Re: Virus

["John McManus" <john.mcmanus@xxxxxxx>]

I am in a difficult position as my virus scanner (NAV2001) does not show
that I am infected, but the Zone Alarm Pro firewall suddenly (Wednesday)
started asking if I want to allow TFTP (trivial file transfer protocol) to
connect to the internet.  I have also run a couple of the 'cleaner'
programs
for Nimda virus... they too say I am not infected.

Since I am not aware of any apps on the server that need to use TFTP (and
the addresses that it is going to are other BT Internet ones), I guess I
need to assume that I am infected with something and reformat /
re-install... a real PITA.

Any thoughts would be appreciated.
----- Original Message -----
From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: Saturday, September 22, 2001 7:42 PM
Subject: RE: [ukha_d] Virus


> Thanks Keith,
>
> I am using Norton AntiVirus 2001 recently bought, I used its own virus
scan
> routine, is there a better way?
>
> All the infected files were deleted.
> I do use it's auto update and do it manually as well.
>
> Thanks for the info.
>
> B.
> > -----Original Message-----
> > From: Keith Doxey [mailto:ukha@xxxxxxx]
> > Sent: 22 September 2001 19:00
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Virus
> >
> >
> > Thats probably it.
> >
> > How did you run yor virus scan?
> > We ran it Windows "Find Files" containing the text
"whatever you care to
> > put" so that it was forced to open everyfile on the machine,
at which
time
> > the AV software should find the infected files.
> >
> > Make sure you keep your anti virus software upto date.
> >
> > At work we use VirusScan TC from McAfee.
> > The Dat file was at version 4158 at the beginning of the week and
by
> > yesterday had reached 4162.
> >
> > At home I use eTrust EZ Antivirus. Its Dat file has gone from
> > 1491 on Monday
> > to 1512 yesterday.
> >
> > One of the worst things about Nimda is that YOU dont have to do
> > anything to
> > catch it. I have no doubt that there will be several more viruses
> > that mimic
> > the HTML method employed by Nimda, namely using Javascript to
Pop-Up a
> > window at coordinates that wont show on the screen and then try
to do
> > malicious things to your machine. Disabling Javascript would stop
that
but
> > would also stop many reputable web pages from working and I
> > believe most, if
> > not all eCommerce sites would be less than useless if you didnt
support
> > Javascript.
> >
> > Once again a few idiots spoiling things for the majority :-(
> >
> > Keith
> >
> > > -----Original Message-----
> > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx]
> > > Sent: 22 September 2001 15:33
> > > To: ukha_d@xxxxxxx
> > > Subject: RE: [ukha_d] Virus
> > >
> > >
> > > Thanks Keith, I should have known that :-(
> > >
> > > All .eml deleted.
> > >
> > > I have run the virus scan again and it does not find any
mere
> > > does that mean
> > > all is ok again?
> > > Never had a virus before not sure when to trust it again!
> > >
> > > I have already read the threads, I have re-SP2'd and another
MS patch
> > > q301625_w2k_sp3_x86_en.exe
> > > Anything else or can I now breathe again!!
> > >
> > > Thanks,
> > >
> > > B.
> > >
> > > > -----Original Message-----
> > > > From: Keith Doxey [mailto:ukha@xxxxxxx]
> > > > Sent: 22 September 2001 15:07
> > > > To: ukha_d@xxxxxxx
> > > > Subject: RE: [ukha_d] Virus
> > > >
> > > >
> > > > *.eml are email messages but the ones that hyou have
found
> > will be loads
> > > > with the same file size and datestamp.
> > > >
> > > > THEY ARE INFECTED WITH THE VIRUS ..... DELETE THEM.
> > > >
> > > > It also puts some codew in any HTML or ASP files it
finds that
> > > will infect
> > > > any other PC viewing the pages.
> > > >
> > > > Read the previous threads from when Graham was battling
to
> > remove Nimda.
> > > >
> > > > Keith
> > > >
> > > > > -----Original Message-----
> > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx]
> > > > > Sent: 22 September 2001 14:04
> > > > > To: UKHA Group
> > > > > Subject: [ukha_d] Virus
> > > > >
> > > > >
> > > > > What are .eml files?
> > > > > I assume something to do with the web/html/IE?
> > > > > It seems that these were the most attacked, I have
> > > > "quarantined" them but
> > > > > not sure if I can delete them?
> > > > >
> > > > > Another PC has also been infected but this time is
seems mostly
> > > > > Psion files
> > > > > so I have deleted them! subtle.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > B.
> > > > >
> > > > >
> > > > >
> > > > > For more information: http://www.automatedhome.co.uk
> > > > > Post message: ukha_d@xxxxxxx
> > > > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > > > List owner:  ukha_d-owner@xxxxxxx
> > > > >
> > > > > Your use of Yahoo! Groups is subject to
> > > http://docs.yahoo.com/info/terms/
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > List owner:  ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
> >
> >
> >
> >
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe:  ukha_d-subscribe@xxxxxxx
> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > List owner:  ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
http://docs.yahoo.com/info/terms/
> >
> >
> >
>
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>