The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: RE: OnDigital Signal Breakup...


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IIS Worm


  • To: ukha_d@xxxxxxx
  • Subject: Re: IIS Worm
  • From: galeforce9@xxxxxxx
  • Date: Wed, 19 Sep 2001 16:55:41 -0000
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Hi All
If the shares keep coming back the virus is still active !

I got hit by it today on an ME machine with IE5.5 but no service
pack. Anyone reading this using IE5.5 and no service pack I STRONGLY
recommend putting service pack 2 on ASAP.

I had the same thing, here is what I did and it seems to have gone
for good now !

edit the shell line in system.ini to read just
shell - explorer.exe

delete the contents of
wininit.ini

delete all .eml files
(I do not use them if you do then act accordingly)

open a DOS shell and goto c:\windows\system
delete riched20.dll
this is a hidden system file
also delete load.exe
also a hidden system file

search for anymore occurances of either riched20.dll and load.exe and
delete if found.

remove shares

recheck system.ini and wininit.ini for re infection whilst you have
been working.

re-boot.

your machine should now be clear.

I hope this helps, it has cleared my machine but be advised delete
files at your own risk!

Ian




--- In ukha_d@y..., "Graham Howe" <graham@s...> wrote:
> >
> > Look in Tools -> Internet Options -> Connection. Make sure
that
IE is
> > not trying to use some mythical DUN to connect.
> >
> No DUN settings at all (never have been as the server never had a
modem on
> it)
>
> > In the same place, check any proxy settings are valid. Try
turning
> > the proxy off completely in case it just happens to be
temporarily
> > unavailable.
> >
> No proxy settings either
>
> > If Connection Wizard is missing files, it seems that the IE 5.5
> > installation may be compromised. I suggest going back to IE 6
since
> > it should install appropriate files for the IE 6 connection
wizard
> > assuming you downloaded the appropriate files for it. For a LAN
> > connection it is as you say pretty pointless anyway other than it
> > selecting LAN as the routing mechanism which can be acheived
through
> > options.
> >
> Can't go back to 6, it updated online and files were not
downloaded. I am
> now trying to copy across a complete set of windows update files to
> reinstall IE5. Problem is this is a lot of data and going via a slow
> pcAnywhere link!
>
> > Is IE reporting any error messages?
> >
> No, other than it eventually fails to find the page.
>
> > Try browsing to the local machine. You should be able to browse
to:
> > http://machinename/dirfromwwwroot/file.htm(l)
> > http://localhost/dirfromwwwroot/file.htm(l)
> > http://127.0.0.1/dirfromwwwroot/file.htm(l)
> > http://yourstaticip/dirfromwwwroot/file.htm(l)
> >
>
> It says page can not be displayed, which is as expected as web
server is
> disabled until I am sure everything is secure! However it did go
straight to
> the page, so problem seems to be around the routing rather than IE.
>
> > The path and filename is optional but you will likely get
> > an "unauthorised" response if there is nothing
appropriate in the
> > root of wwwroot for the local host to display.
> >
> > This will help decide whether it is merely routing of some form
or a
> > problem with the IE installation.
> >
> > BTW on a security note while you are checking this, if the above
> > reports a directory list when using not path or filename, you
will
> > need to disable directory browsing from the IIS Management
Console on
> > the wwwroot tree.
> >
> > HTH.
> >
> > Mark.
> >
> BTW for problem 1 I had turned off all shares manually but the keep
coming
> back every time I reboot.
>
> Graham



Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.