GEN:SID 1:1289
Message TFTP GET Admin.dll
Summary This event is generated when an exploited Internet Information Server (IIS) host attempts to perform a tftp download of the file admin.dll to infect the host with the nimda worm.
Impact Administrator access.  A successful attack can allow remote execution of commands with administrator privleges.
Detailed Information The nimda worm uses multiple propagation methods.  One method exploits a victim Internet Information Server (IIS) using a unicode directory traversal attack to execute commands on the target server.  An attempt is made to execute a tftp download of the file admin.dll from the infected attacking host to the victim server.  The admin.dll file is a copy of the nimda worm that is activated on the newly infected victim server.  This event is triggered if the IIS server is exploitable and the tftp transfer is attempted.
Affected Systems Hosts running Microsoft IIS 4.0 and 5.0.
Attack Scenarios The worm will attempt to remotely exploit a unicode directory vulnerability to infect an IIS server by executing a tftp download of the nimda worm.
Ease of Attack Simple.  
Corrective Action Apply the appropriate patch referenced in Microsoft Security Bulletin MS00-078.
Additional References CERT:
http://www.cert.org/advisories/CA-2001-26.html

Microsoft:
http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp
Rule References url: www.cert.org/advisories/CA-2001-26.html