The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: RE: ** Automate Home - New Website **


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Graham Howe" <graham@xxxxxxx>
  • Date: Wed, 19 Sep 2001 22:13:20 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

I have no AV software on the machine unfortunately. The system.ini file has
no 'Shell' line at all, but then this is an NT4 system and the one I have
at
home is the same. I have searched the registry for LanMan and it doesn't
exist as a part of a key at all. I also searched the registry for
dontrunold
and that was not found either. I have searched inside every file (showing
all hidden) for the text in the worm and found nothing. As far as I can
tell
my machine is completely clean, so I am convinced that the two problems
that
remain are due to registry settings that have been manipulated by the worm
or altered by me during attempts to clean up the damage.

Graham

> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 19 September 2001 21:51
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Ensure that Explorer is set to display all files and not hide
> extensions.
> The virus attempts to hide by hiding various file types.
>
> Assuming you have AV software installed and are happy with
> it's integrity,
> scan and repair *all* files. Leave no file untouched by the
> scanner. Reboot.
> Repeat this until the scanner comes back clean. It may take a
> number of scan
> reboot sequences to clean the system completely. This is
> quite a tenacious
> virus.
>
> At this point, check system.ini again and ensure the Shell =
> explorer line
> has not been compromised during the system clean with the
> load.exe -dontrunold addition.
>
> Only now should you try removing shares since until this
> point, they will be
> merely restored after reboot.
>
> If you continue to have problems with shares after you are
> sure the system
> is clean, check the following registry keys:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]
>
> This is where the worm installs it's shares.
>
> Shout up if nothing there is any help and I will investigate
> further. Trying
> to "damage" a machine here without actually infecting to
> reproduce some of
> the problems you are having so might have some more ideas
> soon, otherwise I
> might have to infect it and watch what it does to the system
> in more depth
> :)
>
> Mark.
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
>
>
>
>



Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.