NIMDA VIRUS

By lmcdonald ·
We contracted the NIMDA virus a couple months ago. It was removed using the FIXNIMDA tool from all our users. I have an IP Share device on our NT Server (4.0) which enables everyone to access the internet through the external NT modem. We also run a Novell Server that is also networked with the NT server. After running the FIXNIMDA, I have several users that the virus keeps recurring on. One user in particular keeps getting the recurring Word and Excel (Office 2000) problems that this virus creates. This is not a person that normally uses email or the internet. I know I must be missing something. I can run the FIXNIMDA until the virus is removed, then run the DLL extract and everything will be fine. Sometimes for a couple days, sometimes for a couple hours. Does anyone have a clue how I can permanently rid this computer of the virus?

Thanks for the help!
lmcdonald@wickett-craig.com


NIMDA VIRUS

by DKlippert In reply to NIMDA VIRUS

I always start out by searching for and renaming any Normal.dot files on the machine (there should be only one).
Try replacing Riched20.dll (a hidden file) in the System folder from the installation CD.
Part of the Nimda infection is to place Riched20.dll in network shared folders. When you try to open a Word, Excel, etc. file from the shared folder, Nimda is activated.


NIMDA VIRUS

by TechKid In reply to NIMDA VIRUS

Try checking their floppy disks too.


NIMDA VIRUS

by robert.marsh In reply to NIMDA VIRUS

Besides the aforementioned NORMAL.DOT and RICHED20.DLL, if you have ANY computer that has IIS, right-click and open with Notepad all HTM files, scroll to the bottom and see if you have a line referring to "README.EXE". Also, at the user's station, MANUALLY REMOVE ALL "mep*.*", "*.eml", and "*.htm" files. And, since you have become familiar with the size of the DLL files, recheck THEM manually and replace them.

Also, check the registry on any Win OS system for references to the above file types and the readme.exe file. If found, remove them. And check in the same manner on the Novell box.

That oughta do it.
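The manual checks DKlippert and robert.marsh describe above (planted Riched20.dll copies on a share, more than one Normal.dot, leftover .eml and mep*.* files, HTM pages carrying a README.EXE reference) can be run as one read-only sweep of a mapped share before anything is deleted. The script below is an added example and is not from the thread; the share layout it scans is constructed inline, the file names in it are illustrative assumptions, and the readme.eml indicator comes from the public Nimda write-ups rather than from this thread.

```python
import fnmatch
import os
import re
import tempfile

# HTM/ASP pages carrying a README.EXE reference (named in the thread) or the
# readme.eml that public Nimda write-ups describe; matched case-insensitively.
README_REF = re.compile(rb"readme\.(exe|eml)", re.IGNORECASE)
# File-name patterns the replies say to hunt for on a share or user station.
NAME_PATTERNS = {
    "eml_files": "*.eml",
    "mep_tmp_files": "mep*.*",
    "riched20_copies": "riched20.dll",
    "normal_dot": "normal.dot",  # more than one copy is suspicious
}

def scan_share(root):
    """Walk a share read-only; return {category: sorted relative paths}."""
    hits = {**{key: [] for key in NAME_PATTERNS}, "htm_with_readme_ref": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for key, pattern in NAME_PATTERNS.items():
                if fnmatch.fnmatchcase(name.lower(), pattern):
                    hits[key].append(rel)
            if name.lower().endswith((".htm", ".html", ".asp")):
                with open(path, "rb") as fh:
                    if README_REF.search(fh.read()):
                        hits["htm_with_readme_ref"].append(rel)
    return {key: sorted(paths) for key, paths in hits.items()}

def scan_demo_share():
    """Write a constructed share (clean page plus planted look-alikes), scan it."""
    files = {  # constructed sample layout, names are assumptions
        "docs/riched20.dll": b"copy planted next to Office files",
        "docs/readme.eml": b"MIME-Version: 1.0",
        "web/index.htm": b'<html><script>window.open("readme.eml")</script>',
        "web/about.htm": b"<html>nothing unusual here</html>",
        "tmp/mep1A2B.tmp.exe": b"MZ",
        "templates/Normal.dot": b"the one legitimate template",
        "user/normal.dot": b"unexpected second copy",
    }
    with tempfile.TemporaryDirectory() as share:
        for rel, data in files.items():
            os.makedirs(os.path.join(share, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(data)
        return scan_share(share)
```

Point `scan_share()` at a mapped share or user profile to get the per-category list; the clean about.htm in the sample shows that only pages actually referencing the dropped file are flagged.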


NIMDA VIRUS

by mike_mds In reply to NIMDA VIRUS

I would highly recommend reading the following write-up on Nimda:

http://www.incidents.org/react/nimda.pdf

You can skip to the last several pages for information on removing, but I would at least skim through the bulk of it.
