RE: Nofer.c Virus on exchange

  • From: "Stephen Hartley" <support@xxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 1 Jul 2003 09:21:53 +1000

When you cleaned all machines, were they still physically connected to
the network? Did you shut them down totally (remove power lead) after
cleaning and leave off network until all machines were cleaned? Did you
rescan them before putting them back on the network? 

 

I thought that was overkill until a client got Nimda last year and it
took me 30 hours to clean from two servers & 15 workstations. Then when
all was apparently clean, I tested a backup. Fortunately I was on the
phone chatting in front of the server watching the backup (yeah I know -
more productive watching paint dry!) but I saw a bunch of disk activity
when files that had been archived were backed up. Stopped backup &
scanned & there was Nimda again! Took 90 secs to reinfect all machines
on the network. Another 26 hour cleanup, using a different tool and
removal of the entire offending folder!

 

Lesson that I learnt - don't trust any antivirus product that does not
strip suspect files from e-mails. Have been using eScan since, without a
single infection. www.mwti.com <http://www.mwti.com/>. Also they have
a good cleaning tool here:
ftp://ftp.microworldsystems.com/download/tools/mwav.exe

 

Stephen Hartley

 

-----Original Message-----
From: Syed Muqeemuddin [mailto:smuqeem@xxxxxxxxxxx] 
Sent: Tuesday, July 01, 2003 2:17 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Nofer.c Virus on exchange

 

http://www.MSExchange.org/

Yeah, that's right. All machines cleaned, every single workstation
scanned and cleaned .. all registries removed.

But still the same behaviour... all mails stop for a while... and then
suddenly everything comes back.

 

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, June 30, 2003 6:19 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Nofer.c Virus on exchange

 

I take it you mean that the virus was removed and all the registry
entries mentioned, were removed, on every mail enabled workstation in
your organization.

 

Steve

 

  _____  

From: Syed Muqeemuddin
Sent: Mon 6/30/2003 3:40 PM
To: [ExchangeList]
Subject: [exchangelist] Nofer.c Virus on exchange

Hi All,
We have been struck by the Nofer.c virus, it gets detected by Norton, but
nothing happens beyond that.
RAV antivirus detects it and we can delete it.. but after a few hours there
are a lot of mails being replicated again.
My colleague removed the registry entries as mentioned by Trend and RAV and
Sophos .. but still nothing.. it keeps coming back... is there some way I
can get rid of it without having to re-install the server.
 
Regards
 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
steve@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')


