General discussion


Nimda Virus that wont DIE

By Xanderoth ·
Ok, here it is...
Nimda virus infected a server and 5 workstations. Fixnimda tools were downloaded and run on all machines. Hubs were powered down and internet disconnected while Virus removal tools ran. After informing us of SUCCESSFUL virus removal on all machines, it was run again and found to be not infected with the Nimda. All ZIP disks, CDs, floppies and tapes were scanned and found clean. Network was brought back up and the next day the Nimda is found on all machines again. Internet access was set up 2 days ago and no e-mail has been assigned as of yet. We are certain that it is not coming in from the internet or from the outside world. We are certain that it isn't being loaded on by an angry employee or something like that. We have used several different nimda removal tools with similar results. Am I missing something? Anyone have any idea what is going on?


Nimda Virus that wont DIE

by maxwell edison In reply to Nimda Virus that wont DIE

Greetings,

Microsoft suggests the following:

"Microsoft is working with the anti-virus community and other security experts to thoroughly investigate the worm. If you haven't already installed the appropriate updates and/or patches, your computer can become infected." (REMOVE SPACES from the following pasted URL.)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp

The aforementioned Microsoft site has information and additional links to help you out.

Good luck,

Maxwell


Nimda Virus that wont DIE

by maxwell edison In reply to Nimda Virus that wont DIE

.
.
Symantec has Manual Removal Instructions, but too lengthy to post here.

Cut and paste this link (REMOVING SPACES)

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

This is a very thorough and informative site.

Good luck

Maxwell


Nimda Virus that wont DIE

by maxwell edison In reply to Nimda Virus that wont DIE

.
.
McAfee's resolution can be found here:

http://www.mcafee.com/anti-virus/viruses/nimda/default.asp?cid=2444

Regards,

Maxwell


Nimda Virus that wont DIE

by Xanderoth In reply to Nimda Virus that wont DIE

Ok- we patched all of the computers with all of the security patches. How's that for fun! Not only are we still getting this virus, we shouldn't be ABLE to get this virus...


Nimda Virus that wont DIE

by burch_r In reply to Nimda Virus that wont DIE

Nimda is a particularly nasty bug to clean. One of the ways it spreads is through shared folders on your network, and by the sounds of it, this is the most likely way that your systems are remaining infected. (Remember that the presence of infected files does not mean that the system is fully infected.) If an infected client has write access to any shared folders, Nimda will deposit infected eml files along with the infected file RICHED20.DLL in all of the folders it can access. Cleaning the virus from all clients is the only sure way of permanently removing Nimda from a network where write access is required. If write access is not required, set your shares to Read Only. Another tool to help is cleaning your file server while off-line and then depositing a "Read Only" copy of the clean RICHED20.DLL file in all folders that offer write access. Although the virus will still deposit the eml files, it won't overwrite the dll file as long as deletion privileges are removed. The dll file in question is called by MS Word when saving, printing, etc. If a Word document is opened within a folder that contains an infected RICHED20.DLL, it will then spread the virus to the system that opened the document.

Finally, you need to ensure that you have run Windows updates in addition to virus definition updates. If running NT, this includes all Service Packs.

FYI, our campus (WVWC) has currently moved to Norton AntiVirus Corporate Edition, and so far are very pleased with the product. The number one feature -> Pushed virus definition updates from parent servers to network clients. Full automation means no dependency on the users to update their definition lists.

Robert Burch
Helpdesk Supervisor
West Virginia Wesleyan College
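
The share check described in the post above, as an added example that is not part of the original thread: it walks a share tree and lists folders holding .eml files or a RICHED20.DLL copy outside a system directory, and reports whether that copy is still writable. The `SYSTEM_DIRS` names, the function names and the sample tree are assumptions constructed for the demo; a hit marks a folder to review and does not show that the DLL itself is infected.

```python
import os
import stat

# Assumption: folder names where a RICHED20.DLL copy is expected (not from the post).
SYSTEM_DIRS = {"system32", "system", "dllcache"}

def audit_share(root):
    """Report folders under root holding .eml files or a RICHED20.DLL outside system dirs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        emls = sorted(n for n in files if n.lower().endswith(".eml"))
        dll = next((n for n in files if n.lower() == "riched20.dll"), None)
        stray = dll is not None and os.path.basename(folder).lower() not in SYSTEM_DIRS
        if not emls and not stray:
            continue
        writable = None
        if stray:
            # Only the read-only attribute is checked; share and NTFS delete
            # permissions still have to be reviewed separately.
            mode = os.stat(os.path.join(folder, dll)).st_mode
            writable = bool(mode & stat.S_IWUSR)
        findings.append({"folder": os.path.relpath(folder, root), "eml_files": emls,
                         "stray_dll": stray, "dll_writable": writable})
    return sorted(findings, key=lambda f: f["folder"])

def build_sample_share(root):
    """Constructed sample tree for the demo; file contents are placeholders."""
    layout = {
        "docs": ["report.doc", "readme.eml", "RICHED20.DLL"],
        "templates": ["RICHED20.DLL"],
        "clean": ["notes.txt"],
        os.path.join("WINNT", "system32"): ["riched20.dll"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            path = os.path.join(root, folder, name)
            with open(path, "w") as fh:
                fh.write("placeholder")
            os.chmod(path, 0o644)
    # The mitigation from the post: a read-only clean copy in a writable folder.
    os.chmod(os.path.join(root, "templates", "RICHED20.DLL"), 0o444)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for finding in audit_share(tmp):
            print(finding)
```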


Nimda Virus that wont DIE

by Xanderoth In reply to Nimda Virus that wont DIE

Wow- I must say I feel bad for rejecting these answers. I can tell you that all security patches have been installed and installed again. We are running Win2k server and professional on all machines, all have IE6.0. All service packs are in place.
We used Symantec's site previously and followed all the steps in removal of the virus- which was successful. Network and internet was disconnected. Everything virus free. Only after reconnected to internet and network, day later, did we get the virus again...


Nimda Virus that wont DIE

by Xanderoth In reply to Nimda Virus that wont DIE

HA HA! I found it!

We connect to the internet via cable modem. If you browse network neighborhood you can view other cable modem users outside of our network. Our cable modem provider, COX communications, says we could be getting it through open shares on other COX internet users outside of our physical network, but within our TCP/IP network. It is a small company, so they had no firewall, but it will be installed today. Thanks for the help though people.


Nimda Virus that wont DIE

by Xanderoth In reply to Nimda Virus that wont DIE

This question was closed by the author
