RE: Re: IIS Worm
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: IIS Worm
- From: "Mark Hetherington (egroups)" <mark.egroups@xxxxxxx>
- Date: Wed, 19 Sep 2001 21:51:27 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Ensure that Explorer is set to display all files and not hide extensions.
The virus attempts to hide by hiding various file types.
Assuming you have AV software installed and are happy with its integrity,
scan and repair *all* files. Leave no file untouched by the scanner.
Reboot.
Repeat this until the scanner comes back clean. It may take a number of
scan reboot sequences to clean the system completely. This is quite a
tenacious virus.
At this point, check system.ini again and ensure the Shell = explorer line
has not been compromised during the system clean with the
load.exe -dontrunold addition.
Only now should you try removing shares since until this point, they will
be merely restored after reboot.
If you continue to have problems with shares after you are sure the system
is clean, check the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]
This is where the worm installs its shares.
Shout up if nothing there is any help and I will investigate further.
Trying to "damage" a machine here without actually infecting to reproduce
some of the problems you are having so might have some more ideas soon,
otherwise I might have to infect it and watch what it does to the system in
more depth :)
Mark.
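
The two post-clean checks described in the message above (the Shell line in system.ini and the C$-Z$ keys under LanMan), as an added example that is not part of the original post. It assumes the Shell entry sits in the [boot] section with a clean value of explorer.exe, and that the registry is read from a regedit plain-text export; the sample inputs are constructed.

```python
import re

# Key path as quoted in the message; a regedit text export writes each key
# on its own line as "[HKEY_...\path]" (assumed input format).
LANMAN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan"
SHARE_KEY = re.compile(r"^\[" + re.escape(LANMAN) + r"\\([C-Z]\$)\]$", re.IGNORECASE)

def check_shell_line(system_ini_text):
    """Return (value, clean) for the Shell= entry in the [boot] section."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "boot" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "shell":
            value = value.strip()
            # Anything after explorer.exe (e.g. "load.exe -dontrunold") is not clean.
            return value, value.lower() == "explorer.exe"
    return None, False  # no Shell entry found: treat as not clean

def find_drive_shares(reg_export_text):
    """Return the single-letter drive share keys (C$..Z$) found under LanMan."""
    found = []
    for raw in reg_export_text.splitlines():
        match = SHARE_KEY.match(raw.strip())
        if match:
            found.append(match.group(1).upper())
    return found

# Constructed samples: an altered Shell line and an export with two drive shares.
SAMPLE_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\ndevice=x\n"
SAMPLE_REG = ("REGEDIT4\n\n[" + LANMAN + "\\C$]\n\n[" + LANMAN + "\\DOCS]\n\n["
              + LANMAN + "\\D$]\n")

if __name__ == "__main__":
    value, clean = check_shell_line(SAMPLE_INI)
    print("Shell =", value, "(clean)" if clean else "(needs fixing)")
    print("Drive shares still present:", find_drive_shares(SAMPLE_REG))
```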