Cleaning Nimda and identifying .eml file

The Nimda virus has infected my network. Norton Antivirus states that it only is placing the file in quarantine...

and not cleaning the virus. I also get numerous files with the same name and the suffix .eml on all of my servers. Is there any way I can trace where the virus is coming from? How do I get rid of it completely?

I feel your pain. Here are a few points first before I answer:

  • Antivirus should be running on all desktops and servers with logging.
  • Both desktop and server installs should be locked to only your specifications.
  • These installs should report all viruses to the main console or site.
  • Company policy should dictate no use of removalable media from outside the copmany without first scanning them.
  • Viruses should be deleted!!! Yes, delete them as to NOT spread them.
  • If these procedures were in place, you would know when and if a virus hit your network. The logging/alerts would be sent to you, then you would know where they are arriving into your network.

    Okay, now lets see if I can answer you:

  • Change the Norton configuration to "delete" all viruses and clean. Change every desktop and server in the company, no matter the length of time to accomlish this. I know one company that did all 10,000 desktops and servers in a weekend simply becuase they did not have remote management. It was that important due to loss of hours and data.

  • Check the patch levels of all Microsoft Devices (OS, ISS, SQL, Exhcange). Microsoft reports that if all your systems are patched, Nimda should die quickly.

  • Your .eml problem may be an Aliases problem related to the following: Klaz (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.eml, W32/Klez@MM, Win32.Klez.D@mm (AVX)

  • Check www.mcafee.com for references to each of these. Here are specific instructions from McAfee:

    Removing the .eml threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It can not be removed manually.

    Infected systems must:
    - Apply the patches
    - Close any network shares prior to cleaning
    - Exit any running applications
    - Stop a running IIS server
    - Scan and clean each drive
    - Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.

  • You may need to accomplish furhter work on the .eml issue. It may not or may be Nimda related. Since I do not have first hand access to your systems and have not see the logs or reports, I can only assume facts.

    Good luck!!

  • This was last published in March 2002

    Dig Deeper on Malware, Viruses, Trojans and Spyware



    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.



    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: