Cleaning Nimda and identifying .eml file
The Nimda virus has infected my network. Norton Antivirus states that it is only placing the file in quarantine and not cleaning the virus. I also get numerous files with the same name and the suffix .eml on all of my servers. Is there any way I can trace where the virus is coming from? How do I get rid of it completely?
I feel your pain. Here are a few points first before I answer:
- Antivirus should be running on all desktops and servers with logging.
- Both desktop and server installs should be locked to only your
- These installs should report all viruses to the main console or site.
- Company policy should dictate no use of removable media from outside the company without first scanning them.
- Viruses should be deleted!!! Yes, delete them so as NOT to spread them.
If these procedures were in place, you would know when and if a virus hit your network. The logging/alerts would be sent to you, then you would know where they are arriving into your network.
Okay, now let's see if I can answer you:
Change the Norton configuration to "delete" all viruses and clean. Change every desktop and server in the company, no matter the length of time to accomplish this. I know one company that did all 10,000 desktops and servers in a weekend simply because they did not have remote management. It was that important due to loss of hours and data.
Check the patch levels of all Microsoft devices (OS, IIS, SQL, Exchange). Microsoft reports that if all your systems are patched, Nimda should die quickly.
Your .eml problem may be an Aliases problem related to the following:
Klaz (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.eml, W32/Klez@MM, Win32.Klez.D@mm (AVX)
Check www.mcafee.com for references to each of these.
Here are specific instructions from McAfee:
Removing the .eml threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed
Infected systems must:
- Apply the patches
- Close any network shares prior to cleaning
- Exit any running applications
- Stop a running IIS server
- Scan and clean each drive
- Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.
You may need to accomplish further work on the .eml issue. It may or may not be Nimda related. Since I do not have first-hand access to your systems and have not seen the logs or reports, I can only assume facts.
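The answer's central point is that central antivirus logging tells you where a virus is arriving and which scanners are still only quarantining. The following is an added example, not code from the original column: it reads console log lines in a hypothetical "timestamp host action path" format (the hostnames, paths and timestamps are constructed) and reports the earliest-hit host, the hosts still set to quarantine rather than delete, and the RICHED20.DLL / MMC.EXE detections that the answer says must be restored.

```python
import re

# Constructed sample of antivirus console log lines (hypothetical format:
# "timestamp host action path"); hosts, paths and times are invented.
SAMPLE_LOG = """\
2002-03-04T08:12:05 WEB01 quarantine C:\\Inetpub\\wwwroot\\sample.eml
2002-03-04T08:12:09 WEB01 quarantine C:\\WINNT\\System32\\mmc.exe
2002-03-04T08:40:51 FS02 quarantine D:\\Shares\\Public\\sample.eml
2002-03-04T08:41:10 FS02 delete D:\\Shares\\Public\\sample.eml
2002-03-04T09:03:22 PC117 quarantine C:\\Temp\\sample.eml
2002-03-04T09:05:00 PC117 delete C:\\WINNT\\System32\\riched20.dll
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (quarantine|delete|clean) (.+)$")
# System files the answer names as overwritten by the virus and removed by the scanner.
SYSTEM_FILES = {"riched20.dll", "mmc.exe"}

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, action, path = m.groups()
            entries.append({"ts": ts, "host": host, "action": action, "path": path})
    return entries

def summarize(entries):
    """Per host: earliest detection, detection count and the set of actions taken."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["host"], {"first_seen": e["ts"], "count": 0, "actions": set()})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], e["ts"])  # ISO timestamps sort lexically
        s["actions"].add(e["action"])
    return summary

def likely_entry_host(summary):
    """The host with the earliest detection is the first lead on where the worm arrived."""
    return min(summary, key=lambda h: summary[h]["first_seen"]) if summary else None

def quarantine_only_hosts(summary):
    """Hosts whose scanner only quarantines; the answer says to reconfigure these to delete."""
    return sorted(h for h, s in summary.items() if s["actions"] == {"quarantine"})

def files_to_restore(entries):
    """(host, path) pairs for RICHED20.DLL / MMC.EXE detections that need restoring."""
    return sorted({(e["host"], e["path"]) for e in entries
                   if e["path"].rsplit("\\", 1)[-1].lower() in SYSTEM_FILES})

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    summary = summarize(log)
    print("likely entry host:", likely_entry_host(summary))
    print("still quarantining:", quarantine_only_hosts(summary))
    print("restore:", files_to_restore(log))
```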
This was first published in March 2002