Date: Tue, 25 Sep 2001 09:05:35 -0700
Reply-To: Todd Francis <tbf@PACIFIER.COM>
Sender: Vanagon Mailing List <vanagon@gerry.vanagon.com>
From: Todd Francis <tbf@PACIFIER.COM>
Subject: Re: VIRUS ADVICE!!!
Content-Type: text/plain; charset="iso-8859-1"
>I follow this advice and have had no viruses on my PC yet in over 5 years:
>DO NOT EXECUTE ANY ATTACHMENTS FROM ANY SOURCE. Attachments ending in EXE
>are especially dangerous. Any other attachments, such as documents or
>spreadsheets can contain dangerous macros, so I always verify with the
>person who sent the attachment over the phone or via another email message.
>
>When you get an email message with a questionable attachment, do not panic,
>do not execute it, do not click on the attachments. Just DELETE THE
>MESSAGE. No harm done.
>
>I am sure other folks can add to this to help inform and educate all of us.
Of course this is good advice but I understand that some of the new viruses
can be activated by just opening the message. You do not have to open the
attachment!! Following is a message about this that came from our local
school district about the matter. Todd
Summary:
1. Remove all Microsoft IIS or Personal Web Services if you are not
using it. (If you are using it, UPDATE IT WITH THE SECURITY PATCHES!)
2. UPDATE Internet Explorer to IE 5.01 SP2 or better. (Don't install IE
6.0 on any PC's here yet. IE 5.01 SP2 or IE 5.5 are
ok for now.)
3. Don't browse the Internet or check e-mail while logged in as
administrator! This virus/worm will take advantage of your admin rights
to load the virus/worm onto the servers, and to change permissions on
the Guest accounts.
Detail:
The Nimda Internet worm is making its way around the Internet very
quickly. I already know of 3 other school organizations that have been
infected with this virus in County. The problem with this worm is
that it spreads via 4 separate methods, so people who aren't vulnerable
in one area, may contract it because they are vulnerable in another.
According to Symantec, this virus/worm will replace multiple files,
degrade performance, share the C drive over the network, and use your
computer to send out many e-mails of the virus/worm to other potential
victims.
The 4 methods that this worm uses to spread are:
1. It scans the Internet looking for vulnerable Microsoft Internet
Information Services (IIS) servers.
Vulnerable versions are IIS 4 & 5 that have not been patched. IIS is
loaded by default on Windows 2000. It is optional on Windows NT, 98SE,
and ME. So if you have Windows 2000 you need to remove IIS, or patch it!
If you have NT check the version of IIS. If you have 98SE or ME, make
sure that you did not install "Personal Web Services" (PWS). This is a
"lite" version of IIS that is still vulnerable. When in doubt, run
windowsupdate.microsoft.com and get the security patches.
2. It also sends mass e-mail with the attachment, "readme.ex".
If you open that e-mail in Outlook or Outlook Express it will
automatically open the attachment. Make sure that Outlook or Outlook
Express are patched if you use them. Also turn off the auto-preview or
auto-download features. This is the exact reason that we use Netscape
Messenger instead of Outlook!
3. Nimda looks for open network shares.
If you get the virus, it will check to see if you have any access to the
servers, and it will copy the worm to the available folders on the
server. Because of this, you may end up with the virus because of
someone else who was careless. If you see any suspicious virus-like
activity on your computer, let me know IMMEDIATELY!! If we can take care
of this virus when it's small, it will prevent many other users from
getting the virus/worm.
4. The fourth method of infection is a malicious JavaScript program on
infected websites.
You may get a message that pops up and asks you if you want to download
a program called "readme.ex". (I'm leaving the 2nd "e" off so that this
e-mail isn't blocked. :) If you say "Yes" then it will infect your
computer. This is similar to #2 on this list, but it uses the web
instead of e-mail. If you use Internet Explorer as your browser you MUST
upgrade to version 5.01 SP 2 or better. IE 5.5 and 6.0 are patched
against this type of worm. But, if you use IE, patch your browser on a
regular basis! This isn't the first time this year that this has
happened.
Conclusion:
Finally, if you are concerned about your computer, go to Symantec's
website and use their free tools to diagnose your PC. ( www.symantec.com
) Better be safe than sorry. And if you find any infections let me know.
We have Norton AntiVirus on most PC's at the High School, but sometimes
you can't trust it. The PC may have been infected before the update was
applied. And sometimes, the user cancels the virus check, which may
allow the virus past.
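
Added example, not part of the original message or the forwarded notice: a mail-gateway style check in Python for the case in method 2, where a message carries an executable attachment that the mail client may open on its own. The extension list, the reason labels and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Extensions Windows runs directly (assumed list for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Declared types a mail client may render or play as soon as the message is opened.
AUTO_HANDLED = ("audio/", "video/", "image/", "text/")

def flag_attachments(raw: bytes):
    """Return [(filename, declared_type, [reasons])] for parts worth quarantining."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition first, then the Content-Type
        # "name" parameter, so inline parts with no disposition are still covered.
        filename = part.get_filename()
        if not filename:
            continue
        # Windows ignores trailing dots and spaces when it resolves the name.
        ext = os.path.splitext(filename.strip().rstrip(". ").lower())[1]
        if ext not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable-extension"]
        ctype = part.get_content_type()
        if ctype.startswith(AUTO_HANDLED):
            # Named like a program but declared as media or text.
            reasons.append("declared-type-mismatch")
        findings.append((filename, ctype, reasons))
    return findings

# Constructed sample message; the payloads are harmless placeholder bytes.
SAMPLE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--b1\r\nContent-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGFybWxlc3M=\r\n"
    b'--b1\r\nContent-Type: application/pdf; name="minutes.pdf"\r\n'
    b'Content-Disposition: attachment; filename="minutes.pdf"\r\n\r\nx\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, ctype, reasons in flag_attachments(SAMPLE):
        print(f"QUARANTINE {name!r} declared as {ctype}: {', '.join(reasons)}")
```

Run at the mail gateway, a check like this stops the message before any client gets the chance to auto-open the part, which covers machines whose mail client has not been patched yet.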