Nimda

This is a discussion on Nimda within the A Brief History of Cprogramming.com forums, part of the Community Boards category; I have this virus called Nimda. I went to microsoft.com but their fix does not work. They say that if ...

  1. #1
    Unregistered
    Guest

    Nimda

    I have this virus called Nimda. I went to microsoft.com but their fix does not work. They say that if you have service pack 2 than you shouldn't have the virus. Well I have SP2 and Win2k and I do have the virus!

    Can I just delete the files? I can see the .dll file on my C drive for example but there are something like 41 other files.

  2. #2
    barjor
    Guest
    I don't know that much about this virus but it sounds like a job for a anti virus program

    ~Barjor

  3. #3
    Unregistered
    Guest
    It's going to be announced on the National news. I heard about it from the US government this afternoon.

    I still have the virus on my computer. At the Norton website they say that they are working on it. As of this moment there is no cure. Microsoft thinks that you can't get the virus if you have service pack 2, but they are dead wrong.

    During these rare times I wish I was running Linux although I'd need a lot more pain in order to get me to do that.

  4. #4
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    My server IS running Linux/UNIX. It's down. I don't understand.
    They said Linux was immuned to code red, et al.

    rick barclay
    No. Wait. Don't hang up!

    This is America calling!

  5. #5
    Has a Masters in B.S.
    Join Date
    Aug 2001
    Posts
    2,267
    i don't think its code red rick, is the little green light on the front of the case on?
    ADVISORY: This users posts are rated CP-MA, for Mature Audiences only.

  6. #6
    Registered User Esss's Avatar
    Join Date
    Aug 2001
    Posts
    133
    I hate to cut and paste, because you should all be subscribing anyway.

    From NTBugTraq:

    Infection vectors;
    - -----------------
    a) Email as an attachment of MIME audio/x-wav type.
    b) By browsing an infected webserver with Javascript execution
    enabled and using a version of IE vulnerable to the exploits
    discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
    c) Machine to machine in the form of IIS attacks (primarily
    attempting to exploit vulnerabilities created by the effects of Code
    Red II, but also vulnerabilities previously patched by MS00-078)
    d) Highlighting either a .eml or .nws in Explorer with Active Desktop
    enabled (W2K/ME/W98 by default) then the THUMBVW.DLL will execute the
    file and attempt to download the README.EXE referenced in it
    (depending on your IE version and zone settings).
    e) Mapped drives. Any infected machine which has mapped network
    drives will likely infect all of the files on the mapped drive and
    its subdirectories

    To prevent yourself from being infected;

    a) Ensure all IE versions have applied MS01-027 (or are IE 5.01SP2 or
    above)

    b) Disable Active Scripting in IE

    c) Ensure all IIS installations have applied MS01-044 (or at the very
    least MS01-033)

    d) Use the CALCS program to modify the permissions on TFTP.EXE to
    remove all use;

    CALCS %systemroot%/system32/tftp.exe /D Everyone
    CALCS %systemroot%/system32/tftp.exe /D System

    Do the same for CMD.EXE
    (note, this could be tried with THUMBVM.DLL as well, haven't tried
    this myself yet)

    e) Ensure that TFTP is not permitted out through your network gateway
    (note that newly infected machines may try and TFTP *internally* from
    some other infected machine you have on your network)

    f) Modify or remove;

    HKEY_CLASSES_ROOT\.eml
    HKEY_CLASSES_ROOT\.nws

    Cleansing information;
    - ---------------------

    Nimda is viral, so while you can remove various files that it drops
    it probably will not be cleaned completely by manual means. This
    means you will have to use your AntiVirus vendor's product to
    completely cleans.

    a) Load.exe dropped as hidden/system file (probably in %systemroot%)
    b) Riched20.dll dropped with today's date as hidden/system file.
    c) Readme.exe dropped in every directory
    d) Admin.dll dropped in /scripts and/or root directories (not the
    _vti_bin directories of FrontPage)
    e) .eml and .nws files dropped in every directory
    f) Possibly modified your default home page in web dirs.
    g) Infected numerous files (if not all files) with the 56kb
    executable.
    h) Reports of people having files lumped together into .eml files

    Check with your AV Vendor regularly for updates to the cleansing
    programs. I would appreciate any reports from AV Vendors as to how
    complete they feel their cleaners currently are. I will do an update
    later tonight based on responses.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    Ess
    Like a rat in a maze who says,
    "Watch me choose my own direction"
    Are you under the illusion
    The path is winding your way?
    - Rush

  7. #7
    Anti-Terrorist
    Join Date
    Aug 2001
    Location
    mming, Game DevelopmentCSR >&<>&2Minimization of boolean functions, PROM,PLA design >&0>&WA, USA guitar, dogsCommercial Aviation >&>>&USAProgramming
    Posts
    742
    Oh well, I was thinking of getting WinXP anyway. Hope the terrorsts are all killed by than. I'm tired of all these virus attacks.
    I compile code with:
    Visual Studio.NET beta2

  8. #8
    Registered User mfc2themax's Avatar
    Join Date
    Aug 2001
    Posts
    346
    If you wanna be immune to problems like this, then its simple. Throw your computer out the window.
    mfc2themax-Creator of all that is.

  9. #9
    Anti-Terrorist
    Join Date
    Aug 2001
    Location
    mming, Game DevelopmentCSR >&<>&2Minimization of boolean functions, PROM,PLA design >&0>&WA, USA guitar, dogsCommercial Aviation >&>>&USAProgramming
    Posts
    742
    You know what, you're right. Unfortunately it seems that the operating system manufacturers can not protect the public from viruses. That's just the way it is. I didn't even open an attachment. I must have gotten infected by going to some website. I'm not going to search the web anymore.
    I compile code with:
    Visual Studio.NET beta2

  10. #10
    Linguistic Engineer... doubleanti's Avatar
    Join Date
    Aug 2001
    Location
    CA
    Posts
    2,459
    >I don't know that much about this virus but it sounds like a job for a anti virus program

    what is nimda? and, wow sunlight, resourceful on the run... good job!

    >Throw your computer out the window.

    remember: we have a function for that...

    oh, and i don't want to sound like i'm some genius that is failsafe from all virii cuz i'm a genius... but i don't ever get virii simply because my own computer use is relatively fail-safe... what practices did you, er, practice to obtain this virus?
    hasafraggin shizigishin oppashigger...

  11. #11
    Just one more wrong move. -KEN-'s Avatar
    Join Date
    Aug 2001
    Posts
    3,230
    I was lookin at my school's county website and found a link to a patch. go here: http://www.palmbeach.k12.fl.us/

  12. #12
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    >i don't think its code red rick, is the little green light on the front of the case on?<

    No, I guess it was nimba. Code red isn't suppose to attack Linux,
    from what I understand, admittedly not much. But, it's Wednesday
    morning now, and my site is back up, so no harm done. I'm
    back in business . Till next time.

    rick barclay
    No. Wait. Don't hang up!

    This is America calling!

  13. #13
    Registered User Esss's Avatar
    Join Date
    Aug 2001
    Posts
    133
    > Unfortunately it seems that the operating system manufacturers can not protect the public from viruses.

    Carefully avoiding the word 'Microsoft', hm?

    As you'll have noticed, every infection vector can be patched. There's no excuse for not having MS00-078, since it's 12 months old! There's also no excuse for having IE pre v5.01 SP2, and none for having your system security levels at 'low'.

    If you want to be secure, check http://www.microsoft.com/technet/mpsa/start.asp regularly, and follow the recommendations. By being up-to-date, I bypassed Code Red I and II, and this latest one. Oh, and don't open attachments unless you know what they are...

    Rick, even if your machine runs Linux, it's still vulnerable to thousands of computers bombarding it with compromise requests. Did you have unusual amounts of traffic?
    Ess
    Like a rat in a maze who says,
    "Watch me choose my own direction"
    Are you under the illusion
    The path is winding your way?
    - Rush

  14. #14
    Hamster without a wheel iain's Avatar
    Join Date
    Aug 2001
    Posts
    1,385
    has anyone else noticed that it spells 'Admin' backwards ?
    Monday - what a way to spend a seventh of your life

  15. #15
    Has a Masters in B.S.
    Join Date
    Aug 2001
    Posts
    2,267
    >Unfortunately it seems that the operating system manufacturers
    can not protect the public from viruses<

    openBSD... 4 security holes in 6 years... 3 fixed ones brand new so... virtually impossible to hax0r...

    and Esss even if you do all that your still vunerable

    >By being up-to-date, I bypassed Code Red I and II, and this latest one.<

    yes mam, be up to date and skip the nasties he's right about that.

    >Oh, and don't open attachments unless you know what they are... <

    nailed that too.
    ADVISORY: This users posts are rated CP-MA, for Mature Audiences only.

Page 1 of 4 1234 LastLast
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Nimda is Dead
    By Witch_King in forum A Brief History of Cprogramming.com
    Replies: 1
    Last Post: 09-23-2001, 06:22 AM
  2. My Appologies
    By Witch_King in forum A Brief History of Cprogramming.com
    Replies: 20
    Last Post: 09-21-2001, 06:07 PM
  3. side nimda stuff
    By Govtcheez in forum A Brief History of Cprogramming.com
    Replies: 6
    Last Post: 09-20-2001, 02:35 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21