Preserved Topic: Virus!?
Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-17-2002 22:54

Lately on both my XP machines, when browsing through folders in Windows Explorer, I've been getting these popups asking if I want to download the file, usually with a name like wkb9.tmp or some shit. I click cancel, and I've looked on the net for anything about this but couldn't find anything. Now I've noticed that in all my folders there's a .eml file (Explorer is ID'ing it as an Outlook email file), shit like saddam.eml and stuff. How the hell do I get rid of this shit!?! I'm going to try regular old antivirus right now.....

--Lurch--

GrythusDraconis
Paranoid (IV) Inmate

From: The Astral Plane
Insane since: Jul 2002

posted 10-17-2002 23:03

Anti-virus would be my best guess. The fact that it's linked to Outlook isn't too heartening though. My guess is it started there with something you opened. Probably from a friend, or you thought it was from a friend. You can do an online scan with Norton AV here.
Just click on 'scan for viruses' and it'll lead you from there.

Good luck!


GrythusDraconis
"Be careful not to anger the Great Dragon for you are crunchy and taste good with Ketchup" T-Shirt Somewhere

[This message has been edited by GrythusDraconis (edited 10-17-2002).]

GrythusDraconis
Paranoid (IV) Inmate

From: The Astral Plane
Insane since: Jul 2002

posted 10-17-2002 23:06

Oh... and are your XP machines networked together? The Symantec site has some checks and info on how to deal with those viruses that interfere with Norton AV and other virus scan programs on your local machine. Some viruses can replicate off of your server or another machine in the network.



GrythusDraconis
"Be careful not to anger the Great Dragon for you are crunchy and taste good with Ketchup" T-Shirt Somewhere

Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-18-2002 00:19

thanks

The 'puters are networked and in fact, I was browsing on the other machine when I found the .eml files! Doh. So I installed, updated and scanned with Norton on the one machine, found a couple of non-related things and then realized that I was browsing on the other machine! I'm in the process of scanning that machine now. I'll let you know if it comes up with anything.

--Lurch--

Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-18-2002 00:46

Looks like it was a "Nimda" worm... couldn't repair anything, but I have 114 quarantined files now (deleted 26 others)...

--Lurch--

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 10-18-2002 08:26

Since that computer was infected with the Nimda (the word "admin" backwards) virus, I guess that it is running the MS IIS web server. If so, you should install all security patches for IIS to prevent any future infections...


Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-18-2002 09:28

I don't think I was running IIS on that machine, Max... Apache though. Same difference since it's Windows??

--Lurch--

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 10-18-2002 10:59

Nimda was designed to attack IIS web servers using a common exploit that was discovered a few months ago. It automatically replicates itself to other computers that are running IIS, so that computer must be running IIS (it doesn't matter if you use it or not, as long as the IIS service is started). Apache is not vulnerable to Nimda. I would suggest you check all running services and see whether IIS is running or not, and visit Windows Update to download patches or to install Windows XP SP1 if you haven't already done so...


tomeaglescz
Paranoid (IV) Inmate

From: Czech Republic via Bristol UK
Insane since: Feb 2002

posted 10-18-2002 11:12

OK first up THIS IS NIMDA or one of its CLONES.

It has 4 variants: a, b, c, d. The patches available to clean and recover files are at http://www.avg.com and also at Norton's AV site.

Norton's doesn't differentiate between the variants very well, so to play safe download and run all four .exe files from there.

I only lost 2% of my files.

You will have caught this in only one or two ways: an email, or from visiting an IIS-server-hosted site that ran a script when you visited the page. Nimda spread through the IIS server community like crazy, and it will jump from machine to machine on your network, and also any emails you sent will have been infected. What is often a common sign of this is if you receive duplicate emails; one of them is usually carrying the virus.

The best way to attack this is as follows.

1. Disconnect all PCs from the network.
2. Virus scan your servers. (Clean up as necessary.)
3. Virus scan and clean workstations.
4. Reconnect and you should be good to go.

The reason for the disconnection from the network is as follows.

Nimda routinely scans the network for machines that are not infected so as you clean one, it can be reinfected from another pc on the network.

The good news is once ya have the patches downloaded you should be ok in the future.

On my network I have AVG 6 running and I use the admin control center with rules applied for email, so if any email arrives to me infected etc., it just trashes it before I even get it in my inbox.

anyway if ya have any problems just give me a holler.

Good luck, Tom


Edit: Max beat me to it.


Definitely get all the patches for IIS. It's got lots of holes and unless fixed it can leave a back door wide open into your network.

Also check your user accounts in the user administration account, as quite often it will create some weird-ass named user that has admin rights; it's just a jumble of alphanumeric characters. Once ya've done that I suggest you go back through your system log reports on your server and check back on services, user and application history (you do log all these, don't you???).



[This message has been edited by tomeaglescz (edited 10-18-2002).]
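Two of the checks in Tom's post (the same .eml dropper showing up in folder after folder, and an unfamiliar jumble-of-alphanumerics account sitting in the Administrators group) can be turned into a small triage script. This is an added example, not code from the thread or from any AV vendor; the "recurs in several folders" and "looks machine-generated" heuristics are mine, the sample folder tree and account list are constructed, and the Administrators listing and allowlist are assumed to come from your own tooling.

```python
import os
import re
import tempfile

# Heuristic (mine, not from the thread): a Nimda-style dropper leaves the same .eml
# name in many unrelated folders, so recurrence across folders is the indicator.
def eml_hotspots(root, min_folders=3):
    """Return {lowercased .eml name: set of folders} for names seen in >= min_folders folders."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".eml"):
                seen.setdefault(name.lower(), set()).add(dirpath)
    return {name: dirs for name, dirs in seen.items() if len(dirs) >= min_folders}

ALNUM = re.compile(r"[A-Za-z0-9]+")

def looks_random(name):
    """Crude 'jumble of alphanumerics' test: letters mixed with digits, or almost no vowels."""
    if not name:
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    return (has_digit and has_alpha) or vowel_ratio < 0.2

def suspicious_admins(admin_members, known_admins):
    """Administrators-group members not on your allowlist that look machine-generated (listing assumed from e.g. net localgroup)."""
    known = {k.lower() for k in known_admins}
    return [m for m in admin_members
            if m.lower() not in known and ALNUM.fullmatch(m) and looks_random(m)]

def build_sample_tree():
    """Constructed sample: saddam.eml (the name from the thread) dropped in four folders,
    plus one legitimate mail file saved once. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    for sub in ("docs", "docs/old", "music", "pics"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "saddam.eml"), "w") as fh:
            fh.write("constructed dropper placeholder\n")
    with open(os.path.join(root, "docs", "invoice.eml"), "w") as fh:
        fh.write("constructed legitimate saved mail\n")
    return root

if __name__ == "__main__":
    print(eml_hotspots(build_sample_tree()))  # constructed account x7q9zk2p below is the planted oddity
    print(suspicious_admins(["Administrator", "lurch", "x7q9zk2p", "backup"], ["Administrator", "lurch"]))
```

Flagged names are leads to verify against your own records, not proof of compromise; the point is to surface what a manual look through User Accounts would miss.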

Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-18-2002 22:28

Norton AV isn't doing shit. It's fucking pissing me off.. these .eml files are popping up everywhere. I do not have IIS installed and the fucking AVG site doesn't work. Norton just says you have a virus. No shit! Tell me something I don't know or fix the fucking thing.

Sorry for the language, I'm pissed off right now.


--Lurch--

Lurch
Paranoid (IV) Inmate

From: Behind the Wheel
Insane since: Jan 2002

posted 10-18-2002 22:38

Phew.... think I mighta got it... on this machine... no more .eml files at least.

--Lurch--

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 10-18-2002 22:41

Nasty virus you got there. Go here to see about a removal tool.

Good Luck

Later,
C:\


~Binary is best~



[This message has been edited by CPrompt (edited 10-18-2002).]

CRO8
Bipolar (III) Inmate

From: New York City
Insane since: Jul 2000

posted 10-19-2002 16:19

Entirely off the topic: my rugby nickname was Lurch. I may have already told you about that!

CRO8
