July 18th, 2002, 10:50 PM
Connection between Nimda & Port 1027
I need some help. I have been notified that Nimda .gen@MM & Nimda.eml has affected a couple of Win2K & NT 4(sp6) machines that are used for web development. The machines were cleaned with McAfee Netshield and files cleaned or deleted, at which point the issue was closed.
Curious as to whether the virus was removed or simply the infected files cleaned, I did a port scan on a couple of machines. All machines which had been infected now have port 1027 ICQ? open whereas uninfected machines don't. I have done a search on Google, looked through Symantec & McAfee documentation and don't see a connection between the issues.
Port 1027 is unassigned, but sometimes is dynamically selected for printing on a Win2K server (http://support.microsoft.com/default...en-us;Q179156&). But since these particular servers are back-up/development servers and no one is printing from them, it cannot be the case. Which leaves the alternative of a trojan, which would not be a surprise at this point.
Is it possible that there is a connection between the virus and open port or is it two unrelated issues?
Any advice would be appreciated!
BTW: All servers running IIS have MS02-018 - *** IIS Patch Applied