Hi,

First disable TFTP by changing the line tftp 69/udp to tftp 0/udp in the
services file located in drivers\etc to avoid the spreading of the virus.
> ----------
> From:         James Costa[SMTP:[EMAIL PROTECTED]]
> Reply To:     NT System Admin Issues
> Sent:         Monday, September 24, 2001 12:30 PM
> To:   NT System Admin Issues
> Subject:      Nimda issue
> 
> Hi guys.
> I'm new to this list.  Was wondering if anyone had a problem getting rid
> of the Nimda virus?  I use InoculateIT from Computer Associates as my
> virus scanner, with newest virus update.  I think I have a pretty secure
> machine, but that's only an opinion.  I speculate I was infected thru IIS,
> as I did not have any email with the readme.exe file, and I have already
> patched the MIME header problem.  Anyways, I noticed through my firewall
> that TFTP.EXE (Trivial FTP) was trying to gain access to the internet,
> about 32 times in the middle of the night in fact.  I did not give it
> explicit access, so it's basically in my machine and can't get out, if
> it's even still on here.  I noticed, however, from my firewall logs, that
> TFTP.EXE was trying to connect to local DSL routers, and all IP's that it
> was trying to connect to had the same first two octets, and always tried
> to connect from port 69.  I speculate this is the Nimda virus, from the
> way it is randomly scanning for more computers to infect.  TFTP.EXE is a
> listening app, I believe, that waits for a signal from RIS from a remote
> machine to re-install windows.  Has anyone had this similar problem?
> Maybe I am not clear enough, do I need to specify something?  Maybe I am
> just a monkey and you guys don't want to hear about my problems?  Well, I
> appreciate any attention in advance, and if this isn't appropriate for
> this list, do not hesitate to let me know.  Thanks.
>  
> James Costa
>  
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 
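
A check for the services-file edit suggested in the reply above, as an added example that is not part of the original thread: it parses services-file text and reports which port tftp/udp maps to. The sample contents are constructed, and the function names are hypothetical.

```python
# Added example: audit a services file for the tftp/udp port mapping.
# Line layout: <name> <port>/<protocol> [aliases...] [# comment]

# Constructed sample contents, not taken from a real host.
SAMPLE_SERVICES = """\
echo      7/tcp
bootps    67/udp   dhcps      # Bootstrap Protocol Server
tftp      69/udp              # Trivial File Transfer
finger    79/tcp
"""

def parse_services(text):
    """Yield (name, port, proto, aliases) for each well-formed entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comment, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue                             # blank or malformed line
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue                             # port field is not numeric
        yield (fields[0].lower(), int(port), proto.lower(),
               [a.lower() for a in fields[2:]])

def tftp_udp_ports(text):
    """Ports that 'tftp' (as service name or alias) maps to over UDP."""
    return [port for name, port, proto, aliases in parse_services(text)
            if proto == "udp" and (name == "tftp" or "tftp" in aliases)]

def audit(text):
    """Summarize whether the tftp/udp entry has been remapped to port 0."""
    ports = tftp_udp_ports(text)
    if not ports:
        return "no tftp/udp entry"
    if all(p == 0 for p in ports):
        return "tftp/udp remapped to port 0"
    return "tftp/udp still maps to port " + ",".join(str(p) for p in ports if p)

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES))                             # before the edit
    print(audit(SAMPLE_SERVICES.replace("69/udp", "0/udp")))  # after the edit
```

On a host, pass the contents of the services file under the drivers\etc directory named in the reply to `audit()` instead of the sample string.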
