
Cleaning Nimda and identifying .eml file

The Nimda virus has infected my network. Norton Antivirus states that it is only placing the file in quarantine and not cleaning the virus. I also get numerous files with the same name and the suffix .eml on all of my servers. Is there any way I can trace where the virus is coming from? How do I get rid of it completely?

I feel your pain. Here are a few points first before I answer:

  • Antivirus should be running on all desktops and servers with logging.
  • Both desktop and server installs should be locked to only your specifications.
  • These installs should report all viruses to the main console or site.
  • Company policy should dictate no use of removable media from outside the company without first scanning them.
  • Viruses should be deleted!!! Yes, delete them as to NOT spread them.
  • If these procedures were in place, you would know when and if a virus hit your network. The logging/alerts would be sent to you, then you would know where they are arriving into your network.

Okay, now let's see if I can answer you:

  • Change the Norton configuration to "delete" all viruses and clean. Change every desktop and server in the company, no matter the length of time to accomplish this. I know one company that did all 10,000 desktops and servers in a weekend simply because they did not have remote management. It was that important due to loss of hours and data.

  • Check the patch levels of all Microsoft Devices (OS, IIS, SQL, Exchange). Microsoft reports that if all your systems are patched, Nimda should die quickly.

  • Your .eml problem may be an Aliases problem related to the following: Klaz (F-Secure), TROJ_KLEZ.C (Trend), W32.Klez.D@mm (NAV), W32/Klez (Panda), W32/Klez.a@MM, W32/Klez.b@MM, W32/Klez.eml, W32/Klez@MM, Win32.Klez.D@mm (AVX)

  • Check www.mcafee.com for references to each of these. Here are specific instructions from McAfee:

    Removing the .eml threat requires patching vulnerable systems, disabling network shares, and using the latest DAT files. It cannot be removed manually.

    Infected systems must:
    - Apply the patches
    - Close any network shares prior to cleaning
    - Exit any running applications
    - Stop a running IIS server
    - Scan and clean each drive
    - Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner.

  • You may need to accomplish further work on the .eml issue. It may or may not be Nimda related. Since I do not have first-hand access to your systems and have not seen the logs or reports, I can only assume facts.

    Good luck!!

This was last published in March 2002
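The answer's point that logging and alerts would show when and where the files arrived can be approximated after the fact from the file timestamps on each server. The Python script below is an added example, not part of the original answer or of any vendor's tooling. It builds a constructed directory tree that stands in for the shares of three servers (the host names, paths and the readme.eml file name are all made up for the fixture), finds every .eml file under the tree, and reports which server saw the first drop and how many copies each one holds. Pointed at real mounted shares instead of the fixture, the host at the top of the report is where log review should start.

```python
"""Triage helper: find the earliest dropped .eml files across several servers.

Constructed example. build_sample_tree() creates a throwaway directory tree
(one top-level directory per 'server') with back-dated .eml files so the
ordering logic can be exercised offline; in real use you would point
triage() at a directory where each server's shares are mounted.
"""
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime, timezone


def find_eml_files(root):
    """Walk `root` and return [(path, mtime)] for every file ending in .eml."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".eml"):
                full = os.path.join(dirpath, name)
                hits.append((full, os.path.getmtime(full)))
    return hits


def earliest_by_host(hits, root):
    """Group hits by their first path component under `root` (one directory
    per host) and return [(host, earliest_mtime, count)] sorted oldest first.
    The first entry is the host where the files appeared earliest."""
    first = {}
    counts = defaultdict(int)
    for path, mtime in hits:
        host = os.path.relpath(path, root).split(os.sep)[0]
        counts[host] += 1
        if host not in first or mtime < first[host]:
            first[host] = mtime
    return sorted(((h, first[h], counts[h]) for h in first), key=lambda t: t[1])


def build_sample_tree():
    """Constructed fixture: three 'servers' with back-dated drops; returns root.
    srv-b receives the earliest copy, so it should top the report."""
    root = tempfile.mkdtemp(prefix="eml-triage-")
    base = time.time() - 86400 * 3  # three days ago
    # (host, relative file, seconds after base); names and paths are made up
    drops = [
        ("srv-a", "inetpub/wwwroot/readme.eml", 3600 * 5),
        ("srv-a", "shared/docs/readme.eml", 3600 * 6),
        ("srv-b", "shared/readme.eml", 0),
        ("srv-b", "shared/public/readme.eml", 3600 * 2),
        ("srv-c", "users/readme.eml", 3600 * 9),
        ("srv-c", "users/notes.txt", 3600 * 1),  # not .eml, must be ignored
    ]
    for host, rel, offset in drops:
        path = os.path.join(root, host, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder content for the fixture, not a real file\n")
        os.utime(path, (base + offset, base + offset))  # back-date the file
    return root


def triage(root):
    """Return the ordered host report [(host, earliest_mtime, count)] for `root`."""
    return earliest_by_host(find_eml_files(root), root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for host, ts, n in triage(sample_root):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        print(f"{host:8} first .eml at {when}  ({n} files)")
```

File timestamps are only a hint: server clocks drift and a scanner that quarantines and re-creates files can reset them, so cross-check the ordering against the antivirus console and web server logs on the host that comes out on top before treating it as the entry point.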
