Re: Nimda issue

2001-09-24 Thread nt_server



Try this instead...
http://www.grisoft.com/html/us_index.html

  - Original Message -
  From: James Costa
  To: NT System Admin Issues
  Sent: Monday, September 24, 2001 2:00 AM
  Subject: Nimda issue

  Hi guys.

  I’m new to this list.  Was wondering if anyone had a problem getting rid of
  the Nimda virus?  I use InoculateIT from Computer Associates as my virus
  scanner, with newest virus update.  I think I have a pretty secure machine,
  but that’s only an opinion.  I speculate I was infected thru IIS, as I did
  not have any email with the readme.exe file, and I have already patched the
  MIME header problem.  Anyways, I noticed through my firewall that TFTP.EXE
  (Trivial FTP) was trying to gain access to the internet, about 32 times in
  the middle of the night in fact.  I did not give it explicit access, so it’s
  basically in my machine and can’t get out, if it’s even still on here.  I
  noticed, however, from my firewall logs, that TFTP.EXE was trying to connect
  to local DSL routers, and all IP’s that it was trying to connect to had the
  same first two octets, and always tried to connect from port 69.  I
  speculate this is the Nimda virus, from the way it is randomly scanning for
  more computers to infect.  TFTP.EXE is a listening app, I believe, that
  waits for a signal from RIS from a remote machine to re-install windows.
  Has anyone had this similar problem?  Maybe I am not clear enough, do I need
  to specify something?  Maybe I am just a monkey and you guys don’t want to
  hear about my problems?  Well, I appreciate any attention in advance, and if
  this isn’t appropriate for this list, do not hesitate to let me know.
  Thanks.

  James Costa
   http://www.sunbelt-software.com/ntsysadmin_list_charter.htm





RE: Nimda issue

2001-09-24 Thread Ade_Aiyenigba

Also take a look at http://www.incidents.org/react/nimda.php for detailed
analysis.
-Original Message-
From: Matthew Healy [mailto:[EMAIL PROTECTED]]
Sent: 24 September 2001 09:36
To: NT System Admin Issues
Subject: RE: Nimda issue


The home page of http://www.sophos.com/ has Nimda info all over it, including
a free removal tool.

I haven't tried it myself, so can't indicate either way to its effectiveness.

-Original Message-
From: James Costa [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 September 2001 17:00
To: NT System Admin Issues
Subject: Nimda issue



Hi guys.

I'm new to this list.  Was wondering if anyone had a problem getting rid of
the Nimda virus?  I use InoculateIT from Computer Associates as my virus
scanner, with newest virus update.  I think I have a pretty secure machine,
but that's only an opinion.  I speculate I was infected thru IIS, as I did
not have any email with the readme.exe file, and I have already patched the
MIME header problem.  Anyways, I noticed through my firewall that TFTP.EXE
(Trivial FTP) was trying to gain access to the internet, about 32 times in
the middle of the night in fact.  I did not give it explicit access, so it's
basically in my machine and can't get out, if it's even still on here.  I
noticed, however, from my firewall logs, that TFTP.EXE was trying to connect
to local DSL routers, and all IP's that it was trying to connect to had the
same first two octets, and always tried to connect from port 69.  I
speculate this is the Nimda virus, from the way it is randomly scanning for
more computers to infect.  TFTP.EXE is a listening app, I believe, that
waits for a signal from RIS from a remote machine to re-install windows.
Has anyone had this similar problem?  Maybe I am not clear enough, do I need
to specify something?  Maybe I am just a monkey and you guys don't want to
hear about my problems?  Well, I appreciate any attention in advance, and if
this isn't appropriate for this list, do not hesitate to let me know.
Thanks.

 

James Costa

 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm




RE: Nimda issue

2001-09-24 Thread Matthew Healy



The home page of http://www.sophos.com/ has Nimda info all over it, including
a free removal tool.

I haven't tried it myself, so can't indicate either way to its effectiveness.

-Original Message-
From: James Costa [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 September 2001 17:00
To: NT System Admin Issues
Subject: Nimda issue

Hi guys.

I’m new to this list.  Was wondering if anyone had a problem getting rid of
the Nimda virus?  I use InoculateIT from Computer Associates as my virus
scanner, with newest virus update.  I think I have a pretty secure machine,
but that’s only an opinion.  I speculate I was infected thru IIS, as I did
not have any email with the readme.exe file, and I have already patched the
MIME header problem.  Anyways, I noticed through my firewall that TFTP.EXE
(Trivial FTP) was trying to gain access to the internet, about 32 times in
the middle of the night in fact.  I did not give it explicit access, so it’s
basically in my machine and can’t get out, if it’s even still on here.  I
noticed, however, from my firewall logs, that TFTP.EXE was trying to connect
to local DSL routers, and all IP’s that it was trying to connect to had the
same first two octets, and always tried to connect from port 69.  I
speculate this is the Nimda virus, from the way it is randomly scanning for
more computers to infect.  TFTP.EXE is a listening app, I believe, that
waits for a signal from RIS from a remote machine to re-install windows.
Has anyone had this similar problem?  Maybe I am not clear enough, do I need
to specify something?  Maybe I am just a monkey and you guys don’t want to
hear about my problems?  Well, I appreciate any attention in advance, and if
this isn’t appropriate for this list, do not hesitate to let me know.
Thanks.

James Costa
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm





RE: Nimda issue

2001-09-23 Thread Sankaranarayanan_Ganapathy

Hi,

First disable TFTP by changing the line tftp 69/udp to tftp 0/udp in the
services file located in drivers\etc to avoid the spreading of the virus.
> --
> From: James Costa[SMTP:[EMAIL PROTECTED]]
> Reply To: NT System Admin Issues
> Sent: Monday, September 24, 2001 12:30 PM
> To:   NT System Admin Issues
> Subject:  Nimda issue
> 
> Hi guys.
> I'm new to this list.  Was wondering if anyone had a problem getting rid
> of the Nimda virus?  I use InoculateIT from Computer Associates as my
> virus scanner, with newest virus update.  I think I have a pretty secure
> machine, but that's only an opinion.  I speculate I was infected thru IIS,
> as I did not have any email with the readme.exe file, and I have already
> patched the MIME header problem.  Anyways, I noticed through my firewall
> that TFTP.EXE (Trivial FTP) was trying to gain access to the internet,
> about 32 times in the middle of the night in fact.  I did not give it
> explicit access, so it's basically in my machine and can't get out, if
> it's even still on here.  I noticed, however, from my firewall logs, that
> TFTP.EXE was trying to connect to local DSL routers, and all IP's that it
> was trying to connect to had the same first two octets, and always tried
> to connect from port 69.  I speculate this is the Nimda virus, from the
> way it is randomly scanning for more computers to infect.  TFTP.EXE is a
> listening app, I believe, that waits for a signal from RIS from a remote
> machine to re-install windows.  Has anyone had this similar problem?
> Maybe I am not clear enough, do I need to specify something?  Maybe I am
> just a monkey and you guys don't want to hear about my problems?  Well, I
> appreciate any attention in advance, and if this isn't appropriate for
> this list, do not hesitate to let me know.  Thanks.
>  
> James Costa
>  
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
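
The firewall-log pattern described in the original post (one process making repeated port-69 attempts to many addresses that share their first two octets) can be checked for mechanically. The following is an added example, not part of the thread: the log format, the sample lines and the function name `find_tftp_sweeps` are constructed for illustration and do not come from any firewall product.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; the log format is hypothetical, not a real product's.
SAMPLE_LOG = """\
2001-09-24 02:11:03 BLOCK UDP TFTP.EXE 192.168.1.10:1034 -> 10.20.31.7:69
2001-09-24 02:11:04 BLOCK UDP TFTP.EXE 192.168.1.10:1035 -> 10.20.112.40:69
2001-09-24 02:11:04 ALLOW UDP OTHER.EXE 192.168.1.10:1036 -> 10.20.0.1:53
2001-09-24 02:11:06 BLOCK UDP TFTP.EXE 192.168.1.10:1037 -> 10.20.5.201:69
2001-09-24 02:11:07 BLOCK UDP TFTP.EXE 192.168.1.10:1038 -> 10.20.31.7:69
2001-09-24 02:11:09 BLOCK UDP TFTP.EXE 192.168.1.10:1039 -> 10.20.77.13:69
2001-09-24 02:11:10 BLOCK UDP TFTP.EXE 192.168.1.10:1040 -> 10.99.1.1:69
2001-09-24 02:11:11 BLOCK UDP TFTP.EXE 192.168.1.10:1041 -> 10.20.200.9:69
garbled line that the parser should skip
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) (?P<proc>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_tftp_sweeps(log_text, min_targets=5):
    """Group port-69 UDP attempts by (process, first two octets of the remote
    address) and return the groups that reached at least min_targets hosts."""
    groups = defaultdict(lambda: {"attempts": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() != "UDP":
            continue
        # Accept port 69 on either end, since logs differ in how they label it.
        if "69" not in (m["sport"], m["dport"]):
            continue
        try:
            dst = ipaddress.IPv4Address(m["dst"])
        except ipaddress.AddressValueError:
            continue  # malformed address, e.g. an octet above 255
        prefix = ".".join(str(dst).split(".")[:2])
        group = groups[(m["proc"].lower(), prefix)]
        group["attempts"] += 1
        group["targets"].add(dst)
    return {
        key: {"attempts": g["attempts"],
              "targets": [str(a) for a in sorted(g["targets"])]}
        for key, g in groups.items()
        if len(g["targets"]) >= min_targets
    }

if __name__ == "__main__":
    for (proc, prefix), hit in find_tftp_sweeps(SAMPLE_LOG).items():
        print(f"{proc}: {hit['attempts']} attempts, {len(hit['targets'])} hosts in {prefix}.x.x")
```

The `min_targets` threshold is an assumption to tune per environment; a single legitimate TFTP transfer touches one host, so even a low value separates it from a sweep.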