RE: Nimda issue

[Matthew Healy]

The home page of http://www.sophos.com/ has Nimda info all over it, including a free removal tool.   I haven't tried it myself, so can't indicate either way to it effectiveness.       -----Original Message----- From: James Costa [mailto:[EMAIL PROTECTED]] Sent: Monday, 24 September 2001 17:00 To: NT System Admin Issues Subject: Nimda issue Hi guys. I’m new to this list.  Was wondering if anyone had a problem getting rid of the Nimda virus?  I use InoculateIT from Computer Associates as my virus scanner, with newest virus update.  I think I have a pretty secure machine, but that’s only an opinion.  I speculate I was infected thru IIS, as I did not have any email with the readme.exe file, and I have already patched the MIME header problem.  Anyways, I noticed through my firewall that TFTP.EXE (Trivial FTP) was trying to gain access to the internet, about 32 times in the middle of the night in fact.  I did not give it explicit access, so it’s basically in my machine and can’t get out, if it’s even still on here.  I noticed, however, from my firewall logs, that TFTP.EXE was trying to connect to local DSL routers, and all IP’s that it was trying to connect to had the same first two octets, and always tried to connect from port 69.  I speculate this is the Nimda virus, from the way it is randomly scanning for more computers to infect.  TFTP.EXE is a listening app, I believe, that waits for a signal from RIS from a remote machine to re-install windows.  Has anyone had this similar problem?  Maybe I am not clear enough, do I need to specify something?  Maybe I am just a monkey and you guys don’t want to hear about my problems?  Well, I appreciate any attention in advance, and if this isn’t appropriate for this list, do not hesitate to let me know.  Thanks.   James Costa   http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm