Vulnerability Alert: Critical Windows Update (MS04-011) (05/04/04)
Since early last week, several hundred Windows computer systems on campus have been affected by current Internet worm activity. To protect your computer, please take two steps:*
- Make sure your Symantec AntiVirus is updated with current definitions. Start Symantec AntiVirus and choose Live Update. Or download the file via Symantec at: http://www.symantec.com/avcenter/download.html
- On any computer running Microsoft Windows, make sure the most recent security update is installed. To check for and retrieve current patches, select "Windows Update" from the Start menu or go directly to: http://windowsupdate.microsoft.com/
With the hostility of the contemporary Internet environment, keeping your system software up-to-date is crucial.
* If you are on a departmental network, please check with your local technical support personnel for guidance on keeping your system current and secure.
Details
The most recent worms aren't disguised as e-mail attachments, but instead spread directly from computer to computer. Computers running Microsoft Windows that haven't been updated for the vulnerabilities announced in mid-April are at very high risk -- approaching certainty -- of being compromised. See Microsoft's description of the risk in Security Bulletin MS04-011, Security Update for Microsoft Windows.
Last week (end of April), Cornell and many other higher education sites were inundated by a worm, or several worm variants, that probe both for the recently announced Windows security holes and for several previously known vulnerabilities. Once the worm finds an opening, it installs itself, starts a number of processes affecting that Windows system -- including disabling antivirus software and shutting down the computer -- and looks for other systems to infect.
Now we are also seeing indications that the "Sasser" worm, which has received considerable media coverage, may have reached campus. This worm also spreads using the Windows vulnerabilities announced in April.
As is our customary practice, the IT Security Office and the Network Operations Center are isolating infected systems and contacting their owners to request that they be cleaned.
For a description of the gao/ago/poly/phatbot worm that struck last week, see
http://www.symantec.com/avcenter/venc/data/w32.gaobot.afj.html
http://www.symantec.com/avcenter/venc/data/w32.gaobot.afw.html
Symantec provides detailed removal instructions for this and related worms. Please note that the variant typically found at Cornell has files and processes named "wmiprvs" rather than the "msiwin84" cited in the above description.
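The following is an added example, not part of the original CIT advisory or of Symantec's write-up. It turns the two protective steps above and the "wmiprvs" detail into a defender-side self-check that a support provider could run on a Windows machine today. It assumes a modern PowerShell (Get-HotFix and Get-Process did not exist in 2004); the KB article number for MS04-011 is not given on this page, so $HotfixId defaults to the placeholder 'KBnnnnnn' and must be filled in from the bulletin; and the 'Symantec*' service display-name pattern is an assumption about how the antivirus registers itself. The exact-name match on "wmiprvs" is deliberate: the legitimate WMI Provider Host is wmiprvse.exe, and a wildcard would flag every healthy machine.

```powershell
# Added example (not the advisory's or Symantec's own code): check the state
# of one Windows machine against the advice above. Assumptions are noted inline.
param(
    # Placeholder: the page does not state the KB number for MS04-011.
    [string]$HotfixId = 'KBnnnnnn',
    # Process/file base name the advisory says the campus variant uses.
    [string]$SuspectName = 'wmiprvs'
)

$findings = @()

# 1. Is the security update installed? Get-HotFix reads the same installed-
#    update records that Windows Update and Add/Remove Programs consult.
$patch = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
if ($null -eq $patch) {
    $findings += "Hotfix $HotfixId not found: run Windows Update before doing anything else."
}

# 2. Is a process named exactly "wmiprvs" running? Match the whole name:
#    wmiprvse.exe is a legitimate Windows component and must not be flagged.
$procs = Get-Process | Where-Object { $_.ProcessName -ieq $SuspectName }
foreach ($p in $procs) {
    $findings += ("Suspicious process {0} (PID {1}) path {2}" -f $p.ProcessName, $p.Id, $p.Path)
}

# 3. Are there files with that base name under the Windows directory?
#    (Recursing the whole directory is slow but avoids guessing a subfolder.)
$files = Get-ChildItem -Path $env:windir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -ieq $SuspectName }
foreach ($f in $files) {
    $findings += "Suspicious file $($f.FullName) (modified $($f.LastWriteTime))"
}

# 4. The worm disables antivirus, so confirm the AV service is still running.
#    Assumption: Symantec's service display name starts with "Symantec".
#    Definition currency cannot be read generically; LiveUpdate still applies.
$avRunning = Get-Service |
    Where-Object { $_.DisplayName -like 'Symantec*' -and $_.Status -eq 'Running' }
if (-not $avRunning) {
    $findings += "No running Symantec service found; verify antivirus and run LiveUpdate."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: patch present, no $SuspectName artifacts, antivirus service running."
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    Write-Output "Contact your local technical support or the CIT HelpDesk for cleanup."
}
```

Run it from an elevated prompt so that process paths and files under the Windows directory are readable; a non-elevated run will silently skip what it cannot open and may report a clean machine that is not.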
Symantec's description of the Sasser worm can be found at: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Note that variants of this worm are already appearing. For the most recent information about new threats, you can always check: http://securityresponse.symantec.com/
For updated information about viruses and other threats found on campus, please see:
http://www.cit.cornell.edu/helpdesk/virus/
http://www.cit.cornell.edu/computer/security/
More links for technical support providers
If you need help removing a virus, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
Last modified: June 04, 2007