Micro$oft has been so kind as to let us know how to do an IIS lockdown for the first time in the history of the software. I STRONGLY RECOMMEND THAT YOU DOWNLOAD ALL OF THE SOFTWARE ON THIS PAGE, AS IS APPROPRIATE FOR YOUR SYSTEM.
CRITICAL READING:
Central Command
Symantec
McAfee
Sophos
They have info on removing the virus and more specific info on what the virus actually is.
Here's my news post regarding Nimda from September 18:
Oh, yes, I'm having lots of fun. We (the ISP where I work) were hit today by a new virus named Nimda.
It's a nasty little bugger. It hacks into IIS and uploads a propagation program. Isn't that nice? It propagated across several million computers and servers in one day.
Check your C: drive for a share setting. Open My Computer, right-click C: and click "Sharing...". MAKE SURE ALL SHARES AND WEB SHARES ARE OFF. Do the same for every other local drive.
Open the C:, D:, and E: drives (if you have them) and look for admin.dll in the root of each. If it's there, you're infected. A quick stopgap to keep IIS from propagating it (or to keep a clean server from fetching it, since the worm pulls admin.dll over TFTP) is to open %systemroot%\system32\drivers\etc\services and change the following line:
tftp 69/udp
to:
tftp 0/udp
This only helps if the tftp client actually looks its port up in that file, so treat it as a stopgap; the patches and the IIS lockdown above are the real fix.
Install all of the service packs and updates for your OS. Get a good anti-virus program installed and update to the latest definitions, or check the anti-virus sites for hotfixes. Here are the big 3:
Sophos
McAfee
Symantec
There should be links to the latest info on the virus on the front pages.
To work around the MIME-handling vulnerability in Outlook Express and Internet Explorer (the one the worm's .eml attachment exploits), create a file named eml.reg or similar and put the following text in it:
REGEDIT4

[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="text/plain"
Merge the reg file (double-click it) and IE 5.0/5.5 and Outlook Express won't be affected by the malicious .eml file that the worm attaches to the end of web pages. NOTE: this may affect Outlook Express, which uses .eml for saved messages (the original "Content Type" value is "message/rfc822" if you need to put it back). It is a workaround, not a fix; the MS01-020 patch for the MIME vulnerability is what you actually want. Use at your own risk.
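As an added example (not code from the original post), here is a small Python script that automates two of the checks above: scanning each drive root for the worm's admin.dll, and rewriting the tftp entry in the services file to port 0 without disturbing anything else in it. The share and registry checks are left to the Windows tools described above. The sample services text and the temporary "drive roots" built in demo() are constructed for the example.

```python
"""Nimda triage helpers (added example, not code from the original post).

Automates two of the checks from the post: look for the worm's admin.dll in
each drive root, and rewrite 'tftp 69/udp' to 'tftp 0/udp' in
%SystemRoot%\\system32\\drivers\\etc\\services. The sample services text and
the fake drive roots in demo() are constructed for illustration.
"""
import os
import re
import tempfile

# The IIS propagation payload is fetched over tftp and dropped as admin.dll in
# the root of each local drive, so its presence there is the infection marker.
DROPPER_NAME = "admin.dll"

# One services-file entry for tftp over UDP: name, port, then the rest of the
# line (aliases, comment, trailing CR). Anchored at line start, so a
# commented-out entry ("# tftp 69/udp") is left alone.
_TFTP_LINE = re.compile(r"^(tftp[ \t]+)(\d+)(/udp\b.*)$",
                        re.IGNORECASE | re.MULTILINE)


def find_dropper(roots):
    """Return the roots (e.g. 'C:\\\\', 'D:\\\\') whose top level holds admin.dll.

    Compared case-insensitively: NTFS is case-insensitive and the worm names
    the file 'Admin.dll'. Missing or unreadable roots are skipped.
    """
    hits = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue
        if any(n.lower() == DROPPER_NAME for n in names):
            hits.append(root)
    return hits


def harden_services(text):
    """Return (new_text, changed) with the tftp/udp port set to 0.

    Only the port number changes; whitespace, aliases, comments and CRLF line
    endings are preserved, and a line already on port 0 is left as is, so the
    function is safe to run repeatedly.
    """
    changed = False

    def fix(match):
        nonlocal changed
        if match.group(2) == "0":
            return match.group(0)
        changed = True
        return f"{match.group(1)}0{match.group(3)}"

    return _TFTP_LINE.sub(fix, text), changed


# Constructed excerpt in the layout of the NT services file (CRLF endings).
SAMPLE_SERVICES = (
    "# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]\r\n"
    "ftp                21/tcp\r\n"
    "tftp               69/udp\r\n"
    "snmp              161/udp\r\n"
)


def demo():
    """Run both checks against constructed input and return the findings.

    Builds a temporary directory with two fake drive roots, 'C' (infected,
    holds Admin.dll) and 'D' (clean), and runs harden_services on
    SAMPLE_SERVICES. Returns (infected_root_names, services_changed, new_text).
    """
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, d) for d in ("C", "D")]
        for r in roots:
            os.mkdir(r)
        with open(os.path.join(roots[0], "Admin.dll"), "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not the real worm binary
        infected = [os.path.basename(r) for r in find_dropper(roots)]
    new_text, changed = harden_services(SAMPLE_SERVICES)
    return infected, changed, new_text


if __name__ == "__main__":
    infected, changed, new_text = demo()
    print("infected roots:", infected)
    print("services changed:", changed)
    print(new_text)
```

On a real server you would call find_dropper on the actual drive roots (C:\, D:\, E:\) and feed harden_services the contents of the real services file, writing the result back only when it reports a change; the regex deliberately matches only an uncommented tftp/udp entry so the rest of the file is untouched.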