Thanks all for the info. Situation however stays unclear. None of the files described by virus descriptions, as generated by viruses, exist on my PC in their expected locations as described.
Symantec utility fixNimda.com found no Nimda virus on my machine. But something is happening! I do have ZoneAlarm on my PC and recall that at some stage I allowed tftp.exe to access internet. I cannot remember why I did it. I disabled it now and will watch what happens. These are a few older records from the ZoneAlarm log which I do not understand:

type,date,time,source,destination,transport
FWIN,2001/10/03,11:20:53 +10:00 GMT,205.188.153.98:4000,203.173.141.171:1238,UDP
FWIN,2001/10/03,12:54:35 +10:00 GMT,203.173.177.17:3632,203.173.141.171:80,TCP (flags:S)
FWIN,2001/10/03,13:56:55 +10:00 GMT,203.161.254.218:3530,203.173.141.171:80,TCP (flags:S)
FWIN,2001/10/03,14:04:04 +10:00 GMT,203.199.92.172:2883,203.173.141.171:80,TCP (flags:S)
FWIN,2001/10/03,15:03:49 +10:00 GMT,203.173.177.17:3386,203.173.141.171:80,TCP (flags:S)
FWIN,2001/10/03,17:36:53 +10:00 GMT,203.173.177.17:4366,203.173.141.171:80,TCP (flags:S)
FWIN,2001/10/03,17:44:15 +10:00 GMT,203.152.128.22:2693,203.173.141.171:80,TCP (flags:S)

203.173.141.171 was me. Any comments appreciated.

The other thing. I do run IIS on my machine (purely for local work). It appears there is something happening around it as well, as per virus description. Like something is trying to get admin.dll down to me. It however seems to fail. I do not have admin.dll in any root directory (where it is supposed to be once downloaded by attacker/virus); also they say that when download succeeds the code is 200. I see 500 (number after Admin.dll).
Here are some of my records:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-03 01:25:59
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:25:59 203.173.177.17 GET /scripts/root.exe 404
01:26:02 203.173.177.17 GET /MSADC/root.exe 404
01:26:05 203.173.177.17 GET /c/winnt/system32/cmd.exe 404
01:26:09 203.173.177.17 GET /d/winnt/system32/cmd.exe 404
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
01:27:01 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
01:27:51 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
01:27:54 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
01:59:57 203.173.177.17 GET /scripts/root.exe 404
02:00:01 203.173.177.17 GET /MSADC/root.exe 404
02:00:08 203.173.177.17 GET /c/winnt/system32/cmd.exe 404
02:00:12 203.173.177.17 GET /d/winnt/system32/cmd.exe 404
02:00:17 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
02:01:10 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
02:01:13 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
02:01:18 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
02:01:22 203.173.177.17 GET /scripts/..%5c../Admin.dll 500
02:01:27 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
02:01:29 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
02:01:35 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
02:01:38 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 502
02:01:41 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../Admin.dll 500

etc. This kind of records started to appear about 2 weeks ago. I have applied the patch for IIS today. Any comments are welcome.
Regards
Alex

----- Original Message -----
From: "Nello Sestini" <[EMAIL PROTECTED]>
To: "Multiple recipients of list offtopic" <[EMAIL PROTECTED]>
Sent: Wednesday, October 03, 2001 4:18 PM
Subject: Re: [DUG-OFFTOPIC]: tftp.exe

> to add confirmation to what others have already
> suspected:
>
> http://www.cert.org/advisories/CA-2001-26.html
> http://vil.mcafee.com/dispVirus.asp?virus_k=99209&&cid=2444
>
> Nimda uses TFTP to download a trojan admin.dll file.
>
> good luck
>
> -ns
>
> ----- Original Message -----
> From: "Alex Kouznetsov" <[EMAIL PROTECTED]>
> To: "Multiple recipients of list offtopic" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 03, 2001 9:13 AM
> Subject: [DUG-OFFTOPIC]: tftp.exe
>
> > Looking at W2K task manager, I noticed tftp.exe popping up within process
> > list alongside with cmd.exe. After a while both disappear.
> >
> > Does anybody know what is happening ?
> >
> > Alex
> >
> > ---------------------------------------------------------------------------
> > New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
> > Website: http://www.delphi.org.nz
> > To UnSub, send email to: [EMAIL PROTECTED]
> > with body of "unsubscribe offtopic"
> > Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/
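A small triage script for IIS log lines of the kind posted in this thread, added here as an example; it is not part of the original mail or of any tool mentioned in it. It assumes the W3C extended format shown above (a #Fields header naming the columns) and embeds constructed sample lines modelled on Alex's records; the indicator list (root.exe, cmd.exe reached through ..%5c.. traversal, Admin.dll) is taken from the log itself. The aim is to answer the question the poster is asking: which source addresses sent traversal probes, and which of those probes got a 200 rather than a 404/500/502.

```python
"""Triage helper for IIS 5.0 W3C extended log lines (example code, not from
the thread). Flags Unicode/double-decode directory-traversal probes and the
well-known worm file names, then summarises them per source address."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample, modelled on the records in the mail above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-03 01:25:59
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:25:59 203.173.177.17 GET /scripts/root.exe 404
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
01:27:01 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 502
02:01:22 203.173.177.17 GET /scripts/..%5c../Admin.dll 500
02:01:27 203.173.177.17 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 200
03:00:00 10.0.0.5 GET /index.html 200
"""

# "../" or "..\" anywhere in the decoded path is a traversal attempt.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
# File names the probes in the log were after (compared lower-case).
KNOWN_TARGETS = ("root.exe", "cmd.exe", "admin.dll")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than abort the triage
        yield dict(zip(fields, parts))


def classify(entry):
    """Return indicator tags for one entry; an empty list means nothing matched."""
    # Decode twice: %255c -> %5c -> "\", so double-encoded probes are caught too.
    decoded = unquote(unquote(entry["cs-uri-stem"])).lower()
    tags = []
    if TRAVERSAL.search(decoded):
        tags.append("traversal")
    for name in KNOWN_TARGETS:
        if decoded.endswith(name):
            tags.append(name)
    # A 200 on a probe means IIS handled the request instead of rejecting it.
    if tags and entry["sc-status"] == "200":
        tags.append("status-200")
    return tags


def triage(text):
    """Summarise suspicious requests per source IP: count, 200s, targets seen."""
    report = defaultdict(lambda: {"probes": 0, "succeeded": 0, "targets": set()})
    for entry in parse_w3c(text):
        tags = classify(entry)
        if not tags:
            continue
        row = report[entry["c-ip"]]
        row["probes"] += 1
        if "status-200" in tags:
            row["succeeded"] += 1
        row["targets"].update(t for t in tags if t in KNOWN_TARGETS)
    return dict(report)


if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG).items():
        print(f"{ip}: {row['probes']} probes, {row['succeeded']} answered 200, "
              f"targets={sorted(row['targets'])}")
```

The decode-twice step matters because the %5c sequences in the log only turn into a backslash after IIS has already checked the path once; decoding the URI twice before matching mirrors that and keeps a double-encoded variant from slipping past the regex. In the thread's own records every traversal request to cmd.exe that returned 200 deserves a closer look, whatever happened to the later Admin.dll fetch.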
