Once it gets going, the virus is pretty good at clogging up your network,
too. I won't name names, but at least one company in the area has pretty
much been shut down for the last couple days, while they try to clean
everyone's machines.

Some of Nimda's other interesting "features":
- Infect .exe, .asp, .htm, .html, and files named index, default, main.
- Obtain email addresses from address book and web pages.
- Create hidden file shares to all your local drives, and remove share
security (NT/2000).
- Create guest accounts.
- Active searching and infection of other machines (therefore clogging your
network).

You can find out more on your own. Anyway, McAfee has a free command-line
utility to specifically eliminate Nimda from a Windows machine, and also
nuke the hidden file shares created by the critter. You do not need to own
or have installed any of their products to use this utility. You can find
the utility (and perhaps more information than you ever wanted to know) at
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&&cid=2444

Lee Behrens

<originalmessage>

From: Shawn Fertch <fertch at mninter.net>
Date: Wed, 19 Sep 2001 14:46:33 -0500
Subject: [TCLUG] New virus info I think

Just found this today on one of my systems with samba running...

If someone is mapped to a samba share and they are infected with the "code
blue" or nimba virus I think it's called, it will fill the file system with
a pe000##.eml file in every directory.  Currently I'm writing a script to
clean out the system of these and grepping for the readme.exe when doing a
strings against the file.

My scripting sucks, but I'll get it done sometime....

</originalmessage>
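
The cleanup described in the quoted message, as an added example (not the poster's script or anything else from this thread): walk a Samba share, flag every .eml file that contains the "readme.exe" string, and delete only on request. The function name `scan_eml`, the choice to treat any `*.eml` name as a candidate, and the use of `grep -a` in place of `strings | grep` are assumptions.

```shell
#!/bin/sh
# Added example: flag (and optionally delete) .eml files dropped on a share.
# Assumptions: any *.eml name is a candidate, and the "readme.exe" string
# from the post is the content marker. scan_eml is a hypothetical name.

MARKER='readme\.exe'

# scan_eml ROOT [delete]
#   Prints the path of every *.eml file under ROOT that contains MARKER.
#   Default is report-only; the literal second argument "delete" removes them.
scan_eml() {
    root=$1
    mode=${2:-report}
    # -type f   : regular files only, symlinks are not followed
    # -xdev     : stay on the share's filesystem
    # grep -a   : read binary data as text (stands in for `strings | grep`)
    # grep -l   : print only the names of matching files
    # Paths containing newlines are not handled by the read loop below.
    find "$root" -xdev -type f -iname '*.eml' \
        -exec grep -a -i -l -- "$MARKER" {} + |
    while IFS= read -r f; do
        printf '%s\n' "$f"
        if [ "$mode" = delete ]; then
            rm -f -- "$f"
        fi
    done
}

# Usage: sh scan_eml.sh /path/to/share [delete]
if [ "$#" -gt 0 ]; then
    scan_eml "$@"
fi
```

Run it without `delete` first and review the list, since legitimate saved mail that merely mentions the file name would also match.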