
On Wed, 2003-08-13 at 19:07, Barry Murphy wrote:
> When I heard about this virus yesterday morning, I was thinking...
> Couldn't you forward the tftp server ip addresses to a server on your network (for a big ISP) and replace the file that the virus is trying to download with a fix to it, thus patching the user instead of affecting them?

Good try but no cigar! The worm actually gets its body from the machine that infected it, not from a fixed server. The worm got into our network (I'm guessing it came in on someone's laptop that got infected at home) and spread to a large number of machines with *no* tftp session off campus. We have long blocked tftp at the border.

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.