Security Incidents mailing list archives

Nimda and samba, chap II (20010531?)


From: Chip Mefford <cmefford () avwashington com>
Date: Wed, 19 Sep 2001 00:21:02 -0400

Well, it's been a few hours now
that I have been messing with it.
It isn't all that easy to clean up; even
with the new definition tables, the F-Prot
Linux scanner will report clean with
clearly infected .eml(s) lying everywhere.
Norton isn't much better running over
a mounted drive from a Win2K box.

RAV antivirus is about the only
scanner I've found thus far that
has the horsepower to clean this
thing up.

If you had an infected host connected
to your samba server, you have
infected files in every directory
writable by the user on that host.
These files are probably .dll(s) and
.eml(s), but I have seen other
extensions like .wml.

Also, the file names seem to be
datasource*.eml, but they may also
be 20010531.eml (it's that old!)
or they may be random strings of
integers with a .eml or .wml
extension.

And they will be EVERYWHERE possible.

This thing isn't fun.
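A triage helper written for this archive page, not the poster's own script: it walks a mounted share and lists only files whose names fit the three naming patterns the post describes (datasource*.eml, 20010531.eml, or an all-digit name with a .eml or .wml extension), reporting rather than deleting so hits can be reviewed before cleanup. The directory tree in the demo is constructed; point the function at the real mount point instead.

```shell
#!/bin/sh
# List files under a share whose names match the Nimda droppings described
# in the post.  Reports only; nothing is modified or removed.

nimda_candidates() {
    # $1: root of the mounted share (or any directory tree) to inspect
    find "$1" -type f \( -iname '*.eml' -o -iname '*.wml' \) 2>/dev/null |
    while IFS= read -r path; do
        # compare on the lowercased basename; Windows clients ignore case
        name=$(basename "$path" | tr 'A-Z' 'a-z')
        stem=${name%.*}
        case "$name" in
            datasource*.eml | 20010531.eml)
                printf '%s\n' "$path" ;;
            *)
                # all-digit stem, e.g. 48213907.wml (the "random integers" case)
                case "$stem" in
                    '' | *[!0-9]*) ;;                 # empty or non-digit: not a hit
                    *) printf '%s\n' "$path" ;;
                esac ;;
        esac
    done | sort
}

# Demo on a constructed tree standing in for the share (assumed layout).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/users/alice/sub"
for f in users/alice/datasource.eml users/alice/sub/20010531.EML \
         users/alice/sub/48213907.wml users/alice/budget.xls; do
    : > "$demo_root/$f"
done
nimda_candidates "$demo_root"     # prints the three .eml/.wml hits, not budget.xls
rm -rf "$demo_root"
```

Files with ordinary names and a .eml extension are deliberately not flagged, so a full scanner pass is still needed after this triage.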

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
