[THIN] Re: W32/Nachi.worm

  • From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 20:00:46 +1000

Hi,

Just had a horror session with a customer with NT 4.0 TSE and the
ms03-026 patch.

I've decided I'd rather risk the servers getting infected than have them
totally sick.

We still haven't patched all the desktops, but between "pslist" to find the
worm, "pskill" to kill any instances running and "psloggedon" to find out
who's infected, the whole thing was kept well under control. Full marks to
ww.sysinternals.com !

Until we patched the servers that is.

Tested the patch on a development box, but things held together fine until
the servers got a full user load. Then things got ugly. I know better than
to rush out patches in a hurry, but this was a special case. Boy was it
ever.

Ended up having to remotely back out of the patch [cause couldn't log on]
using file rename/copy, setting all Citrix related services to manual,
rebooting, doing an Rmlocaldatabase repair followed by lhcbak. Then turning
everything back on worked.

Nothing like a late night and early morning to make you really appreciate
things. Disabled tftp client and locked the run key though.

I'd guess that Microsoft's excuse is that they probably didn't test the
patch with third party software like Metaframe. Sigh.....

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704



-----Original Message-----
From: Stage, Paul [mailto:p.stage@xxxxxxx] 
Sent: Wednesday, 20 August 2003 4:32 AM
To: thin@xxxxxxxxxxxxx (E-mail)
Subject: [THIN] W32/Nachi.worm


We are really getting hit hard by this.  We are running into instances of
our servers (Compaq, Win2k SP2) getting stuck in a reboot cycle after trying
to do the fix.  We are following the instructions below per the article at
Network Associates Inc. <http://vil.nai.com/vil/content/v_100559.htm>   When
you reboot the server, it gets to when it's about to bring up the login
screen and then it restarts.  We have tried last known good config, stopping
services via recovery console, and trying the repair option with the Win2k
CD.  Does anyone have any suggestions on how to resolve this?  This is
affecting our SQL server as well as our print server.  Any help would be
greatly appreciated.  Oh yeah, and these are only the first few servers
we've patched.  We have about 20 or so more to go. :-(  And we also ran
Stinger (McAfee's auto removal Utility.)

1.  Apply the MS03-026 patch
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>
2.  Terminate the following services:
    a.  WINS Client
    b.  Network Connections Sharing
3.  Delete the DLLHOST.EXE and SVCHOST.EXE files from the WINS directory
    within your WINDOWS SYSTEM32 directory. For example,
    c:\winnt\system32\wins\svchost.exe.

    Note: a legitimate system file exists with the filename DLLHOST.EXE, which
    must not be deleted.
4.  Edit the registry to:
    -   Delete the "RpcPatch" key from
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    -   Delete the "RpcTftpd" key from
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Thanks,

Paul T. Stage, MCP, A+
Information Services
La Porte Hospital
Tel. (219) 326-1234 x7126
Fax (219) 325-6416
mailto:p.stage@xxxxxxx <mailto:p.stage@xxxxxxx> 
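An added, read-only check that is not part of either post above: it looks for the indicators the quoted removal steps name (the two dropped files in the wins directory, the two service keys, and anything running from that directory) and reports rather than deletes. It is written in modern PowerShell as an assumption about today's hosts; nothing like it ran on the NT4/Win2k boxes in the thread.

```powershell
# Added example, not from the thread. Read-only: reports W32/Nachi indicators,
# deletes nothing. Assumes it runs as an administrator on the host being checked.

$system32 = Join-Path $env:SystemRoot 'System32'
$winsDir  = Join-Path $system32 'wins'
$findings = @()

# 1. Files the removal steps say to delete. The legitimate svchost.exe and
#    dllhost.exe live in System32 itself, so copies in the wins folder are suspect.
foreach ($name in 'svchost.exe', 'dllhost.exe') {
    $path = Join-Path $winsDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Service keys the removal steps say to delete.
foreach ($svc in 'RpcPatch', 'RpcTftpd') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $key (ImagePath: $image)"
    }
}

# 3. Running processes whose image sits in the wins directory (the equivalent
#    of the pslist check Rick describes, scoped to that one folder).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try { $p = $proc.Path } catch { $p = $null }   # protected processes deny access
    if ($p -and $p.StartsWith($winsDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Running from wins dir: $($proc.Name) (PID $($proc.Id)) $p"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Nachi indicators found.'
} else {
    Write-Output 'Possible W32/Nachi indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```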
