| Hardware / Software Troubleshooting For all of your PC troubleshooting problems |
#1 |
|
Phantastic Piston Power!
|
viruses..
In ZoneAlarm I've been getting a lot of requests from port 80 from intruders.. here is what they are sending me in the HTTP requests:

GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

GET /MSADC/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

I typed in the IP of some of the attempts, just to see what would happen. The page came up as an "under construction" page and it started downloading a file called readme.eml. When I scanned it, it had a W32.Nimda.enc virus. Scary. Just going to a web site and you're infected.
__________________
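An added example, not part of the original thread: a small Python check that flags request lines like the three quoted in the first post when they show up in a web server or firewall log. The function names and the sample lines are constructed for illustration, and the repeated percent-decoding goes beyond the three literal requests so that encoded spellings of the same file names are caught too.

```python
import re
from urllib.parse import unquote

SHELL_NAMES = ("root.exe", "cmd.exe")  # executables the quoted probes ask for
REQUEST_RE = re.compile(r"^(GET|HEAD|POST)\s+(\S+)\s+HTTP/\d\.\d$")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2e or %252e cannot hide a file name."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_line):
    """Return a reason string if the request line looks like a shell probe, else None."""
    match = REQUEST_RE.match(request_line.strip())
    if not match:
        return None
    target = fully_decode(match.group(2)).replace("\\", "/").lower()
    path, _, query = target.partition("?")
    name = path.rsplit("/", 1)[-1]
    if name in SHELL_NAMES:
        if query.startswith(("/c+", "/c ")):
            return f"command execution attempt via {name}"
        return f"request for {name}"
    return None

def scan(lines):
    """Yield (line_number, request_line, reason) for every suspicious request."""
    for number, line in enumerate(lines, start=1):
        reason = classify(line)
        if reason:
            yield number, line.strip(), reason

# Constructed sample input: the three request lines from the post plus other traffic.
SAMPLE = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /downloads/cmd.exe.txt HTTP/1.0",
    "GET /scripts/root%2eexe?/c+dir HTTP/1.0",
]

if __name__ == "__main__":
    for number, line, reason in scan(SAMPLE):
        print(f"line {number}: {reason}: {line}")
```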
#2 |
|
Completely Insane
Join Date: Jun 2001
Location: In a padded cell
Posts: 1,270
|
__________________
Get committed -- GamingAsylum.net |
#3 |
|
Phantastic Piston Power!
|
Granted, I realize it was a stupid idea to go to the web site. But now that I think about it, how can someone avoid going to a web site that is infected? What can I do to prevent IE from downloading this virus again? Always disable Javascript? There's got to be a better alternative..
Anyway, I'm screwed now. I ran Norton AntiVirus with the latest updates..and it found and deleted all of the files. But now I can't boot up into Windows again because some of the system files were infected and deleted. I can't reinstall Windows. When I go to type in my serial number, Windows won't take it. I've tried like 40 times to type it in in Win98 setup. No go. So I deleted the Windows folder. Still no go.. for some reason, Windows setup will NOT take my serial number. I even have a setup script that has always worked before in installing Windows..but even that gets stuck on the Win98 serial # verification screen. I'm totally f*Cked and can't back up my ****.. Eventually I'll be back up again, but not for a while.. and how can I protect myself? I had IE 6 with the latest service packs..and I still got infected...
__________________
#4 |
|
Nooooo, not jarate!
|
Do you have an extra HD? You can back up whatever you want to keep (media..maybe installation files though they might be infected) there, format your system drive, and try a fresh install. It sucks exporting email addresses and accounts and such; but that ought to be the trickiest part (aside from copying the Desktop, Favorites, Documents folders). If you don't have an extra drive....I dunno..partition? I've never messed with those so that's just a stab in the dark. That's about all I can think of...Unless you can find a list of the specific system files that were ruined and then just get those straight from the CD..I'll look around for more info but that's it for now.
#5 |
|
Phantastic Piston Power!
|
Thanks ...
Right now I'm just tryin' to figure out why I can't re-install Windows.. that scares me.. That and I don't know how to protect myself in the future. If you click on a link somewhere and it takes you to one of these sites, you're screwed. I mean isn't anyone else concerned about that? Maybe there's an antidote for surfing on web sites and getting infected..but I haven't seen the patch for that.
__________________
#6 |
|
Nooooo, not jarate!
|
At McAfee they link to a patch that supposedly removes the IE vulnerability to this virus (not the download part, but the execution of the hidden executable in the MIME document).
The McAfee page... http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

Hmm..however, that patch is for IE 5 or 5.5, not applicable to 6. The McAfee page says NT/2k users can't be infected by visiting an infected webpage (like you did). Check out the page; they tell a lot about what it does, but in the end say you need McAfee to remove it..they apparently believe you can't remove it manually.

Yeah I'm worried about the IE vulnerability too..but I have the latest DAT updates so my virusscanner ought to catch it for me. Wish there was some way to protect IE without disabling javascript.

Oh yeah..one final thing, McAfee said this is a medium threat because it's not that prevalent anymore..

Last edited by Freakish; 12-08-2001 at 05:46 PM.
#7 |
|
Phantastic Piston Power!
|
Thanks again Freak.. The site was helpful..but still didn't put my mind at ease about surfing the internet. But I will try out those patches mentioned on the site.
Okay I figured out why my Windows 98 wasn't taking my serial number. The setup files were on the hard drive at the time I got the virus. So, in DOS, I deleted them and copied my Win98 CD over...replacing the setup files that were already there. Then when I ran setup, it took my serial number! Damn, the virus must have infected my .CAB files or setup.exe. How messed up is that?
__________________
#8 |
|
Phantastic Piston Power!
|
BTW: does this virus just infect IE while browsing infected sites? I was wondering if Netscape would be a better choice of browsers...
__________________
#9 |
|
Aiming at Creeper
|
Phan--
Sorry for your troubles. My LIMITED experience reminds me that you have to initiate some sort of action to activate a script or download to infect a file. M$ product continues to leave holes for clever hackers:
EDIT: Links that were here were broken
good luck--
Last edited by HortonsWho; 12-09-2001 at 08:43 AM.
#10 |
|
VP of Mergers/Acquisition
Join Date: Jun 2001
Location: San Diego, CA
Posts: 2,195
Downloads: 3
|
IE 5.5 SP2 and later is not susceptible to the Nimda worm.
__________________
Are you committed? - The Gaming Asylum |
#11 |
|
Shock n00b
|
I have the answer Phan!
Get Stealth and Masterba(cough)Mikey to get a pr0n section.. that way we'd never need to go to 'other' websites anyway! One stop shopping anyone?
__________________
Frag hard, laugh harder. |
#12 |
|
Goddess of Chainsaws
|
I don't think so Creeps..
Cause then the chubby lil monk would be walkin around with a circus tent for a robe.. hehe.. A little one but still.. Whoops, promised not to tell.. Where's my eraser..
__________________
I want to slice you and dice you, so yo Momma don't recognice you.. Love is a Chainsaw... |
#13 |
|
Phantastic Piston Power!
|
Horton.. those links didn't work....? And all I did was go to a web site..a window appeared, disappeared, and boom.. I had a virus in my windows/temp folder. I did a virus scan and found more files to be infected..including some Windows system files, apparently.
Mikey.. I had IE 6 with all of the updates I could find... and I still got screwed. I don't even use Outlook. It seems like maybe W32.Nimda.enc is a new variant of the virus?
__________________
#14 |
|
Aiming at Creeper
|
Sorry about those links-- they were working but now won't go through. At m$.com under support, IE 6, search "virus" and there is some info about browser susceptibility and a couple of patches. This does not address Nimda.
Info from Symantec. Any help? http://securityresponse.symantec.com...imda.e@mm.html
Last edited by HortonsWho; 12-09-2001 at 08:49 AM.
#15 |
|
Phantastic Piston Power!
|
Horton : Roger that. That gives me a little more info.
I also went to microsoft.com as you suggested. It's really strange, because as MM said earlier, Microsoft says IE 5.5 w/ SP2 and later should not be affected by this virus.. ..but I was. (I have IE6) Well, I have bought and put Norton Antivirus 2000 on. I was using some older version but using the virus definition updates. I've scanned everything from top to bottom. I appear to be virus-free.. Still need to put everything back on like UT. What a mess. If anything.. maybe someone will read this thread and learn from it. Hope everyone who reads this will be more aware of this virus.
__________________