[Date Prev][Date
Next][Thread Prev][Thread Next][Date
Index][Thread Index]
RE: Re: IIS Worm
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: IIS Worm
- From: "Graham Howe" <graham@xxxxxxx>
- Date: Wed, 19 Sep 2001 22:13:20 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact
ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
I have no AV software on the machine unfortunately. The system.ini file has
no 'Shell' line at all, but then this is an NT4 system and the one I have
at
home is the same. I have searched the registry for LanMan and it doesn't
exist as a part of a key at all. I also searched the registry for
dontrunold
and that was not found either. I have searched inside every file (showing
all hidden) for the text in the worm and found nothing. As far as I can
tell
my machine is completely clean, so I am convinced that the two problems
that
remain are due to registry settings that have been manipulated by the worm
or altered by me during attempts to clean up the damage.
Graham
> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 19 September 2001 21:51
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Ensure that Explorer is set to display all files and not hide
> extensions.
> The virus attempts to hide by hiding various file types.
>
> Assuming you have AV software installed and are happy with
> it's integrity,
> scan and repair *all* files. Leave no file untouched by the
> scanner. Reboot.
> Repeat this until the scanner comes back clean. It may take a
> number of scan
> reboot sequences to clean the system completely. This is
> quite a tenacious
> virus.
>
> At this point, check system.ini again and ensure the Shell =
> explorer line
> has not been compromised during the system clean with the
> load.exe -dontrunold addition.
>
> Only now should you try removing shares since until this
> point, they will be
> merely restored after reboot.
>
> If you continue to have problems with shares after you are
> sure the system
> is clean, check the following registry keys:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]
>
> This is where the worm installs it's shares.
>
> Shout up if nothing there is any help and I will investigate
> further. Trying
> to "damage" a machine here without actually infecting to
> reproduce some of
> the problems you are having so might have some more ideas
> soon, otherwise I
> might have to infect it and watch what it does to the system
> in more depth
> :)
>
> Mark.
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
>
>
>
>
Home |
Main Index |
Thread Index
|