Hey mike, I had a 95 workstation that had personal web server running along with Front Page that was infected. (IIS lite) Might want to check that out. -----Original Message----- From: Peter Chin [mailto:[log in to unmask]] Sent: Thursday, November 01, 2001 3:42 PM To: [log in to unmask] Subject: Re: nimda-e worm Before you try scrubbing your server again I would recommend throughly checking your workstations. Nimda is not a server-only worm like some of it's predecessors, which took advantage of the same IIS vulnerabilities. There is a potent workstation component that spreads via email, network shares and infected web sites. If you have an infected desktop that accesses your server it could be dropping and/or modifying files on your server. here Network associates blurb on it: http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 Peter Chin Network Administrator Office of the Controller Michigan State University 146 Administration Building East Lansing, MI 48824 Ph. (517) 353-4443 Fx. (517) 353-1046