Possible hole in Win XP MS Client networking

From: Daniel Swarbrick (danielat_private)
Date: Mon Dec 24 2001 - 21:09:02 PST


    Hi, I hope this is the correct contact for this kind of thing.
    
    I've just had somebody drop Nimda viruses on my Windows XP Pro
    workstation from Korea. Here's how it happened.
    
    I had a Windows share on a FAT32 drive, which granted read/write to
    Everybody (I know, bad practice, but it was just a temporary "Incoming"
    directory from a file swap session with a friend a few nights ago). I
    noticed my modem lights going, even though I was not downloading
    anything at the time. At that moment, Norton Antivirus started popping
    up warnings about Nimda viruses in .EML files in the shared directory. I
    suspected my friend's files had come with a little extra bonus, so went
    to check the directory myself. I couldn't find more than one .EML file
    at a time (as NAV kept moving them to quarantine), but new ones kept
    arriving. That's when I clicked as to what was happening, and ran
    netstat from a DOS window.
    
    Netstat revealed an ESTABLISHED connection from a host in Korea to the
    microsoft-ds service on my machine. It also showed a TIME_WAIT
    connection to windowsupdate.microsoft.com, although I had not been to
    that site - possibly unrelated, as Windows does tend to phone home a
    bit. Anyway, I promptly stopped sharing the directory, and disconnected
    from the Internet, reconnecting in order to get a new IP.
    
    I then checked my network configuration, and double checked that Client
    for Microsoft Networks was not bound to my modem, which indeed it
    wasn't. Now I don't run the XP firewall for my dialup connection, but
    how is it that a connection can be made to a service that is not bound
    to the dialup adapter?
    
    Is this a hole? Can you guys perhaps replicate the condition and see if
    it is? My machine has all the current critical updates applied from
    Windows update.
    
    Any other information you might need, I will try to supply.
    
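    The netstat check the post describes, turned into a small parser, as an added example that is not part of the original message or of any Microsoft tool: it reads `netstat -an` output in the Windows format, flags SMB listeners bound to 0.0.0.0 (which means the service accepts sessions on every address, whatever the per-adapter binding checkboxes say) and flags ESTABLISHED sessions on TCP 139/445 whose peer is outside RFC 1918, loopback and link-local space. The sample netstat text and its addresses are constructed for the example; `parse_netstat`, `smb_findings` and the other names are the example's own, not anything from the post.

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output from a Windows XP-era host.
# The addresses are illustrative and were made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.17:445       198.51.100.23:3476     ESTABLISHED
  TCP    203.0.113.17:1054      192.0.2.40:80          TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.10:137       *:*
"""

# netbios-ssn (139) and microsoft-ds (445): the two TCP doors into SMB.
SMB_PORTS = {139, 445}

# Address ranges treated as "my own LAN / my own box"; anything else is external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, unspecified
)]

# One netstat row: proto, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn Windows `netstat -an` output into a list of row dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local_host": local_host,
            "local_port": int(local_port),
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,   # may be '*' for UDP; kept as text
            "state": state or "",
        })
    return rows


def is_external(host):
    """True when host is a routable address outside the LOCAL_NETS ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # '*' or a hostname (netstat run without -n)
    return not any(ip in net for net in LOCAL_NETS)


def smb_findings(rows):
    """Return (kind, row) pairs for SMB exposure worth looking at."""
    findings = []
    for r in rows:
        if r["local_port"] not in SMB_PORTS:
            continue
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["local_host"] == "0.0.0.0":
            # Wildcard listener: reachable on the dial-up address as well as the LAN one.
            findings.append(("listener_all_interfaces", r))
        elif r["state"] == "ESTABLISHED" and is_external(r["foreign_host"]):
            # Someone outside the LAN has an open SMB session with this machine.
            findings.append(("external_smb_session", r))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in with `netstat -an | python this_script.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for kind, r in smb_findings(parse_netstat(text)):
        print(kind, r["proto"],
              "%s:%d" % (r["local_host"], r["local_port"]),
              "%s:%s" % (r["foreign_host"], r["foreign_port"]),
              r["state"])
```

    Against the constructed sample the script reports two things: the TCP 445 listener on 0.0.0.0, and the ESTABLISHED session from 198.51.100.23. The first finding is the answer to the question in the post as far as netstat can give it: if the listener is on 0.0.0.0 rather than on the LAN address alone, unbinding a client component from the dial-up adapter does not stop inbound SMB, and the practical fix is to filter TCP 139 and 445 on that interface (or enable the XP firewall on it) until the share is gone. Adding `-o` to netstat on XP also prints the owning PID, which helps when the listener is not the one you expect.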



    This archive was generated by hypermail 2b30 : Tue Dec 25 2001 - 09:33:34 PST