RE: Re: Virus

["Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>]

Thanks John and Justin for your help, I am downloading as many patches as I
can find!

B.

> -----Original Message-----
> From: John McManus [mailto:john.mcmanus@xxxxxxx]
> Sent: 23 September 2001 13:27
> To: ukha_d@xxxxxxx
> Subject: Re: [ukha_d] Re: Virus
>
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.
> a@xxxxxxx
> al.tool.html
>
> http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp
> ?VName=PE_
> NIMDA.A
>
> both these sites provide tools to clear up NIMDA...
>
> ----- Original Message -----
> From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
> To: <ukha_d@xxxxxxx>
> Sent: Sunday, September 23, 2001 12:13 PM
> Subject: RE: [ukha_d] Re: Virus
>
>
> > Forgot to mention, I also TFTP asking but have disallowed it as I
do not
> > know what it is!
> >
> > Also can anyone tell me what the following are for in my
firewall:-
> >
> > NetBT Datagram
> > NetBT Session
> > Outgoing ICMP Echo Request
> > Trivial File Transfer Protocol App
> > MMC.EXE
> >
> > All of these are blocked at the moment, I figure if nothing
complains It
> > cannot be used?
> > The MMC.EXE was giving me a headache the other day as it would
not stop!
> is
> > this to be trusted?
> >
> > Is there a website that lists what should be allowed in/out of
> a system? I
> > know it will vary between PC's depending on what programs are
installed
> but
> > I am not sure what most things "do"
> >
> > B.
> >
> > > -----Original Message-----
> > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx]
> > > Sent: 23 September 2001 12:04
> > > To: ukha_d@xxxxxxx
> > > Subject: RE: [ukha_d] Re: Virus
> > >
> > >
> > > It seems I have not got rid of this virus as my checker is
still
> reporting
> > > it's presence!
> > >
> > > It says there are more *.eml's but if I do a search I cannot
find any!
> > >
> > > I would be grateful of any assistance please,
> > >
> > > TIA,
> > >
> > > B.
> > >
> > > > -----Original Message-----
> > > > From: John McManus [mailto:john.mcmanus@xxxxxxx]
> > > > Sent: 23 September 2001 11:27
> > > > To: ukha_d@xxxxxxx
> > > > Subject: Re: [ukha_d] Re: Virus
> > > >
> > > >
> > > > Having poked into things a bit more...
> > > >
> > > > Looked at the IIS log files on the server (w2k), I saw
dodgy URLs
> being
> > > > entered for my site.  These then invoked root.exe
(which had been
> > > > left over
> > > > from a sadm virus that was not totally cleaned).  A
couple of
> > > > seconds after
> > > > the external computer tried to fire up the IIS page,
TFTP was
> > > > invoked to the
> > > > same address as the external browser (this was blocked
by the
> firewall).
> > > >
> > > > Went to the Microsoft site & downloaded the
> 'coderedcleanup.exe' which
> > > > removed the dodgy root.exe and tidied up a couple of
other
> IIS things.
> > > >
> > > > Everything seems to be fine... for the moment!
> > > >
> > > > Lessons learnt:
> > > > It is valuable to have defence in depth - firewalls,
virus
> > > > guards, log files
> > > > for review.
> > > > Backups are useful... but can be tricky to use if you
are not sure
> when
> > > > exactly you were infected with the virus.
> > > > If you are running IIS, it pays to review your log
files regularly.
> > > > hotfixchecker from Microsoft is useful to ensure you
have all the
> > > > appropriate patches.
> > > > The time lost to virus attacks / fixes is a real PITA
in a domestic
> > > > environment.
> > > >
> > > > ----- Original Message -----
> > > > From: <steve@xxxxxxx>
> > > > To: <ukha_d@xxxxxxx>
> > > > Sent: Sunday, September 23, 2001 10:43 AM
> > > > Subject: [ukha_d] Re: Virus
> > > >
> > > >
> > > > > If you are in win2k just look in taskman and see
if
> anythingunusual
> > > > > is running.
> > > > > if there is strange stuff happening, end task it,
then find it in
> you
> > > > > computer and delete  it.
> > > > >
> > > > > if your on win98/95 and i think ME.
> > > > > you cant see "all" running processes, so
i have a neat little
> utility
> > > > > somewhere i made in VB which alows you to list ALL
> running processes
> > > > > and kill any of them, i think if i can find it, i
will add, a kill
> > > > > and delete button aswell, or a kill and move
button.
> > > > >
> > > > > interested?
> > > > >
> > > > > HTH steve
> > > > > --- In ukha_d@y..., "John McManus"
<john.mcmanus@b...> wrote:
> > > > > > I am in a difficult position as my virus
scanner (NAV2001) does
> not
> > > > > show
> > > > > > that I am infected, but the Zone Alarm Pro
firewall suddenly
> > > > > (Wednesday)
> > > > > > started asking if I want to allow TFTP
(trivial file transfer
> > > > > protocol) to
> > > > > > connect to the internet.  I have also run a
couple of the
> 'cleaner'
> > > > > programs
> > > > > > for Nimda virus... they too say I am not
infected.
> > > > > >
> > > > > > Since I am not aware of any apps on the
server that need to use
> > > > > TFTP (and
> > > > > > the addresses that it is going to are other
BT Internet ones), I
> > > > > guess I
> > > > > > need to assume that I am infected with
something and reformat /
> > > > > > re-install... a real PITA.
> > > > > >
> > > > > > Any thoughts would be appreciated.
> > > > > > ----- Original Message -----
> > > > > > From: "Brian G. Reynolds"
<brian.g.reynolds@n...>
> > > > > > To: <ukha_d@y...>
> > > > > > Sent: Saturday, September 22, 2001 7:42 PM
> > > > > > Subject: RE: [ukha_d] Virus
> > > > > >
> > > > > >
> > > > > > > Thanks Keith,
> > > > > > >
> > > > > > > I am using Norton AntiVirus 2001
recently bought, I
> used its own
> > > > > virus
> > > > > > scan
> > > > > > > routine, is there a better way?
> > > > > > >
> > > > > > > All the infected files were deleted.
> > > > > > > I do use it's auto update and do it
manually as well.
> > > > > > >
> > > > > > > Thanks for the info.
> > > > > > >
> > > > > > > B.
> > > > > > > > -----Original Message-----
> > > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > > Sent: 22 September 2001 19:00
> > > > > > > > To: ukha_d@y...
> > > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > > >
> > > > > > > >
> > > > > > > > Thats probably it.
> > > > > > > >
> > > > > > > > How did you run yor virus scan?
> > > > > > > > We ran it Windows "Find
Files" containing the text "whatever
> > > > > you care to
> > > > > > > > put" so that it was forced to
open everyfile on the machine,
> at
> > > > > which
> > > > > > time
> > > > > > > > the AV software should find the
infected files.
> > > > > > > >
> > > > > > > > Make sure you keep your anti virus
software upto date.
> > > > > > > >
> > > > > > > > At work we use VirusScan TC from
McAfee.
> > > > > > > > The Dat file was at version 4158 at
the beginning
> of the week
> > > > > and by
> > > > > > > > yesterday had reached 4162.
> > > > > > > >
> > > > > > > > At home I use eTrust EZ Antivirus.
Its Dat file has
> gone from
> > > > > > > > 1491 on Monday
> > > > > > > > to 1512 yesterday.
> > > > > > > >
> > > > > > > > One of the worst things about Nimda
is that YOU dont have to
> do
> > > > > > > > anything to
> > > > > > > > catch it. I have no doubt that
there will be several more
> > > > > viruses
> > > > > > > > that mimic
> > > > > > > > the HTML method employed by Nimda,
namely using
> Javascript to
> > > > > Pop-Up a
> > > > > > > > window at coordinates that wont
show on the screen and then
> try
> > > > > to do
> > > > > > > > malicious things to your machine.
Disabling Javascript would
> > > > > stop that
> > > > > > but
> > > > > > > > would also stop many reputable web
pages from working and I
> > > > > > > > believe most, if
> > > > > > > > not all eCommerce sites would be
less than useless if you
> didnt
> > > > > support
> > > > > > > > Javascript.
> > > > > > > >
> > > > > > > > Once again a few idiots spoiling
things for the majority :-(
> > > > > > > >
> > > > > > > > Keith
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > > Sent: 22 September 2001 15:33
> > > > > > > > > To: ukha_d@y...
> > > > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks Keith, I should have
known that :-(
> > > > > > > > >
> > > > > > > > > All .eml deleted.
> > > > > > > > >
> > > > > > > > > I have run the virus scan
again and it does not find any
> mere
> > > > > > > > > does that mean
> > > > > > > > > all is ok again?
> > > > > > > > > Never had a virus before not
sure when to trust it again!
> > > > > > > > >
> > > > > > > > > I have already read the
threads, I have re-SP2'd
> and another
> > > > > MS patch
> > > > > > > > > q301625_w2k_sp3_x86_en.exe
> > > > > > > > > Anything else or can I now
breathe again!!
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > B.
> > > > > > > > >
> > > > > > > > > > -----Original
Message-----
> > > > > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > > > > Sent: 22 September 2001
15:07
> > > > > > > > > > To: ukha_d@y...
> > > > > > > > > > Subject: RE: [ukha_d]
Virus
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > *.eml are email messages
but the ones that hyou
> have found
> > > > > > > > will be loads
> > > > > > > > > > with the same file size
and datestamp.
> > > > > > > > > >
> > > > > > > > > > THEY ARE INFECTED WITH
THE VIRUS ..... DELETE THEM.
> > > > > > > > > >
> > > > > > > > > > It also puts some codew
in any HTML or ASP
> files it finds
> > > > > that
> > > > > > > > > will infect
> > > > > > > > > > any other PC viewing the
pages.
> > > > > > > > > >
> > > > > > > > > > Read the previous threads
from when Graham was
> battling to
> > > > > > > > remove Nimda.
> > > > > > > > > >
> > > > > > > > > > Keith
> > > > > > > > > >
> > > > > > > > > > > -----Original
Message-----
> > > > > > > > > > > From: Brian G.
Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > > > > Sent: 22 September
2001 14:04
> > > > > > > > > > > To: UKHA Group
> > > > > > > > > > > Subject: [ukha_d]
Virus
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > What are .eml files?
> > > > > > > > > > > I assume something
to do with the web/html/IE?
> > > > > > > > > > > It seems that these
were the most attacked, I have
> > > > > > > > > > "quarantined"
them but
> > > > > > > > > > > not sure if I can
delete them?
> > > > > > > > > > >
> > > > > > > > > > > Another PC has also
been infected but this
> time is seems
> > > > > mostly
> > > > > > > > > > > Psion files
> > > > > > > > > > > so I have deleted
them! subtle.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > B.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > For more
information: http://www.automatedhome.co.uk
> > > > > > > > > > > Post message:
ukha_d@y...
> > > > > > > > > > > Subscribe: 
ukha_d-subscribe@y...
> > > > > > > > > > > Unsubscribe: 
ukha_d-unsubscribe@y...
> > > > > > > > > > > List owner: 
ukha_d-owner@y...
> > > > > > > > > > >
> > > > > > > > > > > Your use of Yahoo!
Groups is subject to
> > > > > > > > > http://docs.yahoo.com/info/terms/
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > > > Post message: ukha_d@y...
> > > > > > > > > Subscribe: 
ukha_d-subscribe@y...
> > > > > > > > > Unsubscribe: 
ukha_d-unsubscribe@y...
> > > > > > > > > List owner:  ukha_d-owner@y...
> > > > > > > > >
> > > > > > > > > Your use of Yahoo! Groups is
subject to
> > > > > > > http://docs.yahoo.com/info/terms/
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > > Post message: ukha_d@y...
> > > > > > > > Subscribe:  ukha_d-subscribe@y...
> > > > > > > > Unsubscribe: 
ukha_d-unsubscribe@y...
> > > > > > > > List owner:  ukha_d-owner@y...
> > > > > > > >
> > > > > > > > Your use of Yahoo! Groups is
subject to
> > > > > > http://docs.yahoo.com/info/terms/
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > Post message: ukha_d@y...
> > > > > > > Subscribe:  ukha_d-subscribe@y...
> > > > > > > Unsubscribe:  ukha_d-unsubscribe@y...
> > > > > > > List owner:  ukha_d-owner@y...
> > > > > > >
> > > > > > > Your use of Yahoo! Groups is subject to
> > > > > http://docs.yahoo.com/info/terms/
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > Post message: ukha_d@y...
> > > > > > > Subscribe:  ukha_d-subscribe@y...
> > > > > > > Unsubscribe:  ukha_d-unsubscribe@y...
> > > > > > > List owner:  ukha_d-owner@y...
> > > > > > >
> > > > > > > Your use of Yahoo! Groups is subject to
> > > > > http://docs.yahoo.com/info/terms/
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > > > For more information: http://www.automatedhome.co.uk
> > > > > Post message: ukha_d@xxxxxxx
> > > > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > > > List owner:  ukha_d-owner@xxxxxxx
> > > > >
> > > > > Your use of Yahoo! Groups is subject to
> > > http://docs.yahoo.com/info/terms/
> > > >
> > > >
> > >
> > >
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > List owner:  ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
> > >
> > >
> > >
> > >
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > List owner:  ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
> > >
> > >
> > >
> >
> >
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe:  ukha_d-subscribe@xxxxxxx
> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > List owner:  ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
> >
> >
>
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>