Hi,

Just had a horror session with a customer with NT 4.0 TSE and the ms03-026 patch. I've decided I'd rather risk the servers getting infected than have them totally sick.

We still haven't patched all the desktops, but between "pslist" to find the worm, "pskill" to kill any instances running and "psloggedon" to find out who's infected, the whole thing was kept well under control. Full marks to ww.sysinternals.com !

Until we patched the servers that is. Tested the patch on a development box, but things held together fine until the servers got a full user load. Then things got ugly. I know better than to rush out patches in a hurry, but this was a special case. Boy was it ever.

Ended up having to remotely back out of the patch [cause couldn't log on] using file rename/copy, setting all Citrix related services to manual, rebooting, doing an Rmlocaldatabase repair followed by lhcbak. Then turning everything back on worked. Nothing like a late night and early morning to make you really appreciate things. Disabled tftp client and locked the run key though.

I'd guess that Microsoft's excuse is that they probably didn't test the patch with third party software like Metaframe.

Sigh.....

Regards,
Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: Stage, Paul [mailto:p.stage@xxxxxxx]
Sent: Wednesday, 20 August 2003 4:32 AM
To: thin@xxxxxxxxxxxxx (E-mail)
Subject: [THIN] W32/Nachi.worm

We are really getting hit hard by this. We are running into instances of our servers (Compaq, Win2k SP2) getting stuck in a reboot cycle after trying to do the fix. We are following the instructions below per the article at Network Associates Inc. <http://vil.nai.com/vil/content/v_100559.htm>

When you reboot the server, it gets to when it's about to bring up the login screen and then it restarts.
We have tried last known good config, stopping services via recovery console, and trying the repair option with the Win2k CD. Does anyone have any suggestions on how to resolve this? This is affecting our SQL server as well as our print server. Any help would be greatly appreciated.

Oh yeah, and these are only the first few servers we've patched. We have about 20 or so more to go. :-(

And we also ran Stinger (McAfee's auto removal Utility.)

1. Apply the MS03-026 patch
   <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>
2. Terminate the following services:
   1. WINS Client
   2. Network Connections Sharing
3. Delete the DLLHOST.EXE and SVCHOST.EXE files from the WINS directory within your WINDOWS SYSTEM32 directory. For example, c:\winnt\system32\wins\svchost.exe.
   Note: a legitimate system file exists with the filename DLLHOST.EXE, which must not be deleted.
4. Edit the registry to:
   o Delete the "RpcPatch" key from
     * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
   o Delete the "RpcTftpd" key from
     * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Thanks,

Paul T. Stage, MCP, A+
Information Services
La Porte Hospital
Tel. (219) 326-1234 x7126
Fax (219) 325-6416
mailto:p.stage@xxxxxxx
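An added example, not part of either message or of the Network Associates instructions: a read-only Python check for the artifacts named in the removal steps quoted above, which looks only inside system32\wins so the legitimate DLLHOST.EXE is never touched. The function names, and the idea of passing in the Services subkey names collected separately, are assumptions of this example.

```python
import os

# Indicators taken from the removal steps quoted in the thread above.
WORM_FILES = {"dllhost.exe", "svchost.exe"}   # suspicious only inside system32\wins
WORM_SERVICES = {"rpcpatch": "RpcPatch", "rpctftpd": "RpcTftpd"}


def _child(parent, name):
    """Find a directory entry case-insensitively (Windows names are case-preserving)."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass  # unreadable or missing directory: treat as "not found"
    return None


def audit_nachi(system_root, service_keys):
    """Return a sorted list of findings; nothing is deleted or modified.

    system_root  -- the Windows directory (e.g. c:\\winnt, or a mounted copy of
                    the system volume from a server that will not boot)
    service_keys -- names of the subkeys under
                    HKLM\\SYSTEM\\CurrentControlSet\\Services, gathered by the
                    caller (hypothetical input for this example)
    """
    findings = set()
    system32 = _child(system_root, "system32")
    wins_dir = _child(system32, "wins") if system32 else None
    if wins_dir:
        for entry in os.listdir(wins_dir):
            path = os.path.join(wins_dir, entry)
            # The same file names directly in system32 are never examined here.
            if entry.lower() in WORM_FILES and os.path.isfile(path):
                findings.add("file: system32\\wins\\" + entry.lower())
    for key in service_keys:
        canonical = WORM_SERVICES.get(key.lower())
        if canonical:
            findings.add("service key: " + canonical)
    return sorted(findings)
```

An empty list means none of the listed artifacts were found; it does not show that the MS03-026 patch is installed.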