The UK Home Automation Archive


Re: Re: Virus



Brian,

this should answer all your questions:
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx

Justin

----- Original Message -----
From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: Sunday, September 23, 2001 12:13 PM
Subject: RE: [ukha_d] Re: Virus


> Forgot to mention, I also had TFTP asking but have disallowed it as I do
> not know what it is!
>
> Also can anyone tell me what the following are for in my firewall:-
>
> NetBT Datagram
> NetBT Session
> Outgoing ICMP Echo Request
> Trivial File Transfer Protocol App
> MMC.EXE
>
> All of these are blocked at the moment, I figure if nothing complains it
> cannot be used?
> The MMC.EXE was giving me a headache the other day as it would not stop!
> Is this to be trusted?
>
> Is there a website that lists what should be allowed in/out of a
> system? I know it will vary between PCs depending on what programs are
> installed but I am not sure what most things "do"
>
> B.
>
> > -----Original Message-----
> > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx]
> > Sent: 23 September 2001 12:04
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: Virus
> >
> >
> > It seems I have not got rid of this virus as my checker is still
> > reporting its presence!
> >
> > It says there are more *.eml's but if I do a search I cannot find any!
> >
> > I would be grateful of any assistance please,
> >
> > TIA,
> >
> > B.
> >
> > > -----Original Message-----
> > > From: John McManus [mailto:john.mcmanus@xxxxxxx]
> > > Sent: 23 September 2001 11:27
> > > To: ukha_d@xxxxxxx
> > > Subject: Re: [ukha_d] Re: Virus
> > >
> > >
> > > Having poked into things a bit more...
> > >
> > > Looked at the IIS log files on the server (w2k), I saw dodgy URLs being
> > > entered for my site.  These then invoked root.exe (which had been left
> > > over from a sadm virus that was not totally cleaned).  A couple of
> > > seconds after the external computer tried to fire up the IIS page, TFTP
> > > was invoked to the same address as the external browser (this was
> > > blocked by the firewall).
> > >
> > > Went to the Microsoft site & downloaded the 'coderedcleanup.exe' which
> > > removed the dodgy root.exe and tidied up a couple of other IIS things.
> > >
> > > Everything seems to be fine... for the moment!
> > >
> > > Lessons learnt:
> > > It is valuable to have defence in depth - firewalls, virus guards, log
> > > files for review.
> > > Backups are useful... but can be tricky to use if you are not sure when
> > > exactly you were infected with the virus.
> > > If you are running IIS, it pays to review your log files regularly.
> > > hotfixchecker from Microsoft is useful to ensure you have all the
> > > appropriate patches.
> > > The time lost to virus attacks / fixes is a real PITA in a domestic
> > > environment.
> > >
> > > ----- Original Message -----
> > > From: <steve@xxxxxxx>
> > > To: <ukha_d@xxxxxxx>
> > > Sent: Sunday, September 23, 2001 10:43 AM
> > > Subject: [ukha_d] Re: Virus
> > >
> > >
> > > > If you are in win2k just look in taskman and see if anything unusual
> > > > is running.
> > > > If there is strange stuff happening, end task it, then find it in your
> > > > computer and delete it.
> > > >
> > > > If you're on win98/95 and I think ME, you can't see "all" running
> > > > processes, so I have a neat little utility somewhere I made in VB
> > > > which allows you to list ALL running processes and kill any of them.
> > > > I think if I can find it, I will add a kill and delete button as
> > > > well, or a kill and move button.
> > > >
> > > > interested?
> > > >
> > > > HTH steve
> > > > --- In ukha_d@y..., "John McManus" <john.mcmanus@b...> wrote:
> > > > > I am in a difficult position as my virus scanner (NAV2001) does not
> > > > > show that I am infected, but the Zone Alarm Pro firewall suddenly
> > > > > (Wednesday) started asking if I want to allow TFTP (trivial file
> > > > > transfer protocol) to connect to the internet.  I have also run a
> > > > > couple of the 'cleaner' programs for Nimda virus... they too say I
> > > > > am not infected.
> > > > >
> > > > > Since I am not aware of any apps on the server that need to use
> > > > > TFTP (and the addresses that it is going to are other BT Internet
> > > > > ones), I guess I need to assume that I am infected with something
> > > > > and reformat / re-install... a real PITA.
> > > > >
> > > > > Any thoughts would be appreciated.
> > > > > ----- Original Message -----
> > > > > From: "Brian G. Reynolds" <brian.g.reynolds@n...>
> > > > > To: <ukha_d@y...>
> > > > > Sent: Saturday, September 22, 2001 7:42 PM
> > > > > Subject: RE: [ukha_d] Virus
> > > > >
> > > > >
> > > > > > Thanks Keith,
> > > > > >
> > > > > > I am using Norton AntiVirus 2001 recently bought, I used its own
> > > > > > virus scan routine, is there a better way?
> > > > > >
> > > > > > All the infected files were deleted.
> > > > > > I do use its auto update and do it manually as well.
> > > > > >
> > > > > > Thanks for the info.
> > > > > >
> > > > > > B.
> > > > > > > -----Original Message-----
> > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > Sent: 22 September 2001 19:00
> > > > > > > To: ukha_d@y...
> > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > >
> > > > > > >
> > > > > > > That's probably it.
> > > > > > >
> > > > > > > How did you run your virus scan?
> > > > > > > We ran it with Windows "Find Files" containing the text "whatever
> > > > > > > you care to put" so that it was forced to open every file on the
> > > > > > > machine, at which time the AV software should find the infected
> > > > > > > files.
> > > > > > >
> > > > > > > Make sure you keep your anti virus software up to date.
> > > > > > >
> > > > > > > At work we use VirusScan TC from McAfee.
> > > > > > > The Dat file was at version 4158 at the beginning of the week
> > > > > > > and by yesterday had reached 4162.
> > > > > > >
> > > > > > > At home I use eTrust EZ Antivirus. Its Dat file has gone from
> > > > > > > 1491 on Monday to 1512 yesterday.
> > > > > > >
> > > > > > > One of the worst things about Nimda is that YOU don't have to do
> > > > > > > anything to catch it. I have no doubt that there will be several
> > > > > > > more viruses that mimic the HTML method employed by Nimda,
> > > > > > > namely using Javascript to pop up a window at coordinates that
> > > > > > > won't show on the screen and then try to do malicious things to
> > > > > > > your machine. Disabling Javascript would stop that but would
> > > > > > > also stop many reputable web pages from working and I believe
> > > > > > > most, if not all, eCommerce sites would be less than useless if
> > > > > > > you didn't support Javascript.
> > > > > > >
> > > > > > > Once again a few idiots spoiling things for the majority :-(
> > > > > > >
> > > > > > > Keith
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > Sent: 22 September 2001 15:33
> > > > > > > > To: ukha_d@y...
> > > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > > >
> > > > > > > >
> > > > > > > > Thanks Keith, I should have known that :-(
> > > > > > > >
> > > > > > > > All .eml deleted.
> > > > > > > >
> > > > > > > > I have run the virus scan again and it does not find any more,
> > > > > > > > does that mean all is ok again?
> > > > > > > > Never had a virus before, not sure when to trust it again!
> > > > > > > >
> > > > > > > > I have already read the threads, I have re-SP2'd and another
> > > > > > > > MS patch q301625_w2k_sp3_x86_en.exe
> > > > > > > > Anything else or can I now breathe again!!
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > B.
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > > > Sent: 22 September 2001 15:07
> > > > > > > > > To: ukha_d@y...
> > > > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > *.eml are email messages but the ones that you have found
> > > > > > > > > will be loads with the same file size and datestamp.
> > > > > > > > >
> > > > > > > > > THEY ARE INFECTED WITH THE VIRUS ..... DELETE THEM.
> > > > > > > > >
> > > > > > > > > It also puts some code in any HTML or ASP files it finds
> > > > > > > > > that will infect any other PC viewing the pages.
> > > > > > > > >
> > > > > > > > > Read the previous threads from when Graham was battling to
> > > > > > > > > remove Nimda.
> > > > > > > > >
> > > > > > > > > Keith
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > > > Sent: 22 September 2001 14:04
> > > > > > > > > > To: UKHA Group
> > > > > > > > > > Subject: [ukha_d] Virus
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > What are .eml files?
> > > > > > > > > > I assume something to do with the web/html/IE?
> > > > > > > > > > It seems that these were the most attacked, I have
> > > > > > > > > > "quarantined" them but not sure if I can delete them?
> > > > > > > > > >
> > > > > > > > > > Another PC has also been infected but this time it seems
> > > > > > > > > > mostly Psion files so I have deleted them! subtle.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > >
> > > > > > > > > > B.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > > > > Post message: ukha_d@y...
> > > > > > > > > > Subscribe: ukha_d-subscribe@y...
> > > > > > > > > > Unsubscribe: ukha_d-unsubscribe@y...
> > > > > > > > > > List owner: ukha_d-owner@y...
> > > > > > > > > >
> > > > > > > > > > Your use of Yahoo! Groups is subject to
> > > > > > > > > > http://docs.yahoo.com/info/terms/




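The three tells the thread turns on (John's IIS log showing requests that reach the leftover root.exe, Keith's observation that the worm-dropped *.eml copies all share one file size and datestamp, and the off-screen JavaScript pop-up the worm appends to HTML/ASP pages) can each be checked for mechanically rather than by eye. The script below is an added example written for this archive page, not code from anyone on the list: the IIS log lines, the HTML page and the readme.eml tree it builds are all constructed sample data, and the 3000-pixel "off-screen" threshold is an assumption chosen here, not a published signature.

```python
"""Defender-side checks for the three symptoms discussed in this thread:
IIS log entries reaching root.exe/cmd.exe, clusters of identical *.eml files,
and HTML/ASP pages carrying an injected off-screen pop-up.
All sample data is constructed for this example."""
import os
import re
import tempfile
from collections import defaultdict

# Constructed IIS 5 W3C extended log; client addresses are RFC 5737 test ranges.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-23 11:02:13 192.0.2.10 GET /default.htm - 200
2001-09-23 11:02:15 198.51.100.7 GET /scripts/root.exe - 200
2001-09-23 11:02:16 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe - 404
2001-09-23 11:03:01 192.0.2.11 GET /images/logo.gif - 200
"""
# The 'dodgy URLs' John saw: a leftover root.exe, the system cmd.exe, or a
# directory-traversal sequence (plain, or with a %5c-encoded backslash).
SUSPICIOUS_STEM = re.compile(r"root\.exe|cmd\.exe|\.\./|\.\.%5c|\.\.\\", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C extended format, taking the column names from the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def flag_iis_requests(text):
    """Return (client ip, uri-stem, status) for every request matching SUSPICIOUS_STEM.
    Status is reported but not filtered on: a 404 still shows someone probing."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in parse_iis_log(text) if SUSPICIOUS_STEM.search(r["cs-uri-stem"])]


def cluster_eml_files(entries, min_members=3):
    """Group *.eml files by (size, whole-second mtime), Keith's tell-tale for
    worm-dropped copies; return clusters of at least min_members, largest first.
    entries is any iterable of (path, size, mtime), e.g. walk_entries(root)."""
    groups = defaultdict(list)
    for path, size, mtime in entries:
        if path.lower().endswith(".eml"):
            groups[(size, int(mtime))].append(path)
    clusters = [(key, sorted(paths)) for key, paths in groups.items()
                if len(paths) >= min_members]
    clusters.sort(key=lambda item: len(item[1]), reverse=True)
    return clusters


def walk_entries(root):
    """Yield (path, size, mtime) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            yield full, st.st_size, st.st_mtime


# Constructed page: a legitimate document with a script block appended after the
# closing </html>, shaped like the pop-up Keith describes.
SAMPLE_INFECTED_HTML = (
    "<html><body><h1>Home automation notes</h1></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)
WINDOW_OPEN = re.compile(r"window\.open\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)
COORD = re.compile(r"(top|left)\s*=\s*(-?\d+)", re.IGNORECASE)


def flag_offscreen_popups(html, offscreen_px=3000):
    """Return reasons a page looks like it carries the injected pop-up: a
    window.open() whose target is a .eml file, or whose top/left coordinate
    would land off any plausible screen (threshold is an assumption)."""
    reasons = []
    for call in WINDOW_OPEN.finditer(html):
        args = call.group(1)
        target = re.search(r"['\"]([^'\"]*)['\"]", args)
        if target and target.group(1).lower().endswith(".eml"):
            reasons.append("window.open targets %s" % target.group(1))
        for axis, value in COORD.findall(args):
            if abs(int(value)) >= offscreen_px:
                reasons.append("window.open places window at %s=%s" % (axis.lower(), value))
    return reasons


if __name__ == "__main__":
    for hit in flag_iis_requests(SAMPLE_IIS_LOG):
        print("suspicious request:", hit)
    # Build a throwaway tree holding three identical readme.eml copies.
    with tempfile.TemporaryDirectory() as root:
        for sub in ("a", "b", "c"):
            os.makedirs(os.path.join(root, sub))
            path = os.path.join(root, sub, "readme.eml")
            with open(path, "wb") as fh:
                fh.write(b"x" * 1024)
            os.utime(path, (1000000000, 1000000000))  # identical datestamps
        for (size, mtime), paths in cluster_eml_files(walk_entries(root)):
            print("eml cluster: size=%d mtime=%d files=%d" % (size, mtime, len(paths)))
    for reason in flag_offscreen_popups(SAMPLE_INFECTED_HTML):
        print("injected pop-up:", reason)
```

Run it directly and it prints the two probing requests, one three-file .eml cluster and the three reasons the sample page is suspect. The functions take plain text or (path, size, mtime) tuples, so they can be pointed at a real IIS log file, a directory walk of a web root, or an inventory you already hold; the cluster check in particular is what Keith's "same file size and datestamp" advice looks like when applied to a whole drive instead of one folder.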