#175657 - 18/08/2003 11:32
Viral Hell
carpal tunnel
Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
Greetings!
Is anyone else in viral hell at the moment? Pretty tame from NAI's perspective, but it is causing havoc in the office. (Not a small task, or small network.)
_________________________
Paul Grzelak 200GB with 48MB RAM, Illuminated Buttons and Digital Outputs
#175658 - 18/08/2003 12:02
Re: Viral Hell
[Re: pgrzelak]
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Wait, its payload is WHAT?! It tries to patch your machine to protect it from getting the same virus again?!?! That just seems bizarre.
#175659 - 18/08/2003 12:04
Re: Viral Hell
[Re: pgrzelak]
pooh-bah
Registered: 15/01/2002
Posts: 1866
Loc: Austin
if it takes care of itself, what's the big deal?
#175660 - 18/08/2003 12:11
Re: Viral Hell
[Re: RobotCaleb]
old hand
Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
if it takes care of itself, what's the big deal?
The side effects:
As for the W32/Lovsan.worm, some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied.
Basically, the exploit might fail, leaving the patch unapplied and the system screwed.
Gareth
#175661 - 18/08/2003 12:12
Re: Viral Hell
[Re: g_attrill]
pooh-bah
Registered: 15/01/2002
Posts: 1866
Loc: Austin
yeah, that's a byproduct of installing windows. no big deal, we're all used to it
:P
#175662 - 18/08/2003 12:22
Re: Viral Hell
[Re: RobotCaleb]
carpal tunnel
Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
The results are far worse, as the machine starts spamming your intranet with malformed ICMP packets and tests on port 135... Trust me, it can slow things down immensely...
_________________________
Paul Grzelak 200GB with 48MB RAM, Illuminated Buttons and Digital Outputs
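An added example, not from anyone in this thread, of the kind of check an admin could run over a packet capture to find the host doing the sweep Paul describes (a flood of ICMP echo requests followed by probes of TCP port 135). The tcpdump-style lines are constructed inline and the rate thresholds are assumptions; a real capture would need the parser widened to tcpdump's full output.

```python
import re
from collections import defaultdict

# Two tcpdump-style line shapes, written to match the constructed sample below
# (not a general tcpdump parser): ICMP echo requests and TCP SYNs to port 135.
ICMP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): ICMP echo request")
SYN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+)\.\d+ > (\S+)\.135: Flags \[S\]")


def _second(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def scan_worm_activity(lines, ping_rate=50, syn_targets=5):
    """Return {source: [reasons]} for hosts whose traffic looks like a worm sweep:
    more than ping_rate echo requests inside one second, or SYNs to TCP/135 on
    at least syn_targets distinct hosts. Both thresholds are assumptions."""
    pings = defaultdict(lambda: defaultdict(int))  # src -> second -> echo requests
    rpc_targets = defaultdict(set)                 # src -> hosts probed on 135
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            h, mi, s, src, _dst = m.groups()
            pings[src][_second(h, mi, s)] += 1
            continue
        m = SYN_RE.match(line)
        if m:
            _h, _mi, _s, src, dst = m.groups()
            rpc_targets[src].add(dst)
    flagged = {}
    for src, buckets in pings.items():
        peak = max(buckets.values())
        if peak > ping_rate:
            flagged.setdefault(src, []).append(f"{peak} echo requests in one second")
    for src, dsts in rpc_targets.items():
        if len(dsts) >= syn_targets:
            flagged.setdefault(src, []).append(f"SYN to TCP/135 on {len(dsts)} hosts")
    return flagged


def constructed_sample():
    """Constructed capture: one infected host sweeping a /24, one quiet host."""
    lines = []
    for i in range(1, 121):  # 120 echo requests within the same second
        lines.append(f"09:15:02.{i:06d} IP 10.0.0.9 > 10.0.1.{i}: ICMP echo request, id 512, seq {i}, length 92")
    for i in range(1, 9):    # then RPC probes against hosts that answered
        lines.append(f"09:15:03.{i:06d} IP 10.0.0.9.1088 > 10.0.1.{i}.135: Flags [S], seq 1, win 16384, length 0")
    lines.append("09:15:02.500000 IP 10.0.0.20 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64")
    return lines


if __name__ == "__main__":
    for src, reasons in scan_worm_activity(constructed_sample()).items():
        print(src, "; ".join(reasons))
```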
#175663 - 18/08/2003 12:28
Re: Viral Hell
[Re: pgrzelak]
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Don't get me wrong. I can surely see how it could be an issue, but what a bizarre payload. Not exactly deleting all your system files.
#175664 - 18/08/2003 13:10
Re: Viral Hell
[Re: pgrzelak]
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
From a part time university sys admin who got stuck dealing with blaster last week while everyone was away at training, I'm really wishing this had hit a few days earlier. I haven't actually seen any infections of the new one yet, but move in day is tomorrow so we're going to have a whole load of unpatched systems coming online.
Matthew
#175666 - 18/08/2003 16:28
Re: Viral Hell
[Re: pgrzelak]
pooh-bah
Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I'm so glad that I am still running Win98SE
_________________________
Laura
MKI #017/90
whatever
#175667 - 19/08/2003 00:43
Re: Viral Hell
[Re: Laura]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
I'm so glad that I am still running Win98SE
I'm so glad that I installed the patch for that problem when it came out, rather than waiting until the worm happened.
I'm also glad that I'm behind a firewall, so most of this sh*t doesn't get to me anyway.
_________________________
-- roger
#175668 - 19/08/2003 04:17
Re: Viral Hell
[Re: Roger]
carpal tunnel
Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
<cough>
Trust me. We installed the patch. We are behind a firewall. Unfortunately, it only takes a few clueless individuals (and in a huge corporation, there are plenty) to get infected badly enough to bring down a rather large and complex network.
Just like driving in traffic - no matter how careful you are, it only takes one person to cause an accident that (at best) leaves you stranded for hours.
_________________________
Paul Grzelak 200GB with 48MB RAM, Illuminated Buttons and Digital Outputs
#175669 - 19/08/2003 05:11
Re: Viral Hell
[Re: pgrzelak]
veteran
Registered: 21/03/2002
Posts: 1424
Loc: MA but Irish born
Yup! And we've got plenty of them here.
#175670 - 19/08/2003 05:54
Re: Viral Hell
[Re: pgrzelak]
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
So true, Paul. We only have 17 people in our office, and half of them have no clue what that little globe is that keeps giving them little messages. We keep telling them and they keep forgetting. I think the problem is the inevitable restarting of their machines, which is just too much of an inconvenience.
My girlfriend's father got the MSblaster worm, and it gave me a reason to play high speed internet advocate for the rest of his family. I told him that I would have run Update on his machine already, but since he's never done it since he got his computer, he had about 45MB of stuff to download over dialup. It was a good argument for a cable modem.
_________________________
Matt
#175671 - 19/08/2003 06:22
Re: Viral Hell
[Re: Dignan]
carpal tunnel
Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
Broadband is a big help when dealing with the patches and autoupgrades! You might want to also consider Terminal Services, VNC or PC Anywhere if you have to do a lot of "remote management" of his machine...
_________________________
Paul Grzelak 200GB with 48MB RAM, Illuminated Buttons and Digital Outputs
#175672 - 19/08/2003 07:03
Re: Viral Hell
[Re: Dignan]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
It was a good argument for a cable modem
I used a similar argument to persuade my girlfriend to get DSL.
Well, to be strictly accurate, she let me get DSL at her flat. I pay for it, but she uses it.
Now she just needs a computer that can keep up with it.
_________________________
-- roger
#175673 - 19/08/2003 07:16
Re: Viral Hell
[Re: Roger]
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
Now she just needs a computer that can keep up with it.
That was another method I used. Her father's PC was painfully slow, and I had the thought that if I could speed it up, he'd start getting used to high-speed computing, and grow intolerant of low-speed internet. Turns out Dell sold him a WinXP machine with 128MB of RAM (not sure why). I slapped 512 in there and now dialup is painfully slow in comparison.
_________________________
Matt
#175674 - 19/08/2003 07:31
Re: Viral Hell
[Re: Roger]
veteran
Registered: 21/01/2002
Posts: 1380
Loc: Erie, CO
I've been pretty careful about being behind a firewall and not allowing access to ANY ports, but one thing bit me in the butt when this happened. I neglected to realize that when I VPN'd into my company's network, I am no longer behind my firewall. I'm within their firewall, but you get one guy who has his laptop at home on his cable modem, brings it into work the next day, BAM.
Sucks.
#175675 - 19/08/2003 07:51
Re: Viral Hell
[Re: Dignan]
carpal tunnel
Registered: 24/12/2001
Posts: 5528
That's nothing. I know somebody who has a 2mbit cable connection that for some reason known only to him is connected to a 486DX33. He saw the adverts about how Blueyonder would make your internet a much better experience etc... and decided to get it. It's only got a 200MB hard disk as well to make it worse.
I really do wonder what he uses it for. It can't be for downloading huge files since he's only got a 200MB disk and he can't be playing online games.
#175676 - 19/08/2003 11:51
Re: Viral Hell
[Re: tman]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
porn.
_________________________
~ John
#175677 - 19/08/2003 11:56
Re: Viral Hell
[Re: JBjorgen]
carpal tunnel
Registered: 24/12/2001
Posts: 5528
Hmm... 8bpp porn? Look at that dithering
#175678 - 19/08/2003 11:58
Re: Viral Hell
[Re: tman]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Nah. ASCII porn.
_________________________
Bitt Faulk
#175679 - 19/08/2003 12:01
Re: Viral Hell
[Re: cushman]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
Yeah, firewalls are completely ineffective at preventing the spread of email-based virii. Virus scanners, vigilance and avoiding M$ email clients appear to be the best prevention.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
#175680 - 19/08/2003 12:04
Re: Viral Hell
[Re: genixia]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
Speaking of Virii, is anybody else getting hit by Sobig? It looks like all my friends got infected this morning.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
#175681 - 19/08/2003 12:28
Re: Viral Hell
[Re: genixia]
old hand
Registered: 20/07/1999
Posts: 1102
Loc: UK
Yes, I've had a dozen copies in the last two or three hours. Who here has an address book with the following addresses in it:
tuners@rtr.ca
rvoisey@sonicblue.com
willrichpi@aol.com
pca@pcats.co.uk
info@avir.sk
It would seem to be someone connected with the empeg bbs or empeg itself. They all seem to have come from a machine running outlook express 6.00.2600.0000, and have the line "X-MailScanner: Found to be clean" in them, which is amusing.
pca
_________________________
Experience is what you get just after it would have helped...
#175683 - 19/08/2003 13:23
Re: Viral Hell
[Re: tfabris]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Isn't that going to be your (collective) flat pretty soon anyway?
Yeah. So it's a good thing that the DSL is already there.
_________________________
-- roger
#175684 - 19/08/2003 18:19
Re: Viral Hell
[Re: pca]
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
My inbox collected 24,000 virus warning messages from our company this afternoon. Starting at 11:27. Good thing our email virus scanner was up to the minute. I personally received 148 of the messages. Outnumbered my real email 10-1.
#175685 - 19/08/2003 20:03
Re: Viral Hell
[Re: pca]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
yeah, major avalanche of junkmail all of a sudden today -- like the power finally got back on to 100% in NYC or something.
There are only 16 people that have *ever* sent email to tuners@rtr.ca.. I wonder which of the 17 is flubbed ?
Cheers
#175686 - 19/08/2003 21:14
Re: Viral Hell
[Re: pgrzelak]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
Today was the day I finally updated sendmail to use MIMEdefang, updated MIMEdefang to add some useful SpamAssassin headers, updated sieve to filter on those headers, and installed a virus checker on my mail server. And I don't even have Windows, it was just annoying me.
#175687 - 19/08/2003 21:18
Re: Viral Hell
[Re: tman]
carpal tunnel
Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
He wants to read his mail really fast, of course.
#175688 - 19/08/2003 21:23
Re: Viral Hell
[Re: mlord]
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Apparently the virus uses a spammer trick to send out hundreds of emails at once, making things spread faster.
#175689 - 20/08/2003 06:27
Re: Viral Hell
[Re: pgrzelak]
old hand
Registered: 28/01/2002
Posts: 970
Loc: Manassas VA
Trust me. We installed the patch. We are behind a firewall. Unfortunately, it only takes a few clueless individuals (and in a huge corporation, there are plenty) to get infected badly enough to bring down a rather large and complex network.
I hear ya, we've been spending the last 3 days fixing up a group of 20 people's computers... you know the kind of user that swears they need admin rights on their machine, make a big office stink so you're forced to give it to them, only to find 3 months later that they like to disable virus scan because they claim it makes their computers run slow.... so each and every one of the stupid bastards had "lovegate", "lovesan" and some new variant called "Nachi".... So their office products simply didn't work which was probably a good thing, being that this made it hard for some of the other viruses to send out mail and stuff....
_________________________
Brett
60Gb MK2a with Led's
#175690 - 20/08/2003 11:17
Re: Viral Hell
[Re: lopan]
enthusiast
Registered: 01/11/2001
Posts: 354
Loc: Maryland
Good to see other people are having as much fun as I am with this one. The last week has been miserable.
I thought our firewall finally died. I logged onto our router (which was working OK) and the prompts displayed slowly - very odd. I sniffed the network and logged about 17000 pings in less than 3 seconds. And we can't have more than 70 hosts on the network. Had to patch each one. Probably some boob plugged in their infected laptop - which I sent multiple messages out advising against this last week.
I tried writing a script that applies the fixes then removes the worm - but apparently vbscript isn't case sensitive when telling a computer to terminate the svchost.exe process. The worm's svchost appears as SVCHOST.EXE while the legit svchost.exe is all lower case.
As a side effect - because the firewall was swamped - email slowed to about nothing yesterday - possibly preventing the spread of the new sobig worm. Either way, sobig's payload (.scr, .pif, etc) are blocked and tossed in the bit bucket at the firewall.
Then - while patching workstations - a transformer blew up outside our office - all the server UPSes screamed but the power never did go out. I was crossing my fingers that it would go out.
It has been an interesting week!
_________________________
BleachLPB
-------------
NewFace MK2a
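An added illustration, in Python rather than the poster's VBScript and not his script, of why keying on the capitalisation of SVCHOST.EXE is fragile and what to compare instead: Windows matches file and process names case-insensitively, so the reliable discriminator is the image path, which for the genuine service host is svchost.exe under the system32 directory. The process rows are constructed in the shape of WMI's Win32_Process properties and the rogue entry's path is a placeholder.

```python
import ntpath

# Constructed rows in the shape of WMI Win32_Process properties (Name, ProcessId,
# ExecutablePath); not taken from a real machine. The rogue entry's path is a
# placeholder, not the path any particular worm used.
SAMPLE_PROCESSES = [
    {"ProcessId": 812, "Name": "svchost.exe", "ExecutablePath": r"C:\WINDOWS\system32\svchost.exe"},
    {"ProcessId": 956, "Name": "svchost.exe", "ExecutablePath": r"C:\WINDOWS\system32\svchost.exe"},
    {"ProcessId": 1460, "Name": "SVCHOST.EXE", "ExecutablePath": r"C:\WINDOWS\TEMP\SVCHOST.EXE"},
    {"ProcessId": 1500, "Name": "explorer.exe", "ExecutablePath": r"C:\WINDOWS\explorer.exe"},
]


def pids_by_name(rows, name):
    """What a name-based terminate does: Windows file and process names compare
    case-insensitively, so asking for SVCHOST.EXE selects the real service hosts too."""
    return [r["ProcessId"] for r in rows if r["Name"].lower() == name.lower()]


def rogue_svchost_pids(rows, system_root=r"C:\WINDOWS"):
    """Select svchost processes whose image is not the svchost.exe in the system32
    directory under system_root. ntpath.normcase folds case and slashes on any
    platform, so the check does not depend on how the dropper capitalised its name."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "svchost.exe"))
    return [r["ProcessId"] for r in rows
            if r["Name"].lower() == "svchost.exe"
            and ntpath.normcase(r["ExecutablePath"]) != expected]


if __name__ == "__main__":
    print("name match would terminate:", pids_by_name(SAMPLE_PROCESSES, "SVCHOST.EXE"))
    print("path check would terminate:", rogue_svchost_pids(SAMPLE_PROCESSES))
```

On a live machine the same path comparison can be fed from Win32_Process's ExecutablePath property, and %SystemRoot% should be read from the environment rather than hard-coded.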
#175691 - 20/08/2003 18:51
Re: Viral Hell
[Re: BleachLPB]
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
It's days like this that make people understand that admins are worth the money. I mean, given that if we do our jobs correctly, things don't go wrong, it's nice when the world is going crazy except for your little island and you can point this out to your boss.
Does that make sense?
#175692 - 20/08/2003 19:04
Re: Viral Hell
[Re: lectric]
enthusiast
Registered: 01/11/2001
Posts: 354
Loc: Maryland
Try telling that to MY boss.
_________________________
BleachLPB
-------------
NewFace MK2a
#175693 - 21/08/2003 06:14
Re: Viral Hell
[Re: BleachLPB]
addict
Registered: 24/08/1999
Posts: 564
Loc: TX
We are evaluating ZoneAlarm Integrity right now.
Centrally managed "endpoint" (AKA user/computer) firewall. Just like regular Zonealarm at home, just centrally managed with enforced policies, AV definition checking, web based jakarta/tomcat management interface etc etc.
Very cool product.
We also use Symantec AntiVirus Corporate edition to centrally manage the desktop AV and set policies etc.
It's things like that which save our asses every day, even more so now.
Actually, my vote for the best value security product is Guinevere.
It's an email AV gateway and costs <500 bucks, that really has saved our ass since Sunday evening when sobig hit. It only works on Groupwise, but at least to date there are ZERO viruses written for groupwise.
_________________________
==========================
the chewtoy for the dog of Life
#175694 - 21/08/2003 06:35
Re: Viral Hell
[Re: ashmoore]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
I (mostly) love Groupwise.
But do you have trouble with users who access Groupwise with Outlook? I constantly have to beat them up...
Also, if you're using Web Access, I think viruses bypass Guinevere, and can knock around in the POs.
-jk
#175695 - 21/08/2003 13:42
Re: Viral Hell
[Re: pca]
journeyman
Registered: 10/02/2003
Posts: 78
Loc: St. Louis, MO
I happened to get a few messages returned from AOL that claimed that I was sending them out. The text file that was attached had the actual infected username at the top, then my address in the from: line. That was a quick way to pinpoint it.
The first actual virus e-mail I got came from someone in Lebanon. mts@lebanon-online.com.lb, or something like that. Don't know of anyone there, or anyone who would.
And this has probably been brought up before, but the infected might not have you in their address book. The address that has been receiving all these virii and fake messages, is my work address. No one has it in their contact list but my sister, who wasn't infected, so it apparently came off of a forwarded message that she had sent to the infected user with my address in it. Tricky.
#175696 - 21/08/2003 13:45
Re: Viral Hell
[Re: MinerTwoFour]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Yeah, this latest batch of viruses scans your hard disk for anything remotely resembling an email address. So things like pages in your IE cache or document files could be fodder. Ick.
#175697 - 21/08/2003 17:25
Re: Viral Hell
[Re: jmwking]
addict
Registered: 24/08/1999
Posts: 564
Loc: TX
yeah, the problem is that webaccess in groupwise is pretty darn good as well.
I will stop worrying when we get Integrity rolled out, you can stop people accessing your network if they don't meet base criteria such as virus defs etc. Way cool.
_________________________
==========================
the chewtoy for the dog of Life
#175699 - 25/08/2003 07:31
Stoopid CNN comments.
[Re: tfabris]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
So CNN were discussing Sobig this morning. Apparently their regular geek chose this week to go on vacation, so they had a stand in 'expert' talking with the anchor. Although at first she appeared to know what she was talking about, I soon suspected that she was little more than a pretty face with a good ability to act a role.
This was confirmed by her answer to the anchor's last question, "How do you avoid being hit?":
"Only open email with "From:" addresses that you know. If you didn't open email from strangers then Sobig wouldn't have affected you." (paraphrased).
Aaargh. I can accept that comments such as these may come from small local outfits with few resources, but from CNN? No wonder half the population remains clueless about email virii.
Let's review:
1) Most virii send copies of themselves to contacts in your address book. Many of whom are likely to be friends and family who know you.
2) In Sobig's case, it apparently used one of the contacts' email addresses to spoof the 'From' header. Although that means that many copies of the virii would appear to come from strangers, some copies will also appear to come from mutual friends, so her statement is still wrong.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.