[Date Prev][Date
Next][Thread Prev][Thread Next][Date
Index][Thread Index]
Re: IIS Worm
- To: ukha_d@xxxxxxx
- Subject: Re: IIS Worm
- From: galeforce9@xxxxxxx
- Date: Wed, 19 Sep 2001 16:55:41 -0000
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact
ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Hi All
If the shares keep coming back the virus is still active !
I got hit by it today on an ME machine with IE5.5 but no service
pack. Anyone reading this using IE5.5 and no service pack I STRONGLY
recommend putting service pack 2 on ASAP.
I had the same thing, here is what I did and it seems to have gone
for good now !
edit the shell line in system.ini to read just
shell - explorer.exe
delete the contents of
wininit.ini
delete all .eml files
(I do not use them if you do then act accordingly)
open a DOS shell and goto c:\windows\system
delete riched20.dll
this is a hidden system file
also delete load.exe
also a hidden system file
search for anymore occurances of either riched20.dll and load.exe and
delete if found.
remove shares
recheck system.ini and wininit.ini for re infection whilst you have
been working.
re-boot.
your machine should now be clear.
I hope this helps, it has cleared my machine but be advised delete
files at your own risk!
Ian
--- In ukha_d@y..., "Graham Howe" <graham@s...> wrote:
> >
> > Look in Tools -> Internet Options -> Connection. Make sure
that
IE is
> > not trying to use some mythical DUN to connect.
> >
> No DUN settings at all (never have been as the server never had a
modem on
> it)
>
> > In the same place, check any proxy settings are valid. Try
turning
> > the proxy off completely in case it just happens to be
temporarily
> > unavailable.
> >
> No proxy settings either
>
> > If Connection Wizard is missing files, it seems that the IE 5.5
> > installation may be compromised. I suggest going back to IE 6
since
> > it should install appropriate files for the IE 6 connection
wizard
> > assuming you downloaded the appropriate files for it. For a LAN
> > connection it is as you say pretty pointless anyway other than it
> > selecting LAN as the routing mechanism which can be acheived
through
> > options.
> >
> Can't go back to 6, it updated online and files were not
downloaded. I am
> now trying to copy across a complete set of windows update files to
> reinstall IE5. Problem is this is a lot of data and going via a slow
> pcAnywhere link!
>
> > Is IE reporting any error messages?
> >
> No, other than it eventually fails to find the page.
>
> > Try browsing to the local machine. You should be able to browse
to:
> > http://machinename/dirfromwwwroot/file.htm(l)
> > http://localhost/dirfromwwwroot/file.htm(l)
> > http://127.0.0.1/dirfromwwwroot/file.htm(l)
> > http://yourstaticip/dirfromwwwroot/file.htm(l)
> >
>
> It says page can not be displayed, which is as expected as web
server is
> disabled until I am sure everything is secure! However it did go
straight to
> the page, so problem seems to be around the routing rather than IE.
>
> > The path and filename is optional but you will likely get
> > an "unauthorised" response if there is nothing
appropriate in the
> > root of wwwroot for the local host to display.
> >
> > This will help decide whether it is merely routing of some form
or a
> > problem with the IE installation.
> >
> > BTW on a security note while you are checking this, if the above
> > reports a directory list when using not path or filename, you
will
> > need to disable directory browsing from the IIS Management
Console on
> > the wwwroot tree.
> >
> > HTH.
> >
> > Mark.
> >
> BTW for problem 1 I had turned off all shares manually but the keep
coming
> back every time I reboot.
>
> Graham
Home |
Main Index |
Thread Index
|