Re: Nachi virus in a WinXP Update?
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 03/01/04
- Next message: Artwilder: "Re: To clarify the link for CWShredder Update"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Nachi virus in a WinXP Update?"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Nachi virus in a WinXP Update?"
- Next in thread: Larry Woodworth: "Re: Nachi virus in a WinXP Update?"
- Reply: Larry Woodworth: "Re: Nachi virus in a WinXP Update?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 29 Feb 2004 22:10:32 -0500
Practicing Safe Hex should always be #1 on the list and you should not rely on software to
make up for human errors/mistakes.
I have no clue why this happened during Windows Update. It may depend on the way McAfee is
configured.
What version of McAfee are you using (as well as ENGINE and DAT revisions)?
In a school environment, you should have On-Access scanning enabled for *ALL* files (not
just default file types) with or without a file extension.
KB824146 "is" available as a Critical Update.
You know if it is installed if the following directory exists:
%windir%\$NtUninstallKB824146$
Verification can be made with the actual patch file versions...
23-Aug-2003 18:48 5.0.2195.6810 945,936 Ole32.dll
23-Aug-2003 18:48 5.0.2195.6802 432,912 Rpcrt4.dll
23-Aug-2003 18:48 5.0.2195.6810 192,272 Rpcss.dll
Dave
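The two checks described above (the uninstall directory and the versions of the three patched RPC binaries) as a PowerShell script. This is an added example, not code from Dave's post, from McAfee or from Microsoft. The minimum versions are the 5.0.2195 build numbers quoted in the post (5.0.2195 is the Windows 2000 build; on a Windows XP host, substitute the XP file versions given in KB824146). The `$MinimumVersions` parameter and the function names are assumptions of this example.

```powershell
# Added example: is MS03-039 (KB824146) present on this host?
# Signal 1: the uninstall directory %windir%\$NtUninstallKB824146$ exists.
# Signal 2: Ole32.dll, Rpcrt4.dll and Rpcss.dll in system32 are at or above the
#           patched file versions.
# Default versions below are the 5.0.2195 (Windows 2000) numbers from the post;
# pass -MinimumVersions with the XP numbers from KB824146 for an XP machine.
param(
    [hashtable]$MinimumVersions = @{
        'Ole32.dll'  = [version]'5.0.2195.6810'
        'Rpcrt4.dll' = [version]'5.0.2195.6802'
        'Rpcss.dll'  = [version]'5.0.2195.6810'
    }
)

function Get-FileVersionObject {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a [version] from the numeric parts. The FileVersion string can carry
    # a trailing build tag (e.g. "5.0.2195.6810 (xxx)") that would not cast cleanly.
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-KB824146 {
    param([hashtable]$Minimum)
    $result = [ordered]@{}

    # Signal 1: uninstall directory (single quotes keep the $ characters literal)
    $uninstallDir = Join-Path $env:windir '$NtUninstallKB824146$'
    $result['UninstallDirPresent'] = Test-Path -LiteralPath $uninstallDir

    # Signal 2: file versions of the patched binaries
    $system32 = Join-Path $env:windir 'system32'
    foreach ($name in $Minimum.Keys) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $path)) {
            $result[$name] = 'missing'
            continue
        }
        $actual = Get-FileVersionObject -Path $path
        if ($actual -ge $Minimum[$name]) {
            $result[$name] = "ok ($actual)"
        } else {
            $result[$name] = "OLD ($actual is below $($Minimum[$name]))"
        }
    }
    [pscustomobject]$result
}

Test-KB824146 -Minimum $MinimumVersions | Format-List
```

Treat the file-version check as the authoritative signal: the `$NtUninstall...$` directory is routinely deleted to reclaim disk space after a patch has been in place for a while, so its absence alone does not prove the machine is unpatched.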
<anonymous@discussions.microsoft.com> wrote in message
news:1b1301c3ff38$f1426e60$a601280a@phx.gbl...
| Hmmm, our school division's email server runs the current
| version of GWAVA (GroupWise Anti-Virus Engine by
| McAfee). If W32/Gibe-F has been out longer than four
| days, then the school division is safe from its threat.
| 99% of the email viruses/worms out there don't affect
| GroupWise anyway.
|
| We have 824146 as a "stand-alone" patch on our file
| server. I'm surprised MS doesn't make it part of the
| Critical Updates.
|
| Thanks for the response. Any idea why this only appears
| during/after a Windows Update?
|
| >-----Original Message-----
| >Obtain McAfee's virus and worm removal tool, Stinger:
| http://vil.nai.com/vil/stinger/
| >
| >You *must* install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that
| >is addressed by Microsoft Security Bulletin MS03-39
| >http://support.microsoft.com/?kbid=824146
| >
| >
| >1) If you are using WinXP, disable System Restore
| >   http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| >2) Reboot your PC into Safe Mode
| >3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
| >   infectors found
| >4) Restart your PC and perform a "final" Full Scan of your platform
| >5) If you are using WinXP, re-enable System Restore and re-apply any
| >   System Restore preferences, (e.g. HD space to use suggested 200 ~ 400MB),
| >   reboot your PC.
| >6) If you are using WinXP, create a new Restore point
| >7) Please report back your results
| >
| >
| >In addition:
| >If you post to UseNet with your TRUE, not a munged, email address then you have invited the
| >Swen Internet worm [aka; W32/Gibe-F] to visit you.
| >
| >Swen is news spelled backwards. The reason it is called this is because the Swen worm
| >harvests email addresses from UseNet News Groups. It has an engine that allows it to post
| >itself to UseNet News Groups as well as it has its own email engine. From the list of
| >email addresses that it has harvested, it will then email itself to those addresses.
| >
| >So, in short, your naivety will introduce the Swen Internet worm to your school!
| >
| >Dave
| >
| >
| >
| >"Larry Woodworth" <l w o o d w o r t h @
| mail.manassas.k12.va.us> wrote in message
| >news:053601c3ff32$a6f15f70$7d02280a@phx.gbl...
| >| We're using the current McAfee Signature files. After I
| >| started running Windows Update on one of our WinXP
| >| Professional laptops, I got a McAfee alert that a Nachi
| >| worm was found hiding in a svchost instance. I let the
| >| update continue and a few minutes later, Windows Update
| >| couldn't find the following file:
| >|
| >| drmk.sys (or) dmrk.sys (the r and m run together and I
| >| can't tell which way it should be)
| >|
| >| It is expecting to find the file in
| >| c:\wutemp\pubname.3244132
| >|
| >| It sure sounds like that file was part of the download
| >| from Microsoft and was intercepted by McAfee. So it is
| >| not available for install now. Comments?