Re: Nimda Virus

From: Mark Strelecki, ACP (be6-506@nospam.strelecki.com)
Date: 05/14/02

From: "Mark Strelecki, ACP" <be6-506@nospam.strelecki.com>
Date: Mon, 13 May 2002 20:46:15 -0400

I suggest a Clean Install.

According to this link:

http://w3.hethmon.com/os2isp/2001/Sep/Msgs/l2w68486.html

"Basically, cleansers available now do not address some of the more
insidious components of Nimda:

- Guest account being enabled. In the case of an infected Domain
Controller, this means the account is enabled in the Domain.

- Guest account being added to the Administrators group. Again, on
DCs the Guest user is added to the Domain Admins group.

- Modification to registry keys. Some reports say that values under
LanManServer\Parameters are deleted (in an effort to remove any
AutoShareServer value that might prevent the availability of C$,
etc.), while other reports talk only of the creation of new shares
(C$, D$, etc.) under that key.

- Numerous critical system files are modified, including files in the
dllcache directory, and it's questionable whether or not these can be
restored to good health by an untested cleanser (the suggestion being that
SSL functionality might not work after cleansing).

Then there is the question as to whether or not all of the effects of
Nimda have actually been determined. With its buggy operation, it's
possible it might do other things inconsistently, in a way that might
leave cleansers lacking."

I suggest a Clean Install, just to be safe and sure.

--
Mark Strelecki,  ACP          BE6.2600.011208c
Computing and Programming Since 1975  http://www.strelecki.com
Protect Your Rights -- Fight UCITA   http://www.4cite.org
"bhavana" <bhavana_21@yahoo.com> wrote in message
news:2d2b01c1fab7$bb389010$b1e62ecf@tkmsftngxa04...
> hi
>
>    This is regarding the Nimda virus. My system was infected
> with this virus and I cleaned it up using F-Secure software.
> Now, many of the files are deleted from my system. The ones
> that were infected are either removed or repaired by this
> software.  The files that were deleted are all from the
> inetpub directory. I am not sure whether these files come
> with the installation of IIS or they were put onto my
> system by this virus. So could anyone tell me if I have to
> re-install IIS?
>   For your info I am giving you some of the files that
> were deleted:
>    C:\inetpub\scripts\tftp10944
>    C:\inetpub\scripts\tftp10924
>    C:\inetpub\scripts\tftp10884
>    C:\inetpub\scripts\tftp10872
>    C:\inetpub\scripts\tftp10868
>  and so on.... all starting with tftp..
>   Also, some of the files were repaired in the Visual Studio
> package. Do I need to install the studio as well?
> What is the best way to get rid of such
> malicious programs? After scanning and removing the virus
> the F-Secure software cautions me to reinstall the
> operating system to ensure the system is safe in
> future (just in case someone got access to my system).
> Do I really need to do so?
>
> Thanks in advance.
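A read-only check for the residue the quoted link lists (Guest account enabled, Guest in Administrators, the AutoShareServer value under LanManServer\Parameters and the drive shares, plus tftp* files under inetpub\scripts), as an added example that is not part of this thread or of any cleanser. It assumes a current Windows host with the LocalAccounts and SmbShare modules and IIS under C:\inetpub; the full registry path is my own expansion of the key the post names, and the script reports but changes nothing.

```powershell
# Added example (not from the original thread): audit a host for the Nimda
# residue the quoted post describes. Read-only; run as Administrator.
$findings = @()

# 1. Guest account enabled?
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

# 2. Guest (well-known RID 501) a member of the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.SID.Value -like '*-501' }) {
    $findings += 'Guest is a member of Administrators'
}

# 3. AutoShareServer value under LanManServer\Parameters and the drive shares.
# Assumption: full path of the key the post abbreviates as LanManServer\Parameters.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$props = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
if ($null -eq $props.AutoShareServer) {
    $findings += "No AutoShareServer value under $lanman (deleted, or never set: admin shares default on)"
} elseif ($props.AutoShareServer -ne 0) {
    $findings += "AutoShareServer = $($props.AutoShareServer) (admin shares enabled)"
}
# Drive shares such as C$ or D$; on a host that had set AutoShareServer=0 their
# presence is exactly the symptom the post describes.
Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[A-Z]\$$' } |
    ForEach-Object { $findings += "Drive share present: $($_.Name) -> $($_.Path)" }

# 4. tftp* droppings in the IIS scripts directory (the files the poster listed).
$scripts = 'C:\inetpub\scripts'
if (Test-Path $scripts) {
    Get-ChildItem -Path $scripts -Filter 'tftp*' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += "Suspicious file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
}

if ($findings.Count -eq 0) { 'No Nimda residue indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A clean result here does not contradict the advice in the thread: the post's point is that modified system files under dllcache and unknown effects are not something a script like this can rule out.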