Once it gets going, the virus is pretty good at clogging up your network, too. I won't name names, but at least one company in the area has pretty much been shut down for the last couple days, while they try to clean everyone's machines. Some of Nimda's other interesting "features": - Infect .exe, .asp, .htm, .html, and files named index, default, main. - Obtain email addresses from address book and web pages. - Create hidden file shares to all your local drives, and remove share security (NT/2000). - Create guest accounts. - Active searching and infection of other machines (therefore clogging your network). You can find out more on your own. Anyway, McAfee has a free command-line utility to specifically eliminate Nimda from a Windows machine, and also nuke the hidden file shares created by the critter. You do not need to own or have installed any of their products to use this utility. You can find the utility (and perhaps more information than you ever wanted to know) at http://vil.mcafee.com/dispVirus.asp?virus_k=99209&&cid=2444 Lee Behrens <originalmessage> From: Shawn Fertch <fertch at mninter.net> Date: Wed, 19 Sep 2001 14:46:33 -0500 Subject: [TCLUG] New virus info I think Just found this today on one of my systems with samba running... If someone is mapped to a samba share and they are infected with the "code blue" or nimba virus I think it's called, it will fill the file system with a pe000##.eml file in every directory. Currently I'm writing a script to clean out the system of these and greping for the readme.exe when doing a strings against the file. My scripting sucks, but I'll get it done sometime.... </orginalmessage>