The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: Re: Bloody BT!


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Mark Hetherington \(egroups\)" <mark.egroups@xxxxxxx>
  • Date: Wed, 19 Sep 2001 21:51:27 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Ensure that Explorer is set to display all files and not hide extensions.
The virus attempts to hide by hiding various file types.

Assuming you have AV software installed and are happy with it's integrity,
scan and repair *all* files. Leave no file untouched by the scanner.
Reboot.
Repeat this until the scanner comes back clean. It may take a number of
scan
reboot sequences to clean the system completely. This is quite a tenacious
virus.

At this point, check system.ini again and ensure the Shell = explorer line
has not been compromised during the system clean with the
load.exe -dontrunold addition.

Only now should you try removing shares since until this point, they will
be
merely restored after reboot.

If you continue to have problems with shares after you are sure the system
is clean, check the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]

This is where the worm installs it's shares.

Shout up if nothing there is any help and I will investigate further.
Trying
to "damage" a machine here without actually infecting to
reproduce some of
the problems you are having so might have some more ideas soon, otherwise I
might have to infect it and watch what it does to the system in more depth
:)

Mark.


For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe:  ukha_d-subscribe@xxxxxxx
Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
List owner:  ukha_d-owner@xxxxxxx

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/


Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.