Nimda checker

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 09/21/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F1F15D9@muskie.rc.on.ca>
Date:         Fri, 21 Sep 2001 08:26:19 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Nimda checker
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM



Folks,

I'm just finishing up something that you'll be able to use to
remotely determine whether an NT/W2K machine has been infected with
Nimda.

The tool will be the HFNetChk utility which Microsoft released a
couple of months back (although you'll need to use the newest beta
version for it to work properly) and a customized XML file that I'll
host here at www.ntbugtraq.com.

This isn't intended to replace your anti-virus software, but since
many of you don't currently use AV on your servers, it may help in
diagnosing which machines you need to give immediate attention to and
which you can temporarily leave for later (every machine should be
thoroughly checked regardless of what this scan tells you).

I cannot guarantee that it will pick up all infected machines, but
with your help we can make it as effective as possible. Below is a
list of files and locations I'll be checking. A hit on any of them
will produce a warning that the system may be infected. You'd then
have to go and inspect the machine further to determine whether it is
or isn't infected. Since this is based on HFNetChk, you can check an
entire domain/subnet in a single command line.

Here's the list I'm checking. If you know of any files and/or
locations that are not included that represent a good indication the
machine is infected, please advise:

admin.dll %systemdrive%
admin.dll %systemdrive%\inetpub\scripts
admin.dll %systemdrive%\inetpub\wwwroot
admin.dll %systemdrive%\program files\common files\system\msadc
admin.dll %windir%
admin.dll %windir%\system
admin.dll %windir%\system32

readme.eml %systemdrive%
readme.eml %systemdrive%\inetpub\scripts
readme.eml %systemdrive%\inetpub\wwwroot
readme.eml %systemdrive%\program files\common files\system\msadc
readme.eml %windir%
readme.eml %windir%\system
readme.eml %windir%\system32
readme.eml %windir%\system32\dllcache
readme.eml %windir%\system32\drivers
readme.eml %windir%\system32\inetsrv
readme.eml %windir%\system32\inetsrv\iisadmin

readme.exe %systemdrive%
readme.exe %systemdrive%\inetpub\scripts
readme.exe %systemdrive%\inetpub\wwwroot
readme.exe %systemdrive%\program files\common files\system\msadc
readme.exe %windir%
readme.exe %windir%\system
readme.exe %windir%\system32
readme.exe %windir%\system32\dllcache
readme.exe %windir%\system32\drivers
readme.exe %windir%\system32\inetsrv
readme.exe %windir%\system32\inetsrv\iisadmin

root.exe %systemdrive%
root.exe %systemdrive%\inetpub\scripts
root.exe %systemdrive%\inetpub\wwwroot
root.exe %systemdrive%\program files\common files\system\msadc
root.exe %windir%
root.exe %windir%\system
root.exe %windir%\system32
root.exe %windir%\system32\dllcache
root.exe %windir%\system32\drivers
root.exe %windir%\system32\inetsrv
root.exe %windir%\system32\inetsrv\iisadmin

Cheers,
Russ - NTBugtraq Editor

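The same check as a stand-alone script, added here as an example and not Russ's HFNetChk XML: it expands the file/location table above into concrete paths, looks each one up case-insensitively, and reports hits for manual inspection. The SYSTEMDRIVE/WINDIR fallbacks are assumptions; pass explicit roots to examine a mounted image from another host.

```python
import os
from pathlib import Path

# Indicator table transcribed from the list above. Directories are stored as
# path components relative to the two roots; () is the root itself.
SYSDRIVE_DIRS = [(), ("inetpub", "scripts"), ("inetpub", "wwwroot"),
                 ("program files", "common files", "system", "msadc")]
WINDIR_SHORT = [(), ("system",), ("system32",)]          # admin.dll only
WINDIR_LONG = WINDIR_SHORT + [("system32", "dllcache"), ("system32", "drivers"),
                              ("system32", "inetsrv"),
                              ("system32", "inetsrv", "iisadmin")]
INDICATORS = {                  # file name -> (%systemdrive% dirs, %windir% dirs)
    "admin.dll":  (SYSDRIVE_DIRS, WINDIR_SHORT),
    "readme.eml": (SYSDRIVE_DIRS, WINDIR_LONG),
    "readme.exe": (SYSDRIVE_DIRS, WINDIR_LONG),
    "root.exe":   (SYSDRIVE_DIRS, WINDIR_LONG),
}

def _lookup_ci(root, parts):
    """Walk `parts` below `root`, matching each name case-insensitively: NTFS
    ignores case, but a mounted image examined from Linux does not."""
    current = Path(root)
    for part in parts:
        try:
            match = next((e for e in os.scandir(current)
                          if e.name.lower() == part.lower()), None)
        except OSError:          # missing directory, not a directory, no access
            return None
        if match is None:
            return None
        current = Path(match.path)
    return current if current.is_file() else None

def scan(systemdrive=None, windir=None):
    """Return every indicator path that exists. Roots default to the live
    Windows environment (assumed variables); pass them explicitly for an image."""
    systemdrive = systemdrive or os.environ.get("SYSTEMDRIVE", "C:\\")
    windir = windir or os.environ.get("WINDIR", r"C:\WINNT")
    hits = []
    for name, (sd_dirs, wd_dirs) in INDICATORS.items():
        for root, dirs in ((systemdrive, sd_dirs), (windir, wd_dirs)):
            for d in dirs:
                hit = _lookup_ci(root, d + (name,))
                if hit is not None:
                    hits.append(hit)
    return hits
if __name__ == "__main__":
    for hit in scan():
        print(f"WARNING: possible Nimda indicator: {hit}")   # inspect by hand
```

A hit only means the machine needs a closer look, exactly as the message says; an empty result does not clear it.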
