Web Hosting Talk

View Full Version : win2k Nimda problem


mpkapadia
11-28-2001, 12:54 PM
Hi

I have this win2k box.
Whenever the IIS service is enabled, within say 20-30 minutes NAV 2001 detects Nimda in c:\inetpub\scripts\TFTP2011 or something.

Each time, the virus is detected only in files which are in c:\inetpub\scripts

In fact, these files are generated.

It does not catch any other file.

If the IIS service is stopped and these files are deleted (tftp*.*), then NAV shows no virus.

Again, when the IIS service is started, within some time the TFTP files come up in the folder from nowhere and are picked up by NAV.

Can anything be done about it (besides keeping the IIS service closed)?

Regards

RackMy.com
11-28-2001, 02:25 PM
You need to apply the cumulative IIS patch to your server. It's not protected from Nimda (which is what you are seeing). http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

mpkapadia
11-29-2001, 12:34 PM
Mike,

You just solved my problem :)
I have noticed that you are good at Windows issues.

Thank you very much

Regards,

RackMy.com
11-29-2001, 08:28 PM
Thanks :) Glad it helped!

uka
12-08-2001, 05:00 PM
Hi,

I also have the same problem on my win2k web server. Will applying the Cumulative Patch for IIS remove the virus?

What precautions should be taken while applying the patch from a remote location?

Thanks
UKA

RackMy.com
12-08-2001, 11:00 PM
No, applying the cumulative patch will only prevent you from getting/spreading the virus once your system has been cleaned.

If you have been infected, there are several tools available to help clean your system, but we always recommend a reinstall.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/redfix.asp

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Hope that helps!

mpkapadia
12-09-2001, 01:23 AM
Also, make sure that when you are cleaning the virus, your IIS service is shut down.

Apply the patch while the IIS service is down, and only after that should you start the service.

Regards