In order to answer this, I'm going to assume that you're looking for
infected machines within your environment. The Nimda virus itself can
use multiple methods of transport, making external traffic hard to isolate.
The simplest way we've found to look for it is to look for TFTP on your
network. Granted, that will get you some false positives, but in most
cases, TFTP is a pretty lightly-used protocol, most commonly employed on
a network device that's booting up. Unless you're just recovering from
some sort of outage, it's not a bad way to find it.
We actually have a firewall that will e-mail us when it sees TFTP; we
can then double-check the source. Hope this helps.
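One way to turn the TFTP heuristic described above into a check over firewall logs, written here as an added example that is not part of the thread: the log format, the sample lines and the allowlist of known net-booting devices are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the mailing list thread).
# Fields: timestamp, src, dst, proto, dport.
SAMPLE_LOG = """\
2001-11-30T18:01:02 src=10.0.5.17 dst=10.0.9.3 proto=udp dport=69
2001-11-30T18:01:03 src=10.0.5.17 dst=10.0.9.4 proto=udp dport=69
2001-11-30T18:01:05 src=10.0.5.17 dst=10.0.9.8 proto=udp dport=69
2001-11-30T18:01:09 src=10.0.1.250 dst=10.0.1.5 proto=udp dport=69
2001-11-30T18:01:11 src=10.0.5.40 dst=10.0.9.3 proto=tcp dport=80
2001-11-30T18:01:12 src=10.0.5.17 dst=10.0.9.12 proto=tcp dport=80
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Hosts expected to speak TFTP legitimately, e.g. a switch fetching its
# config while booting (assumed list, maintained by the network team).
KNOWN_NETBOOT_HOSTS = {"10.0.1.250"}


def tftp_flows(log_text):
    """Yield (src, dst) for every UDP/69 flow found in the log text."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["proto"] == "udp" and m["dport"] == "69":
            yield m["src"], m["dst"]


def suspicious_tftp_sources(log_text, allowlist=KNOWN_NETBOOT_HOSTS, min_targets=2):
    """Return {src: sorted targets} for hosts that TFTP to at least
    min_targets distinct destinations and are not on the allowlist.
    One fetch by a known device is normal; one internal host fetching
    from many peers is the pattern worth double-checking."""
    targets = defaultdict(set)
    for src, dst in tftp_flows(log_text):
        if src not in allowlist:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in suspicious_tftp_sources(SAMPLE_LOG).items():
        print(f"check {src}: TFTP to {len(dsts)} hosts {dsts}")
```

The threshold and allowlist are what keep the boot-time TFTP of a legitimate network device from paging anyone.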
Date: Fri, 30 Nov 2001 18:14:18 -0600
Subject: [Ethereal-users] Detecting Nimda using Ethereal
I apologize if this question has been asked before.
I consider myself a *very* casual Ethereal user, but am wondering if a
packet from the Nimda virus has a particular signature and if the source of
a Nimda attack/scan can be detected via packet capture.
Tom Kustner
Any opinions are strictly my own and not necessarily those of Wells Fargo.