Viral Hell

Posted by: pgrzelak

Viral Hell - 18/08/2003 11:32

Greetings!

Is anyone else in viral hell at the moment? Pretty tame from NAI's perspective, but it is causing havoc in the office. (Not a small task, or small network.)
Posted by: lectric

Re: Viral Hell - 18/08/2003 12:02

Wait, its payload is WHAT?! It tries to patch your machine to protect it from getting the same virus again?!?! That just seems bizarre.
Posted by: RobotCaleb

Re: Viral Hell - 18/08/2003 12:04

if it takes care of itself, what's the big deal?
Posted by: g_attrill

Re: Viral Hell - 18/08/2003 12:11

if it takes care of itself, what's the big deal?

The side effects:

As for the W32/Lovsan.worm, some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied.

Basically, the exploit might fail, leaving the patch unapplied and the system screwed.

Gareth
Posted by: RobotCaleb

Re: Viral Hell - 18/08/2003 12:12

yeah, that's a byproduct of installing windows. no big deal, we're all used to it
:P
Posted by: pgrzelak

Re: Viral Hell - 18/08/2003 12:22

The results are far worse, as the machine starts spamming your intranet with malformed ICMP packets and tests on port 135... Trust me, it can slow things down immensely...
Posted by: lectric

Re: Viral Hell - 18/08/2003 12:28

Don't get me wrong. I can surely see how it could be an issue, but what a bizarre payload. Not exactly deleting all your system files.
Posted by: matthew_k

Re: Viral Hell - 18/08/2003 13:10

From a part time university sys admin who got stuck dealing with blaster last week while everyone was away at training, I'm really wishing this had hit a few days earlier. I haven't actually seen any infections of the new one yet, but move in day is tomorrow so we're going to have a whole load of unpatched systems coming online.

Matthew
Posted by: RobotCaleb

Re: Viral Hell - 18/08/2003 15:18

lol
read the first few paragraphs
http://radio.weblogs.com/0001011/
Posted by: Laura

Re: Viral Hell - 18/08/2003 16:28

I'm so glad that I am still running Win98SE
Posted by: Roger

Re: Viral Hell - 19/08/2003 00:43

I'm so glad that I am still running Win98SE

I'm so glad that I installed the patch for that problem when it came out, rather than waiting until the worm happened .

I'm also glad that I'm behind a firewall, so most of this sh*t doesn't get to me anyway.
Posted by: pgrzelak

Re: Viral Hell - 19/08/2003 04:17

<cough>

Trust me. We installed the patch. We are behind a firewall. Unfortunately, it only takes a few clueless individuals (and in a huge corporation, there are plenty) to get infected badly enough to bring down a rather large and complex network.

Just like driving in traffic - no matter how careful you are, it only takes one person to cause an accident that (at best) leaves you stranded for hours.
Posted by: Phoenix42

Re: Viral Hell - 19/08/2003 05:11

Yup! And we've got plenty of them here.
Posted by: Dignan

Re: Viral Hell - 19/08/2003 05:54

So true, Paul. We only have 17 people in our office, and half of them have no clue what that little globe is that keeps giving them little messages. We keep telling them and they keep forgetting. I think the problem is the inevitable restarting of their machines, which is just too much of an inconvenience.

My girlfriend's father got the MSblaster worm, and it gave me a reason to play high speed internet advocate for the rest of his family. I told him that I would have run Update on his machine already, but since he's never done it since he got his computer, he had about 45MB of stuff to download over dialup. It was a good argument for a cable modem
Posted by: pgrzelak

Re: Viral Hell - 19/08/2003 06:22

Broadband is a big help when dealing with the patches and autoupgrades! You might want to also consider Terminal Services, VNC or PC Anywhere if you have to do a lot of "remote management" of his machine...
Posted by: Roger

Re: Viral Hell - 19/08/2003 07:03

It was a good argument for a cable modem

I used a similar argument to persuade my girlfriend to get DSL.

Well, to be strictly accurate, she let me get DSL at her flat. I pay for it, but she uses it.

Now she just needs a computer that can keep up with it.
Posted by: Dignan

Re: Viral Hell - 19/08/2003 07:16

Now she just needs a computer that can keep up with it.
That was another method I used. Her father's PC was painfully slow, and I had the thought that if I could speed it up, he'd start getting used to high-speed computing, and grow intolerant of low-speed internet. Turns out Dell sold him a WinXP machine with 128MB of RAM (not sure why). I slapped 512 in there and now dialup is painfully slow in comparison
Posted by: cushman

Re: Viral Hell - 19/08/2003 07:31

I've been pretty careful about being behind a firewall and not allowing access to ANY ports, but one thing bit me in the butt when this happened. I neglected to realize that when I VPN'd into my company's network, I am no longer behind my firewall. I'm within their firewall, but you get one guy who has his laptop at home on his cable modem, brings it into work the next day, BAM.

Sucks.
Posted by: tman

Re: Viral Hell - 19/08/2003 07:51

That's nothing. I know somebody who has a 2mbit cable connection that for some reason known only to him is connected to a 486DX33. He saw the adverts about how Blueyonder would make your internet a much better experience etc... and decided to get it. It's only got a 200MB hard disk as well to make it worse.

I really do wonder what he uses it for. It can't be for downloading huge files since he's only got a 200MB disk and he can't be playing online games.
Posted by: JBjorgen

Re: Viral Hell - 19/08/2003 11:51

porn.
Posted by: tman

Re: Viral Hell - 19/08/2003 11:56

Hmm... 8bpp porn? Look at that dithering
Posted by: wfaulk

Re: Viral Hell - 19/08/2003 11:58

Nah. ASCII porn.
Posted by: genixia

Re: Viral Hell - 19/08/2003 12:01

Yeah, firewalls are completely ineffective at preventing the spread of email-based virii. Virus scanners, vigilance and avoiding M$ email clients appears to be the best prevention.
Posted by: genixia

Re: Viral Hell - 19/08/2003 12:04

Speaking of Virii, is anybody else getting hit by
Sobig? It looks like all my friends got infected this morning.
Posted by: pca

Re: Viral Hell - 19/08/2003 12:28

Yes, I've had a dozen copies in the last two or three hours. Who here has an address book with the following addresses in it:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

It would seem to be someone connected with the empeg bbs or empeg itself. They all seem to have come from a machine running outlook express 6.00.2600.0000, and have the line "X-MailScanner: Found to be clean" in them, which is amusing.

pca
Posted by: tfabris

Re: Viral Hell - 19/08/2003 13:21

Well, to be strictly accurate, she let me get DSL at her flat.
Isn't that going to be your (collective) flat pretty soon anyway?
Posted by: Roger

Re: Viral Hell - 19/08/2003 13:23

Isn't that going to be your (collective) flat pretty soon anyway?

Yeah. So it's a good thing that the DSL is already there .
Posted by: lectric

Re: Viral Hell - 19/08/2003 18:19

My inbox collected 24,000 virus warning messages from our company this afternoon. Starting at 11:27. Good thing our email virus scanner was up to the minute. I personally received 148 of the messages. Outnumbered my real email 10-1.
Posted by: mlord

Re: Viral Hell - 19/08/2003 20:03

yeah, major avalanche of junkmail all of a sudden today -- like the power finally got back on to 100% in NYC or something.

There are only 16 people that have *ever* sent email to [email protected].. I wonder which of the 17 is flubbed ?

Cheers
Posted by: Daria

Re: Viral Hell - 19/08/2003 21:14

Today was the day I finally updated sendmail to use MIMEdefang, updated MIMEdefang to add some useful SpamAssassin headers, updated sieve to filter on those headers, and installed a virus checker on my mail server. And I don't even have Windows, it was just annoying me.
Posted by: Daria

Re: Viral Hell - 19/08/2003 21:18

He wants to read his mail really fast, of course.

Posted by: lectric

Re: Viral Hell - 19/08/2003 21:23

Apparently the virus uses a spammer trick to send out hundreds of emails at once, making things spread faster.
Posted by: lopan

Re: Viral Hell - 20/08/2003 06:27

Trust me. We installed the patch. We are behind a firewall. Unfortunately, it only takes a few clueless individuals (and in a huge corporation, there are plenty) to get infected badly enough to bring down a rather large and complex network.

I hear ya, we've been spending the last 3 days fixing up a group of 20 people's computers... you know the kind of user that swears they need admin rights on their machine, make a big office stink so you're forced to give it to them, only to find 3 months later that they like to disable virus scan because they claim it makes their computers run slow.... so each and every one of the stupid bastards had "lovegate", "lovesan" and some new variant called "Nachi".... So their office products simply didn't work which was probably a good thing, being that this made it hard for some of the other viruses to send out mail and stuff....
Posted by: BleachLPB

Re: Viral Hell - 20/08/2003 11:17

Good to see other people are having as much fun as I am with this one. The last week has been miserable.

I thought our firewall finally died. I logged onto our router (which was working OK) and the prompts displayed slowly - very odd. I sniffed the network and logged about 17000 pings in less than 3 seconds. And we can't have more than 70 hosts on the network. Had to patch each one. Probably some boob plugged in their infected laptop - which I sent multiple messages out advising against this last week.

I tried writing a script that applies the fixes then removes the worm - but apparently vbscript isn't case sensitive when telling a computer to terminate the svchost.exe process. The worm's svchost appears as SVCHOST.EXE while the legit svchost.exe is all lower case.

As a side effect - because the firewall was swamped - email slowed to about nothing yesterday - possibly preventing the spread of the new sobig worm. Either way, sobig's payload (.scr, .pif, etc) are blocked and tossed in the bit bucket at the firewall.

Then - while patching workstations - a transformer blew up outside our office - all the server UPSes screamed but the power never did go out. I was crossing my fingers that it would go out.

It has been an interesting week!
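An added example, not the poster's VBScript, of the check a defender would use instead of relying on the letter case of the process name: Windows compares file and process names case-insensitively, so distinguishing the worm's SVCHOST.EXE from the real svchost.exe by case is not dependable, whereas the legitimate service host is identified by its image path under %SystemRoot%\System32. The process table, pids and paths below are constructed sample data; the "SomeOtherDir" location is a placeholder, not any worm's actual drop path.

```python
import ntpath

# Constructed sample process table: (pid, image name as reported, full image path).
# Entries 1788 and 2044 stand in for copies running outside System32.
SAMPLE_PROCESSES = [
    (812, "svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    (1040, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1788, "SVCHOST.EXE", r"C:\WINDOWS\SomeOtherDir\SVCHOST.EXE"),  # placeholder path
    (1900, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    (2044, "svchost.exe", r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
]

# Assumed system root; on a real host read it from the SystemRoot environment variable.
SYSTEM_ROOT = r"C:\WINDOWS"


def is_under(path, directory):
    """Case-insensitive test that `path` lies inside `directory`, using Windows path rules."""
    norm_path = ntpath.normcase(ntpath.normpath(path))
    norm_dir = ntpath.normcase(ntpath.normpath(directory))
    return norm_path.startswith(norm_dir + "\\")


def by_name_case_only(processes):
    """The fragile approach from the thread: flag only names spelled in upper case.
    It misses any copy whose name happens to be lower case."""
    return [pid for pid, name, _ in processes if name == "SVCHOST.EXE"]


def suspicious_svchost(processes, system_root=SYSTEM_ROOT):
    """Robust approach: any process named svchost.exe (in any case) whose image
    does not live under <system_root>\\System32 is suspicious."""
    legit_dir = ntpath.join(system_root, "System32")
    hits = []
    for pid, name, path in processes:
        if name.lower() != "svchost.exe":
            continue
        if not is_under(path, legit_dir):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("case-only check flags:", by_name_case_only(SAMPLE_PROCESSES))
    print("path-based check flags:", suspicious_svchost(SAMPLE_PROCESSES))
```

The case-only check finds one of the two out-of-place copies in the sample table; the path-based check finds both, and it keeps working if a later variant uses a lower-case name.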
Posted by: lectric

Re: Viral Hell - 20/08/2003 18:51

It's days like this that make people understand that admins are worth the money. I mean, given that if we do our jobs correctly, things don't go wrong, it's nice when the world is going crazy except for your little island and you can point this out to your boss.

Does that make sense?
Posted by: BleachLPB

Re: Viral Hell - 20/08/2003 19:04

Try telling that to MY boss.
Posted by: ashmoore

Re: Viral Hell - 21/08/2003 06:14

We are evaluating ZoneAlarm Integrity right now.
Centrally managed "endpoint" (AKA user/computer) firewall. Just like regular Zonealarm at home, just centrally managed with enforced policies, AV definition checking, web based jakarta/tomcat management interface etc etc.
Very cool product.
We also use Symantec AntiVirus Corporate edition to centrally manage the desktop AV and set policies etc.
It's things like that which save our asses every day, even more so now.

Actually, my vote for the best value security product is Guinevere.
It's an email AV gateway and costs <500 bucks, that really has saved our ass since Sunday evening when sobig hit. It only works on Groupwise, but at least to date there are ZERO viruses written for groupwise
Posted by: jmwking

Re: Viral Hell - 21/08/2003 06:35

I (mostly) love Groupwise.

But do you have trouble with users who access Groupwise with Outlook? I constantly have to beat them up...

Also, if you're using Web Access, I think viruses bypass Guinevere, and can knock around in the POs.

-jk
Posted by: MinerTwoFour

Re: Viral Hell - 21/08/2003 13:42

I happened to get a few messages returned from AOL that claimed that I was sending them out. The text file that was attached had the actual infected username at the top, then my address in the from: line. That was a quick way to pinpoint it.

The first actual virus e-mail I got came from someone in Lebanon. [email protected], or something like that. Don't know of anyone there, or anyone who would.

And this has probably been brought up before, but the infected might not have you in their address book. The address that has been receiving all these virii and fake messages, is my work address. No one has it in their contact list but my sister, who wasn't infected, so it apparently came off of a forwarded message that she had sent to the infected user with my address in it. Tricky.
Posted by: tfabris

Re: Viral Hell - 21/08/2003 13:45

Yeah, this latest batch of viruses scans your hard disk for anything remotely resembling an email address. So things like pages in your IE cache or document files could be fodder. Ick.
Posted by: ashmoore

Re: Viral Hell - 21/08/2003 17:25

yeah, the problem is that webaccess in groupwise is pretty darn good as well.
I will stop worrying when we get Integrity rolled out, you can stop people accessing your network if they don't meet base criteria such as virus defs etc. Way cool.
Posted by: genixia

Stoopid CNN comments. - 25/08/2003 07:31

So CNN were discussing Sobig this morning. Apparently their regular geek chose this week to go on vacation, so they had a stand in 'expert' talking with the anchor. Although at first she appeared to know what she was talking about, I soon suspected that she was little more than a pretty face with a good ability to act a role.

This was confirmed by her answer to the anchor's last question, "How do you avoid being hit?" ;
"Only open email with "From:" addresses that you know. If you didn't open email from strangers then Sobig wouldn't have affected you." (paraphrased).

Aaargh. I can accept that comments such as these may come from small local outfits with few resources, but from CNN? No wonder half the population remains clueless about email virii.

Let's review;
1) Most virii send copies of themselves to contacts in your address book. Many of whom are likely to be friends and family who know you.
2) In Sobig's case, it apparently used one of the contacts' email addresses to spoof the 'From' header. Although that means that many copies of the virii would appear to come from strangers, some copies will also appear to come from mutual friends, so her statement is still wrong.
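An added example, not from the thread, that puts the two points above into code: the "only open mail from people you know" rule, and the attachment-extension blocking that BleachLPB describes at the firewall (.scr, .pif and the like). It parses a constructed message whose From: header is forged to a known contact, carries a .pif attachment, and even includes the "X-MailScanner: Found to be clean" header pca mentions; the sender allowlist accepts it, the extension policy rejects it. All addresses, names, the contact list and the blocked-extension set are made up.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Assumed gateway policy: attachment extensions that are dropped outright.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com", ".vbs"}

# Constructed contact list for the "only open mail from people you know" rule.
KNOWN_CONTACTS = {"friend@example.com"}

# Constructed sample message: From: forged to a known contact, a .pif attachment,
# and a scanner header written by the sending program itself.
CONSTRUCTED_MESSAGE = b"""From: "A Friend" <friend@example.com>
To: you@example.com
Subject: Re: Details
X-MailScanner: Found to be clean
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: 7bit

constructed sample payload (not a program)
--b1--
"""


def parse_sample():
    """Parse the constructed message into an EmailMessage."""
    return email.message_from_bytes(CONSTRUCTED_MESSAGE, policy=policy.default)


def sender_allowlist_verdict(msg, known_contacts):
    """The rule quoted from CNN: accept if the From: address is someone you know.
    From: is whatever the sending program chose to write, so a forged header passes."""
    _, addr = parseaddr(str(msg["From"]))
    return "accept" if addr.lower() in known_contacts else "reject"


def blocked_attachments(msg):
    """Extension policy: names of attachments whose extension is blocked,
    regardless of who the message claims to be from."""
    names = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        if os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
            names.append(filename)
    return names


def scanner_header_claims_clean(msg):
    """A scan-result header in the message proves nothing: the sender controls it."""
    return str(msg.get("X-MailScanner", "")).strip() == "Found to be clean"


def gateway_decision(msg, known_contacts):
    """Side-by-side verdicts for the same message."""
    return {
        "sender_rule": sender_allowlist_verdict(msg, known_contacts),
        "blocked_attachments": blocked_attachments(msg),
        "claims_clean": scanner_header_claims_clean(msg),
    }


if __name__ == "__main__":
    print(gateway_decision(parse_sample(), KNOWN_CONTACTS))
```

For the sample message the sender rule returns "accept" while the extension policy lists details.pif for dropping, which is why a gateway keyed on attachment type (or a real scanner) does what a From:-based rule cannot.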