Well, like many companies, we were hit today by the Nimda.A virus.
If anybody out there has been successful in containing and protecting against this virus, I would very much appreciate any advice you pass on.
There’s info here:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
The best protection is to avoid running the EXE email attachment to begin with. I haven’t seen details on exactly what the worm is exploiting in IIS and whether a patch will be forthcoming from Microsoft.
The server portion of the virus exploits the old Unicode Directory Traversal Vulnerability, which should have been patched long ago. Here’s more information (but no solution) from ZDNet, Lethal worm spells double trouble.
Search your system root folder (usually c:) for a file called admin.dll. (Note: this file may also appear in other directories, so look for one specifically in your system folder.)
If you find admin.dll in your system root folder, you’re infected.
I haven’t seen anything internally about a solution yet.
I find this difficult to believe, but our MIS folks told us to turn off the AutoPreview in Outlook. This virus can run itself in the preview pane.
Arghh! The one thing I liked about Outlook – autopreview – and I cannot use it anymore!
Keith, this makes my BS detector go off, too. Is there any evidence, other than what Keith’s IT people say, that Outlook’s AutoPreview can execute attachments? This would be an unbelievably large security hole, even for a Microsoft product.
BTW, I use Outlook at work, and I’m still looking for something kind to say about it.
Well, McAfee says:
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Note the part about propagating “on access without users knowledge.” That seems to imply that it works on preview; since it is a sound file spoof, I guess I can believe that.
I caught Nimda today, coinkydinkally I noticed it right after viewing this thread. Here’s a rundown of the hurdles I had ta go through to clean up. For primer info, I’ve got 2 computers networked together, each with their own cable modem connection; both are running Win98 SE.
First noticed an oddity on the desktops on both PCs. Two new files popped up spontaneously - extension .eml (saved EMail message). Their filenames were copied from gif image files in My Documents. Luckily I had just read the links that micco had posted, so I knew not to double-click the files to open them (supermegathanks micco!)
I hit Norton’s antivirus page for the cure, but apparently it was still being worked on at their apothecary.
Here’s the damage done by the virus for me:
Thousands of .eml and .nws (EMail and News files for Outlook) files were created, one or more in each folder on both computers.
Files named mep*.tmp.exe were put into c:\windows\temp.
File c:\windows\system.ini was changed. The line "shell = explorer.exe" was changed to "shell = explorer.exe load.exe -dontrunold".
File c:\windows\system\load.exe was created.
File readme.exe created somewhere in the Temporary Internet Files folder.
File c:\windows\wininit.ini hacked to execute the mep*.tmp.exe files on next startup.
Files riched20.dll created in several folders.
Drive sharing permissions on all drives set to Full access.
I didn’t get the file admin.dll though - I’m guessing that it only nails webservers with that one.
I disconnected both cable modems and severed the network connection between the 2 computers. Then I dropped to DOS, unhacked system.ini; then deleted wininit.ini, load.exe, all mep*.tmp.exe files, and rebooted into Windows safe mode.
Searched for all .eml, .nws, riched20.dll, and readme.exe files, and deleted them. Changed drive sharing specs back to password protection & rebooted each computer.
Reconnected computers to their cable modems, but left the network connection off. By then, the new virus definitions were available. Scanning each comp for viruses came up with over 4000 more .eml and .nws files. Totally boggled me how the virus could restart itself after I cut its roots, but then I noticed that I missed a few of the .eml files. The search routine skipped c:\windows\start menu\startup\*.eml, as well as Network Neighborhood
Repeated steps 4, 5, and 6 (including re-checking virus definitions). Downloaded Microsoft’s spackle for the security hole, and so far as I can tell I’m clean now.
http://www.microsoft.com/downloads/ has patches for IE, which will (or should, anyway) also fix the breach in Outlook Express. On my computer I installed IE 6.0; my wife just wanted IE 5.5’s spacklepack. I think it’s listed as Internet Explorer 5.5 Service Pack 2.
Altogether about 8 hours wasted, between searching for virus info, deleting & re-deleting files that wouldn’t stop reappearing, 3 full system scans at highest security, and many reboots. If I ever bump into the guy that made this, I’m gonna get Mord’Sith on 'em :mad:
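The clean-up post above (and the admin.dll check earlier in the thread) amounts to a list of indicators; here is an added Python example, not from the thread, that turns that list into a repeatable scan of a drive root. The assumed legitimate homes for riched20.dll and admin.dll (the Windows system folder and FrontPage's _vti_adm folder, as the thread itself notes), the mep*.tmp.exe name pattern and the constructed sample tree are all assumptions drawn from the posts, not facts the thread states outright.

```python
import tempfile
from pathlib import Path

# Names the post reports Nimda dropping (admin.dll comes from the IIS side, per the thread);
# EXPECTED_DIR gives the assumed legitimate home of two of them, so a copy elsewhere is flagged.
DROPPED_NAMES = {"load.exe", "readme.exe", "riched20.dll", "admin.dll"}
EXPECTED_DIR = {"riched20.dll": "windows/system", "admin.dll": "_vti_bin/_vti_adm"}
MAIL_SUFFIXES = {".eml", ".nws"}

def shell_line_tampered(system_ini_text):
    # True if the shell= line of system.ini loads anything besides explorer.exe.
    for line in system_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            return value.split() != ["explorer.exe"]
    return False

def scan_for_nimda_indicators(root):
    # Walk a drive root and collect the indicators the post lists.
    root = Path(root)
    found = {"shell_tampered": False, "mail_files": 0, "mep_tmp": [], "dropped": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        name = path.name.lower()
        rel = path.relative_to(root).as_posix().lower()
        if rel == "windows/system.ini":
            found["shell_tampered"] = shell_line_tampered(path.read_text(errors="replace"))
        elif path.suffix.lower() in MAIL_SUFFIXES:
            found["mail_files"] += 1
        elif name.startswith("mep") and name.endswith(".tmp.exe"):
            found["mep_tmp"].append(rel)
        elif name in DROPPED_NAMES and EXPECTED_DIR.get(name, "\0") not in rel:
            found["dropped"].append(rel)  # "\0" never matches: name has no known home
    return found

def build_sample_tree():
    # Constructed fake Win98 tree reproducing the damage described above.
    root = Path(tempfile.mkdtemp())
    files = {
        "windows/system.ini": "[boot]\nshell=explorer.exe load.exe -dontrunold\n",
        "windows/system/load.exe": "x",                 # dropped
        "windows/system/riched20.dll": "x",             # legitimate, not flagged
        "my documents/riched20.dll": "x",               # dropped copy
        "windows/temp/mep1234.tmp.exe": "x",
        "my documents/photo.eml": "x",
        "webshare/wwwroot/_vti_bin/_vti_adm/admin.dll": "x",  # FrontPage's own
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Run scan_for_nimda_indicators() against build_sample_tree() to see the expected hits; the search-skipped folders the post mentions (Start Menu\StartUp, network shares) are only covered if they lie under the root you pass in.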
Huh.
I just checked to see if someone had responded to my post in this thread, and notice my post from ten minutes ago didn’t take.
Somewhere out there, I have a post floating around.
I try it again-
I too like the AutoPreview function in Outlook. After reading about future virus’s ability to run in the preview pane, I went in to disable it.
Now I know this thing is somewhere in Outlook, but for the life of me, I can’t find it.
Where are you disabling AutoPreview?
Thanks.
On the contrary, this seems pretty obvious to me. I don’t use Outlook (because of the myriad holes, cracks, blunders, and failings) so I’m not familiar with this specific functionality. However, it makes sense to me that if you “preview” something, the computer has to do pretty much the same thing you do when you open the file; it’s just displaying it differently, kind of like a thumbnail. Perhaps these documents actually save a separate preview image, much like some image formats save a thumbnail. However, this seems unlikely in general and I suspect that Outlook is simply opening the file and displaying it in a preview window instead of in the native app.
To disable AutoPreview for a particular folder, highlight it, then click View, AutoPreview. I don’t think this does every folder, and I’m not sure how to do that, but I think your Inbox folder is the most important one to do.
The McAfee site about this worm says “simply visiting a web site that is compromised can infect your computer.” I guess this is if you’re using IE. Talk about a security hole!
micco wrote:
But that’s not what AutoPreview does. It simply displays the first few lines of the text part of the message, just below the subject line, in the message list pane. It does this only for unread messages. It’s not a bad feature, but I don’t use it because the previews take up too much screen real estate. It’s not supposed to open any attachments.
For quite a while, I’ve been telling people that you can’t get infected with a worm or a virus just by reading the text part of a message, without deliberately opening an attachment. I’ll have to modify my spiel with the disclaimer “unless you’re using a Microsoft product.”
Hmmm… I don’t see it, Curt.
When I right-click Inbox, I get ‘open’ ‘find’ and ‘properties’, but I don’t get ‘view’. As a matter of fact, I don’t see where, anywhere, that it’s an option.
And for the record, it’s version 5.5.
I know I had to enable this once, but that was a while ago. Since then, I’ve updated and patched the thing as warnings came out from MS.
I think it’s previewing, because pictures will auto-load, but .exe’s don’t. For .exe’s and attachments, I normally have to go in and physically tell Outlook to run it (I never do, but it’s the option).
Am I on the same page as everyone else on the preview thing? Or am I thinking of something else?
Thanks for the correction. I incorrectly assumed it was previewing attachments, not message body. As you note, this is still a vulnerability since Outlook will process whatever malicious script the sender has embedded in the HTML body, but you get that if you open the message anyway.
Will Outlook let you turn off HTML/script in the body and just view plain text? Eudora won’t, which is one of my peeves with my client-of-choice. Eudora will let you strip HTML from outgoing mail (so you don’t end up sending markup in replies and forwards), but it won’t let you strip it from incoming which is where the real vulnerability lies.
Cnote:
It is in the main menu bar: File, Edit, View…
If you are using 2000 you may need to hold over the double arrow at the bottom to make all the not-recently-used menu items show up. There is also no indication whether preview is on or off, you just select the menu item and it toggles. (I think something like the Amiga’s checkmarks would be good here.)
I’ve got 3 “admin.dll”'s and they have Modified Dates of 11/12/96 and 5-30-01. Two of them are in C:\WEBSHARE\WWWROOT\_vti_bin\_vti_adm. The other is in the Microsoft FrontPage folder.
Aren’t they supposed to be there?
I’m sorry Keith, I know you’re trying to help, but I don’t have that as an option.
I’ve highlighted Outlook Express, Local Folders, and Inbox, but none give me the options you’re describing. Even right-clicking doesn’t bring up any of those options.
Honestly, I’m looking everywhere, but I can’t find any reference to AutoPreview, or something similar.
I appreciate the reply, however.
“If I ever bump into the guy that made this, I’m gonna get Mord’Sith on 'em.” (Xixox)
Man, I love the reference to Mord’Sith… I can think of a bunch of people that need this treatment.
As to the question of the preview pane starting a virus on its course… I find it hard to believe, as the preview will not actually execute a file… but I could be wrong… has happened before.
CnoteChris, you’re apparently using Outlook Express, which is completely different from Outlook. It’s unfortunate that MS chose such similar names, because the products are so different. Outlook Express comes with Internet Explorer, but Outlook is sold by MS for real money.
Cnote,
In my Outlook, I bring down the “View” pulldown, and there’s a button for AutoPreview. I know you said you don’t have that option, but I thought maybe you were mixing the earlier suggestion of right-clicking on individual folders up with this solution. Sorry if this was not the case.
-j