Catdog02 0 Posted May 27, 2002 Not strictly an "application" I know, but I wanted this to get noticed, and I suspect there is a trojan involved - which IS technically an program... I have a recurring virus on an NT 4.0 server. Every couple of days I'm finding a w32 Nimda virus has found its way into C, the virus is undetected by Mcaffee corporate, until the scanner is run, the system is cleaned, no (apparent) harm done. meaning that the antivirus can see the virus - which is now an old, outdated strain. We have a very effective security policy implememnted, I'd rather not publish the specific details, but there is an effective firewall and port 25 traffic is routed to an email scanner, which automatically deletes anything it doesn't like the look of. All the systems are updated with the newest updates on a regular basis, and the firewall ports are kept to a minium number open - 80, 21 etc Any sugestions on what to look for? The NT system is bare minimum, with only a handful of applications installed. The virus itself is the type that modifies the guest account, giving it Domain admin privelleges, we don't use the guest account here either. I'm confident of the security regarding traffic coming in from the internet, and I suspect that possibly the RAS is to blame. Still if anyone has had a similar problem, I'd love to hear about it. Share this post Link to post
Xiven 0 Posted May 27, 2002 As far as I can recall, Nimda spreads by 3 methods: e-mails, open network shares and by exploiting a flaw in IIS (which only requires port 80). You seem to have the e-mail one covered, so check that all your IIS servers are fully patched, and check that the infected machines don't have any world-writable shares. Share this post Link to post
Sampson 0 Posted May 27, 2002 If you have the nimda virus, it is the devil to root out, most particularly if you are using Office apps since it corrupts or exchanges its .dlls. Here are three places you might want to read further on it: http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html http://www.sophos.com/support/faqs/nimda.html Share this post Link to post
clutch 1 Posted May 27, 2002 Have you applied the IIS patches? The Novell admin for a sister company that I work with kept having the same type of issue with CodeRed2, and what was happening is that she would apply the patch while the system was online with the Internet (hosted Outlook Web Access and Exchange) and would then reboot. Well, it would always reinfect the box since it was never cleared from memory. I went out there and took the box offline from the firewall (no Internet access, and no local systems were trying to infect it), rebooted it, and then applied the patches and rebooted it. Once that was done, I installed and configured URLScan and there hasn't been an issue since for her. Share this post Link to post
