Nimda.A Virus!


Scupper
09-18-2001, 02:10 PM
Well, like many companies, we were hit today by the Nimda.A virus.

If anybody out there has been successful in containing and protecting against this virus, I would very much appreciate any advice you pass on.

micco
09-18-2001, 02:34 PM
There's info here:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml

The best protection is to avoid running the EXE email attachment to begin with. I haven't seen details on exactly what the worm is exploiting in IIS and whether a patch will be forthcoming from Microsoft.

evilhanz
09-18-2001, 03:28 PM
The server portion of the virus exploits the old Unicode Directory Traversal Vulnerability, which should have been patched long ago. Here's more information (but no solution) from ZDNet, Lethal worm spells double trouble (http://www.zdnet.com/zdfeeds/msncobrand/news/0%2C13622%2C5097089%2C-hud00025nshm3%2C00.html).

Morbo
09-18-2001, 04:04 PM
Search your system root folder (usually c:\) for a file called admin.dll. (Note: this file may also appear in other directories, so look for one specifically in your system folder.)

If you find admin.dll in your system root folder, you're infected.

I haven't seen anything internally about a solution yet.

KeithB
09-18-2001, 04:14 PM
I find this difficult to believe, but our MIS folks told us to turn off the AutoPreview in Outlook. This virus can run itself in the preview pane.

Arghh! The one thing I liked about Outlook -- autopreview -- and I cannot use it anymore!

CurtC
09-18-2001, 05:21 PM
Keith, this makes my BS detector go off, too. Is there any evidence, other than what Keith's IT people say, that Outlook's AutoPreview can execute attachments? This would be an unbelievably large security hole, even for a Microsoft product.

BTW, I use Outlook at work, and I'm still looking for something kind to say about it.

KeithB
09-18-2001, 05:35 PM
Well, McAfee says:
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

Note the part about propagating "on access without users knowledge." That seems to imply that it works on preview, since it is a sound file spoof, I guess I can believe that.

Xixox
09-19-2001, 04:30 AM
I caught Nimda today, coinkydinkally I noticed it right after viewing this thread. Here's a rundown of the hurdles I had ta go through to clean up. For primer info, I've got 2 computers networked together, each with their own cable modem connection; both are running Win98 SE.

1. First noticed an oddity on the desktops on both PC's. Two new files popped up spontaneously - extension .eml (saved EMail message). Their filenames were copied from gif image files in My Documents. Luckily I had just read the links that micco had posted, so I knew not to doubleclick the files to open them (supermegathanks micco!)

2. I hit Norton's antivirus page for the cure, but apparently it was still being worked on at their apothecary.

3. Here's the damage done by the virus for me:
Thousands of .eml and .nws (EMail and News files for Outlook) files were created, one or more in each folder on both computers.
Files named mep*.tmp.exe were put into c:\windows\temp\.
File c:\windows\system.ini was changed. The line shell = explorer.exe changed to shell = explorer.exe load.exe -dontrunold.
File c:\windows\system\load.exe was created.
File readme.exe created somewhere in the Temporary Internet Files folder.
File c:\windows\wininit.ini hacked to execute mep*.tmp.exe files on next startup.
Files riched20.dll created in several folders.
Drive sharing permissions on all drives set to Full access.
I didn't get the file admin.dll though - I'm guessing that it only nails webservers with that one.

4. I disconnected both cable modems and severed the network connection between the 2 computers. Then I dropped to DOS, unhacked system.ini; then deleted wininit.ini, load.exe, all mep*.tmp.exe files, and rebooted into Windows safe mode.

5. Searched for all .eml, .nws, riched20.dll, and readme.exe files, and deleted them. Changed drive sharing specs back to password protection & rebooted each computer.

6. Reconnected computers to their cable modems, but left the network connection off. By then, the new virus definitions were available. Scanning each comp for viruses came up with over 4000 more .eml and .nws files. Totally boggled me how the virus could restart itself after I cut its roots, but then I noticed that I missed a few of the .eml files. The search routine skipped c:\windows\start menu\startup\*.eml, as well as Network Neighborhood :confused:

7. Repeated steps 4, 5, and 6 (including re-checking virus definitions). Downloaded Microsoft's spackle for the security hole, and so far as I can tell I'm clean now.

http://www.microsoft.com/downloads/ has patches for IE, which will (or should, anyway) also fix the breach in Outlook Express. On my computer I installed IE 6.0; my wife just wanted IE 5.5's spacklepack. I think it's listed as Internet Explorer 5.5 Service Pack 2.

Altogether about 8 hours wasted, between searching for virus info, deleting & re-deleting files that wouldn't stop reappearing, 3 full system scans at highest security, and many reboots. If I ever bump into the guy that made this, I'm gonna get Mord'Sith on 'em :mad:

CnoteChris
09-19-2001, 08:23 AM
Originally posted by KeithB
I find this difficult to believe, but our MIS folks told us to turn off the AutoPreview in Outlook. This virus can run itself in the preview pane.

Arghh! The one thing I liked about Outlook -- autopreview -- and I cannot use it anymore!

Huh.

I just checked to see if someone had responded to my post in this thread, and notice my post from ten minutes ago didn't take.

Somewhere out there, I have a post floating around.

I try it again-

I too like the AutoPreview function in Outlook. After reading about future virus's ability to run in the preview pane, I went in to disable it.

Now I know this thing is somewhere in Outlook, but for the life of me, I can't find it.

Where are you disabling AutoPreview?

Thanks.

micco
09-19-2001, 08:28 AM
Originally posted by CurtC
Keith, this makes my BS detector go off, too. Is there any evidence, other than what Keith's IT people say, that Outlook's AutoPreview can execute attachments? This would be an unbelievably large security hole, even for a Microsoft product.

On the contrary, this seems pretty obvious to me. I don't use Outlook (because of the myriad holes, cracks, blunders, and failings) so I'm not familiar with this specific functionality. However it makes sense to me that if you "preview" something, the computer has to do pretty much the same thing you do when you open the file, it's just displaying it differently, kind of like a thumbnail. Perhaps these documents actually save a separate preview image, much like some image formats save a thumbnail. However, this seems unlikely in general and I suspect that Outlook is simply opening the file and displaying it in a preview window instead of in the native app.

CurtC
09-19-2001, 08:34 AM
To disable AutoPreview for a particular folder, highlight it, then click View, AutoPreview. I don't think this does every folder, and I'm not sure how to do that, but I think your Inbox folder is the most important one to do.

The McAfee site about this worm says "simply visiting a web site that is compromised can infect your computer." I guess this is if you're using IE. Talk about a security hole!

CurtC
09-19-2001, 08:39 AM
micco wrote:
However it makes sense to me that if you "preview" something, the computer has to do pretty much the same thing you do when you open the file, it's just displaying it differently, kind of like a thumbnail.

But that's not what AutoPreview does. It simply displays the first few lines of the text part of the message, just below the subject line, in the message list pane. It does this only for unread messages. It's not a bad feature, but I don't use it because the previews take up too much screen real estate. It's not supposed to open any attachments.

For quite a while, I've been telling people that you can't get infected with a worm or a virus just by reading the text part of a message, without deliberately opening an attachment. I'll have to modify my spiel with the disclaimer "unless you're using a Microsoft product."

CnoteChris
09-19-2001, 08:45 AM
Hmmm... I don't see it, Curt.

When I right click Inbox, I get 'open' 'find' and 'properties', but I don't get 'view'. As a matter of fact, I don't see where, anywhere, that it's an option.

And for the record, it's version 5.5.

I know I had to enable this once, but that was a while ago. Since then, I've updated and patched the thing as warnings came out from MS.

I think it's previewing, because pictures will auto-load, but .exe's don't. For .exe's and attachments, I normally have to go in and physically tell Outlook to run it (I never do, but it's the option).

Am I on the same page as everyone else on the preview thing? Or am I thinking of something else?

micco
09-19-2001, 08:50 AM
Originally posted by CurtC
But that's not what AutoPreview does. It simply displays the first few lines of the text part of the message, just below the subject line, in the message list pane.

Thanks for the correction. I incorrectly assumed it was previewing attachments, not message body. As you note, this is still a vulnerability since Outlook will process whatever malicious script the sender has embedded in the HTML body, but you get that if you open the message anyway.

Will Outlook let you turn off HTML/script in the body and just view plain text? Eudora won't, which is one of my peeves with my client-of-choice. Eudora will let you strip HTML from outgoing mail (so you don't end up sending markup in replies and forwards), but it won't let you strip it from incoming which is where the real vulnerability lies.

KeithB
09-19-2001, 09:40 AM
Cnote:

It is in the main menu bar: File, Edit, View...

If you are using 2000 you may need to hold over the double arrow at the bottom to make all the not-recently-used menu items show up. There is also no indication whether preview is on or off, you just select the menu item and it toggles. (I think something like the Amiga's checkmarks would be good here.)

Ravendriver
09-19-2001, 10:27 AM
I've got 3 "admin.dll"'s and they have Modified Dates of 11/12/96 and 5-30-01. Two of them are in C:\WEBSHARE\WWWROOT\_vti_bin\vti_adm. The other is in the Microsoft FrontPage folder.

Aren't they supposed to be there?

CnoteChris
09-19-2001, 11:03 AM
Originally posted by KeithB
It is in the main menu bar: File, Edit, View...

I'm sorry Keith, I know you're trying to help, but I don't have that as an option.

I've highlighted Outlook Express, Local Folders, and Inbox, but none give me the options you're describing. Even right-clicking doesn't bring up any of those options.

Honestly, I'm looking everywhere, but I can't find any reference to AutoPreview, or something similar.

I appreciate the reply, however.

Old Bull
09-19-2001, 01:57 PM
"If I ever bump into the guy that made this, I'm gonna get Mord'Sith on 'em." (Xixox)


Man I love the reference to Mord'Sith...I can think of a bunch of people that need this treatment :)

As to the question of the preview pane starting a virus on its course...I find it hard to believe as the preview will not actually execute a file....but I could be wrong....has happened before.

CurtC
09-19-2001, 02:19 PM
CnoteChris, you're apparently using Outlook Express, which is completely different from Outlook. It's unfortunate that MS chose such similar names, because the products are so different. Outlook Express comes with Internet Explorer, but Outlook is sold by MS for real money.

smoke
09-19-2001, 02:23 PM
Originally posted by CnoteChris
Originally posted by KeithB
It is in the main menu bar: File, Edit, View...

I'm sorry Keith, I know you're trying to help, but I don't have that as an option.

I've highlighted Outlook Express, Local Folders, and Inbox, but none give me the options you're describing. Even right-clicking doesn't bring up any of those options.

Honestly, I'm looking everywhere, but I can't find any reference to AutoPreview, or something similar.

I appreciate the reply, however.

Cnote,
In my Outlook, I bring down the "View" pulldown, and there's a button for AutoPreview. I know you said you don't have that option, but I thought maybe you were mixing the earlier suggestion of right-clicking on individual folders up with this solution. Sorry if this was not the case.

-j

Liberal
09-19-2001, 02:41 PM
Here's the straight dope on Nimda (Admin backwards) from Symantec (http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html). This worm/virus doesn't need e-mail. You can possibly get it from any IIS server under certain circumstances.

slortar
09-19-2001, 02:49 PM
Can I join in on the beating when they find whoever did it? I just had to clean 3 infections of my company's network and clear off all the nimda-spam from our networked drives. Irritating. 8 hours down the freaking tubes.

Hanna
09-19-2001, 02:59 PM
CnoteChris, if you are using Outlook Express, it is called "preview pane". I turned it off a long time ago. Open Outlook Express, on the very top is the main menu bar with File, Edit, View, Tools, Menu, Help. Click on "view", then choose "layout" and look halfway down. Uncheck the box that says "view preview pane".

That should do it.

CnoteChris
09-19-2001, 03:40 PM
Originally posted by Boscibo
That should do it.

Thank you! It did.

Cicero
09-19-2001, 03:56 PM
Why are you turning off the preview pane? Won't you still have to look at the e-mail (unless you are going to delete unread mail).

Wouldn't it be easier just to download IE 6 which I understand doesn't have the vulnerability?

Hanna
09-19-2001, 04:05 PM
Cicero, by turning off the preview pane I can delete the email without having to open it, or taking the chance of a "bad" email accidentally opening. In my case, I get a lot of email I am not interested in reading (not spam, but some other sales stuff, I am interested in a very small percent of the stuff for sale), and I can scan subject lines and open and read only the ones I choose to and delete the rest. I am using IE 6, it still has the preview pane viewable by default. Using the preview pane automatically opens the last email, I don't want *any* of my email automatically opening.

Glad it worked for you Cnote.

Liberal
09-19-2001, 04:05 PM
You can right click the e-mail and click Properties. Then click the Details tab. Finally, click Message Source.... This gives you a plain ANSI dump of the file, so you can read whatever's in it without opening it. Edlyn and I view all our e-mail this way, even if we know whom it is from. Yes, it's a lot of trouble, but worth it, in our view.

Guinastasia
09-19-2001, 04:13 PM
Originally posted by Dooku
Search your system root folder (usually c:\) for a file called admin.dll. (Note: this file may also appear in other directories, so look for one specifically in your system folder.)

If you find admin.dll in your system root folder, you're infected.

I haven't seen anything internally about a solution yet.

I didn't find a single file with that name, so does that mean I'm not infected?

I have a lot of questions, because the updates and information sites are very confusing to me. SHOULD I download the patch-I had to junk the anti-virus software, because it kept fucking up my computer.

Cicero
09-19-2001, 04:35 PM
Originally posted by Boscibo
Cicero, by turning off the preview pane I can delete the email without having to open it, or taking the chance of a "bad" email accidentally opening. In my case, I get a lot of email I am not interested in reading (not spam, but some other sales stuff, I am interested in a very small percent of the stuff for sale), and I can scan subject lines and open and read only the ones I choose to and delete the rest. I am using IE 6, it still has the preview pane viewable by default. Using the preview pane automatically opens the last email, I don't want *any* of my email automatically opening.

Glad it worked for you Cnote.

As the content of most messages needs to be viewed to establish whether or not they are worthwhile, disabling the preview pane has little merit. It is (in my view) far better to ensure your anti virus gear is up to date and you have installed the required patch.

To clean the virus go here http://www.quickheal.com/nimda.htm
:p

Hanna
09-19-2001, 06:25 PM
Cicero, I do indeed keep my anti-virus program updated. In my case though, I can usually tell if I want to read an email solely from the subject line, or by the sender. I save a lot of time by deleting about half the stuff I get. I don't need or want to open these, so they go bye-bye. The preview pane is a waste of time and space in my case, and I personally have no use for it. YMMV.

Markxxx
09-19-2001, 07:34 PM
Isn't Express the FREE version of MS Outlook. That is why it isn't as good.

Our company sent out a patch and the patch was buggy. So thus I infected my computer by running this buggy thing.

Some of the files it was duping looked pretty interesting. I don't have outlook express. If I did could I have read these?

CnoteChris
09-19-2001, 09:06 PM
Originally posted by Libertarian
Edlyn and I view all our e-mail this way, even if we know whom it is from. Yes, it's a lot of trouble, but worth it, in our view.

And somebody had the nerve to call me paranoid. -smile-

Like Boscibo, the e-mail I get is mostly from people I know. The -knock on wood- few outside emails I get I want to delete without even looking at them, or having them even load onto my system.

To me, it just isn't worth it to open anything I don't recognize.

Falchoon
09-19-2001, 11:06 PM
Does this virus thing affect Hotmail accounts? They have a McAfee virus detector/fixer thing as part of it but I was just wondering because as soon as you open an e-mail with a pic as an attachment you get to see the pic. I never open any .exe files regardless of who sent them in any case but from what I've been reading here you can catch it without doing this. I have never used Outlook so I don't know how it works.

Cicero
09-19-2001, 11:22 PM
Originally posted by CnoteChris


Like Boscibo, the e-mail I get is mostly from people I know. The -knock on wood- few outside emails I get I want to delete without even looking at them, or having them even load onto my system.

To me, it just isn't worth it to open anything I don't recognize.

But the problem is that you will get e-mail viruses from people you know. And let's not forget e-mails are only one vector for viruses anyway.
:)

Chas.E
09-19-2001, 11:36 PM
FYI, the definitive, detailed info on the effects of nimda as a whole is at http://www.incidents.org where they are tracking its spread and the level of network disruption. Threat level is currently Yellow Alert, and I expect it to go Orange Alert at any moment, just like it did when Code Red hit. When the threat level hits Red, the whole internet is dead.

CurtC
09-19-2001, 11:39 PM
Markxxx wrote:
Isn't Express the FREE version of MS Outlook. That is why it isn't as good.

They're actually completely different, separate programs.

Outlook can handle e-mail as well as contacts, appointments, and tasks. It can be "automated" by an external program that communicates with Outlook through Windows calls. People in a workgroup can access shared folders and calendars.

Outlook Express does e-mail as well as newsgroups (Outlook can't access newsgroups). No contacts, calendar, sharing, etc.

The programs look and feel as if they were written by two different companies, in different countries.

CnoteChris
09-20-2001, 07:13 AM
Originally posted by Cicero
But the problem is that you will get e-mail viruses from people you know.

Tell me about it. Two days ago I had to put a good friend of mine from childhood on my 'Block Sender' list.

I haven't had the heart to explain to him yet why I did it.

I did it because he seems to forward every piece of e-mail to me that he gets. Everything.

Somehow I think he thinks he's being helpful, but all it does is make me lose respect for him each time I open up a new message from him- "Bulletin. E-mail this to everyone. Tonight we need to show Ohsamma Binn Laudin our resolve. Walk out at midnight and light a candle. A satellite will be watching and sending him.... on and on and on."

Sigh.

So I put him on my blocked list.

CurtC-

Just a small point, but using Outlook Express, I do have contacts in OE.

As a matter of fact, I prefer OE to regular 'ol Outlook (I used it at an office job about two years ago). For me, I like the streamlined nature of OE.

sailor
09-20-2001, 07:44 AM
Outlook and Outlook Express are completely different. OE is part of Internet Explorer and displays HTML just like IE and suffers from the same characteristics. When you preview an HTML email you are just displaying HTML just like a web page.

In OE click tools / options / connections / internet connection settings change / security / and put OE in "restricted sites" (or whichever you want) to prevent it from running applets etc. Remember, OE is just an extension of IE.
Microsoft Security Bulletin (MS01-020) (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp) and patch which covers this hole were published back in March... it seems people have not installed it.

It seems the hole is present only in IE 5.01 and 5.5. I have IE 5.00 so I should be safe.

CnoteChris
09-20-2001, 08:13 AM
Will do, sailor.

Thanks.

Guinastasia
09-20-2001, 08:16 AM
How do I figure out which version of IE I have?

sailor
09-20-2001, 08:48 AM
>> How do I figure out which version of IE I have?

Just like with any Win program: on the top menu click help / about.

Guinastasia
09-20-2001, 08:59 AM
I figured that out right after I got my post here-d'oh!

Silly me. I have 5.5...I'm still so confused though...

sailor
09-20-2001, 09:54 AM
- Install the patch for this hole
- Configure OE to not run scripts as explained above
- Don't "open" executable attachments
- Eat lots of vegetables and fiber
- Floss often
- Don't drink and drive
- etc

Guinastasia
09-20-2001, 04:26 PM
Thanks, Sailor. Do I just download it into my Windows folder?

Hanna
09-20-2001, 05:00 PM
One thing I have read is that this specific virus - nimda.a - does not affect Internet Explorer 6. I have been running IE 6 since it was released a few weeks ago, and have had no problems with this version so far (other than the quicktime thing, but there's a patch for that). It might be a good time to upgrade now, if you were thinking about it already.

sailor
09-20-2001, 05:12 PM
I believe this virus exploits that hole mentioned which exists *only* in the two versions mentioned of IE/OE and would not affect earlier or later versions. For those two versions there has been a patch for quite a while ... the problem is most people do not keep their patches up to date.

Guinastasia, I have not installed any patches in a while now but I assume if you just click on the link you should get the necessary directions on how to do it. If you have to download and run a file, then I would put it in the TEMP folder and you can delete it once it has installed the patch. It really should be pretty simple.

Guinastasia
09-20-2001, 05:27 PM
Thanks.

I'm sorry to keep bugging you guys, but I am just so CLUELESS when it comes to this sort of thing. And the information pages don't help much.

Guinastasia
09-20-2001, 05:34 PM
I searched for the Admin thing, and didn't find it, so I'm ASSUMING I don't have it...yet.

BUT, if I download this patch, will it prevent the virus from happening, or if the virus is secretly there, will it fix it?

Guinastasia
09-20-2001, 05:47 PM
Okay,
I downloaded the patch. Before I did so, I checked BOTH my C AND D drives for the admin file and did not find a thing.

When I went to INSTALL the patch, it told me device does not need to be installed on this system, or something like that...huh?

Caldazar
09-20-2001, 05:55 PM
Originally posted by Guinastasia
I searched for the Admin thing, and didn't find it, so I'm ASSUMING I don't have it...yet.

BUT, if I download this patch, will it prevent the virus from happening, or if the virus is secretly there, will it fix it?

The admin.dll file will only show up in root directories of your hard drive partitions (C:\, D:\, E:\, etc...) and should only show up if you are running an IIS web server. Any other admin.dll files (if any are present) are likely legitimate files.

Regarding the patch for Internet Explorer 5.x, it just patches a security hole in the web browser that allowed things to automatically download and run in the background without asking the user first. If you're already infected, patching won't clean up or stop the virus.

For most workstations (Windows 95, 98, ME, NT 4, 2000), the telltale signs of a Nimda infection are the presence of a load.exe file in your C:\Windows\System directory (load.exe will be a hidden file), the calling of load.exe in the System.Ini in your C:\Windows folder (the line in System.ini will read: shell=Explorer.exe load.exe -dontrunold), and the presence of a large number of files with EML and NWS extensions.

Various antivirus software vendors have released free utilities that will detect Nimda on your system, and eradicate the virus if it is found. Symantec's can be found here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

NAI/McAfee's is here:

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn
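
The signs listed in Xixox's and Caldazar's posts above can be checked in one pass over a drive or a mounted image of it. This is an added example, not code from any poster or vendor tool; the function names, the `windows_dir` parameter, reading `shell=` from the `[boot]` section, and the sample tree are assumptions or constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)
MEP_RE = re.compile(r"mep[^\\/\s]*\.tmp\.exe", re.IGNORECASE)


def suspicious_shell(system_ini_text):
    """Return the [boot] shell= value if it starts anything besides explorer.exe."""
    section = ""
    for line in system_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        match = SHELL_RE.match(line)
        if section == "boot" and match and match.group(1).lower() != "explorer.exe":
            return match.group(1)
    return None


def read_text(path):
    with open(path, encoding="latin-1") as handle:
        return handle.read()


def scan(root, windows_dir="windows"):
    """Walk one drive (or a mounted image of it) and report the signs listed in the thread."""
    win = windows_dir.lower()
    findings, mail_files = [], 0
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        rel = "" if rel == "." else rel
        parts = rel.split("/")
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low.endswith((".eml", ".nws")):
                mail_files += 1
                # Xixox's file search skipped the Startup folder, so report it separately.
                if parts[-1] == "startup" and "start menu" in parts:
                    findings.append(("startup-mail-file", full))
            elif low == "admin.dll" and rel == "":
                # Only the drive root counts; copies elsewhere are likely legitimate.
                findings.append(("admin.dll-in-root", full))
            elif low == "load.exe" and rel == win + "/system":
                findings.append(("load.exe", full))
            elif rel == win + "/temp" and fnmatch.fnmatch(low, "mep*.tmp.exe"):
                findings.append(("mep-temp-exe", full))
            elif low == "system.ini" and rel == win:
                shell = suspicious_shell(read_text(full))
                if shell:
                    findings.append(("system.ini-shell", shell))
            elif low == "wininit.ini" and rel == win and MEP_RE.search(read_text(full)):
                findings.append(("wininit.ini-mep", full))
    return {"findings": sorted(findings), "mail_files": mail_files}


def build_sample_tree(root, infected):
    """Constructed sample: a tiny Win98-style layout, clean or with the thread's signs."""
    files = {
        "windows/system.ini": "[boot]\nshell=Explorer.exe\n",
        "WEBSHARE/WWWROOT/_vti_bin/vti_adm/admin.dll": "",  # not in the drive root
    }
    if infected:
        files.update({
            "windows/system.ini": "[boot]\nshell=explorer.exe load.exe -dontrunold\n",
            "windows/system/load.exe": "",
            "windows/temp/mepA1B2.tmp.exe": "",
            "windows/wininit.ini": "[rename]\nNUL=c:\\windows\\temp\\mepA1B2.tmp.exe\n",
            "windows/start menu/startup/photo.eml": "",
            "my documents/photo.eml": "",
            "my documents/photo.nws": "",
            "admin.dll": "",
        })
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as handle:
            handle.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected=True)
        report = scan(tmp)
        for kind, detail in report["findings"]:
            print(kind, detail)
        print("eml/nws files:", report["mail_files"])
```

As Oblong's and Xixox's posts describe, run a check like this with the machine disconnected from the network, since files reappeared while shares were still reachable.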

Guinastasia
09-20-2001, 06:06 PM
I did the system.ini thing, and it worked. I didn't have the dontrun thing in Shell. Whew!!!

Once again, thank you for being so patient with me-when it comes to Viruses, I'm EXTREMELY ignorant.

Manduck
09-20-2001, 06:11 PM
Originally posted by Guinastasia
I did the system.ini thing, and it worked. I didn't have the dontrun thing in Shell. Whew!!!

Once again, thank you for being so patient with me-when it comes to Viruses, I'm EXTREMELY ignorant.

You shouldn't have to do anything to your system.ini. The line should just say "shell=explorer.exe". The "load.exe -dontrunold" is something that the virus puts there! If you don't have that, it means you don't have the virus.

Guinastasia
09-20-2001, 06:16 PM
Exactly. I meant, I ran system.ini, to check, and didn't have it.

I have the patch, and feel much better now.

Manduck
09-20-2001, 09:22 PM
Originally posted by Guinastasia
Exactly. I meant, I ran system.ini, to check, and didn't have it.

I have the patch, and feel much better now.

Glad to hear it - carry on :)

Markxxx
09-20-2001, 10:30 PM
Don't want to start another thread so I'll ask here.

First of all I HATE THIS THING!!!

OK

After spending Two days battling it I think I have got it under control. I am a systems analyst not a computer MIS person but I am all the company has got at the moment.

I have upgraded all the computers to the second version of IE 5.5. I have downloaded the patch from McAfee.

I have done the system.ini to make sure the script is correct so I don't get that load error.

I have enabled all the McAfee scans and I noticed the scans if I try to go into an infected file will catch it.

Our network drives have been scanned.

Now is this the end. Our company recently cut back people to 32 hours and laid people off due to the economy so we don't have an MIS guy full time only on call once a week.

Is this enuff? The thing that concerns me is I have scanned all the drives I know and STILL when I run my computer it will come up with the bug being shaken. So that must mean it is somewhere right?
I am able to delete it immediately and my computer runs fine except for the occasional bug comes up and I delete.


Our company stopped our internet so no one has it. So we can't be getting it there.

We still are getting email thru corporate.

The MIS guy comes in next week.
To fix it right but any other ideas or should this hold it?

Thanks

Cicero
09-21-2001, 04:33 PM
Thanks Sailor- that was very helpful. As regards versions of IE, if you go here it will tell you what patches are available for your version. It will also enable you to update to IE 6- I've been using it since it was a beta version some months back and I have had no problems (which is unusual). Also, it is worthwhile to enable "critical updates" so you are advised when a patch is available.

:wally

Oblong
09-21-2001, 07:54 PM
Markxxx...

Here's what I did.

McAfee has a fix that you can put on a floppy. You can find a link to it on their main page. That was easier than doing a whole virus scan because it only searches for that.

I told everyone to go to lunch for about an hour. I first ran the patches for IIS. I disconnected all their computers from the network, disconnected the servers from the network and shut down the internet. That way, I had 9 independent machines with no connection to each other. I ran that fix on each machine at the same time, it took about 15 minutes. I ran it again, just to be sure. Then I plugged the servers back into the network. Did a check on those. Plugged the PCs back to the network, had everybody log in, and checked again. I waited about 30 minutes and no one had it, so I turned the internet back on.


You may be making the mistake I made, I kept the computers connected while scanning and fixing and it would just reappear. I would disconnect everyone from the network, then scan and fix. Only connect everyone once you are sure they all are free.

Cicero
09-21-2001, 08:11 PM
And here's the site I forgot to include : http://windowsupdate.microsoft.com/

sailor
09-21-2001, 11:49 PM
As I have said in the past, I have never used antivirus software (they seem to cause more trouble than they're worth) and I have *never* had a virus infection.

- I never run anything I receive unless I know exactly what I am doing. If in doubt I will email it to myself at hotmail which scans for viruses.

- I have closed my ports and configured the bindings as explained in Shields Up: http://grc.com/default.htm

- I have uninstalled Windows Scripting Host
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000050512031906
http://www.datafellows.com/virus-info/u-vbs/uninstall-vbs.html

- I have configured IE/OE to limit activeX and scripts, very specially in emails where *everything* is disabled.

I realise when you have several people sharing computers it is more difficult to maintain discipline but I do not have this problem as I am the only one who uses it. Never had a virus problem.

sailor
09-21-2001, 11:55 PM
How to Disable Active Scripting in Outlook Express:
http://www.microsoft.com/technet/support/kb.asp?ID=192846