When you find out what it is, please send it to all of us. Thanks -----Original Message----- From: Gerard M Hoxsey To: [log in to unmask] Sent: 11/1/01 3:11 PM Subject: nimda-e worm Very frustrating. bard.cal.msu.edu is my box. It was hit by nimda in september. It was formatted and reloaded from a sept 8 backup, fully patched according to microsoft downloads and yet it has been exploited again. I am obviously missing something but I don't know what. I had noticed unusual activity and had the box off the wire before Gene's email went out. I was probed by 210.178.12.111 and 35.8.195.55 but my log shows 404's so I don't know how the heck they got in. Any help in buttoning this up would be much appreciated. Michael Hoxsey Network Admin Arts and Letters