to the PC (in windows\system folder)..  Delete all *.eml files that the virus has created on the network (look at the date, and also the size will be the same for all infected files..  After that I set up 1 share on a server and enabled file creation auditiing on it, that way, we could see which users were writing the files (ie, who had the virus still) and then go to their pc's and clean them..    Hope this helps anyone who is struggling with this virus.

I think the reason we got hit quite badly with this is because the virus got to our network before the latest definition was applied to the network

MD

pirogue,

Thank you for letting us know so promptly that our site was having a problem.  The problem has been fixed.

Our Technical Director Doug Trocino and I are just perplexed what motivates some to be so destructive.  It doesn't make any sense.

Thanks again.  It's having nice members like you and others who watch out for us that keep this site up and growing.  

Dave Murphy, CEO
Tek-Tips Forums
http://www.tek-tips.com

After reading through many descriptions of this virus, I am confused on a few points that maybe someone can clear up.  

First, people can get the virus by just browsing to an infected web page using IE 5 or 5.5, correct?  What about IE 6 or IE 4??  Also, microsoft's site says that ie 5.01 sp1 and ie 5.5 sp1 are vulnerable, but what if the service pack is not installed?  We have a network where a wide variety of ie versions are used, so basically I'm trying to figure out which machines need my attention right away.

Also, as I understand it, if you have the preview pane turned on in outlook 2000, it can automatically download the virus.  Outlook 97 doesn't have a 'preview pane', but it does have an 'auto preview' that displays the first few lines of the message.  Does having this on make you vulnerable?

Thanks for the help

Mike Rohde
"I don't have a god complex, god has a me complex!"

Also, I assume Outlook express 5 is affected by this.  What about 6?

Mike Rohde
"I don't have a god complex, god has a me complex!"

Has anyone else have the virus within their networks? This think is causing havok on ours. Good thing I don't need an NT server to do my job. AS400s are immune to this wave.

Mike Wills
RPG Programmer (but learning Java)

"I am bad at math because God forgot to include math.h into my program!"

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

If I read bulletin MS01-027 correctly, only IE 5.01 and 5.5 (pre SP2) are vulneriable. IE 5.5 SP2 and IE6 are supposed to be fixed. See:
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp


Also Security Focus has issued  more information in a PDF.
http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf

I also notice that Sophos, Trend Micro, and Symantec have issued clean-up programs. See their sites form more info.

James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.

It looks like it got our ISP again
No e-mails, No WEB sites

DougP, MCP
 
 Visit my WEB site www.barcodeone.com to see how Bar-codes can help you be more productive

We got hit with W32/NIMDA@MM on an NT & Oracle 7.3.4 server yesterday.   I notified the admin there and he said he would look into it.   He found something that Oracle 7.3.4 had a problem with NT service pack 6 and is requesting more info.   I am currently in the process of cleaning this machine.   Any other Oracle servers that have been hit and problems you discovered?

Terry M. Hoey

I have installed IE 5.0 SP2 on all PCs here.

Does this mean that it is OK [in Outlook 2000] to have the preview pane on? Or should I be telling users to diasble this function?

Thanks