[Date Prev][Date Next][Subject Prev][Subject Next][ Date Index][ Subject Index]

Re: Virus experience

Subject: Re: Virus experience
From: "Robert Holmgren" holmgren@xxxxxxxx
Date: Sat, 31 Aug 2002 09:15:26 -0700

** Reply to message from Bill Troop  on Fri, 30 Aug 2002
21:14:38 -0400


> I have finally, after
> all these years, managed to get my system infected quite badly with the
> something-or-other virus

It's Nimda, or a variant thereof. Look for *.NWS files as well as .EMLs.
IIRC, there's an EXE and at least one DLL that you have to get rid of, plus
there's an entry in SYSTEM.INI that must be deleted. Nimda spreads through
open network shares (mainly) -- one of my servers was infected through NETBIOS
port 139 that I stupidly forgot to close (in fact, I subsequently deleted
NETBIOS completely from all my servers -- NETBIOS is a huge security hazard --
I just use NETBEUI and TCP/IP on my LANs now). When Nimda is working, it takes
over your network connection. Right-click on your Network adapter (the adapter
with the Internet connection, if you have more than one), and check the Status.
If the sucker is uploading data like a bastard, and you aren't communicating
(and XP isn't checking in with Microsoft to snitch on the status of your
computer), then Nimda is probably on the job. What exactly it is sending, and
where it is sending, I don't know -- but the possibilities are chilling (one
reason I wiped every sensitive or personal file off my servers).

You can remove Nimda manually, you don't need a lot of tools really. Poke
around in DejaNews for detailed info (limit the search date to the past several
months, because the Nimda flavors floating around now are not the original ones
circa a year ago).

FWIW, here's what I'd do by way of longterm solution (also be nice to reduce
the off-topic security posts here). Go to a garage sale. Buy an old 486 for
$5. Install two NICs in it. Format a floppy disk. Put Coyote Linux on the
floppy -- it's an amazing NAT server/router/firewall on a *floppy* (freeware:
http://www.coyotelinux.com/ -- you can make the floppy with Windows even, as
long as you have NICs that Coyote has drivers for, check the list of acceptable
NICs). Put your real computer(s) behind it. (And don't use Outlook, a lousy
mail client to begin with.) Alternative strategy: Knoppix
(http://www.knopper.net/knoppix/index-en.html), which is Linux on a bootable CD
-- capable of doing pretty much the same thing as Coyote. Another alternative:
Put NAT32 on a barebones Windoze machine (be sure not to install the NETBIOS
protocol): http://www.nat32.com/. After you're all done, go to one of many
sites (e.g. http://www.dslreports.com/) and do a Port probe or scan -- find out
what an inquisitive remote machine sees when it tries to break into your box.
If you still have security exposures, remove them.

> Norton AV took care of it but I HATE Norton AV 2002 because it
> cannot be uninstalled from my XP Dell without causing the loss of my cable
> internet service.

That doesn't sound right. I have a Dell XP machine, and Norton isn't
"uninstalled", just turned off. Haven't seen or heard from Norton since I got
the machine from Dell (my last Dell, BTW -- there are too many oddities, in the
keyboard, the bios, the video; Thinkpads all the way, from now on, for me).

-----------------------------
Robert Holmgren
holmgren@xxxxxxxx
-----------------------------

Prev by Date: Re: Virus experience
Next by Date: Cosing the off-topic/on-topic circle: Re: XY3DOS on a Mac?
Previous by thread: Re: Virus experience
Next by thread: Re: Virus experience
Index(es):
- Date
- Subject