Security Alert: Critical Windows Update MS05-039, New Worms on Campus
We are seeing a widespread appearance on campus of two new worms that impact computers running Microsoft Windows. These worms rely on a vulnerability for which Microsoft released an update, MS05-039, on August 9th, 2005.
** Please make sure your Windows software has been updated
Patches can be obtained through Windows Update at:
http://windowsupdate.microsoft.com/
We recommend configuring Windows to check for and automatically install critical updates on a daily basis. Under Windows XP, you can set this in Automatic Updates, available under Control Panel.
If you are on a departmental network, please check with your local technical support personnel for guidance on updating your system.
You can check whether the MS05-039 update has already been installed by going to Add or Remove Programs, under Control Panel. Scroll down to "Windows XP - Software Updates" and look for "Security Update for Windows XP (KB899588)," which should have been installed on or after 8/9/2005.
For more information about this vulnerability, see:
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
** Two new worms on campus
On Monday, August 15, 2005, W32.Esbot.A infected a very large number of campus systems. Computers running Windows 2000 are particularly susceptible to being attacked by this worm. And today, Tuesday the 16th, we are seeing indications that the Zotob worm has arrived here. Both of these threats take advantage of the vulnerability that is patched by the MS05-039 Windows update.
For Symantec's description of these worms, including instructions for removal, see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
The Symantec AntiVirus (SAV) definitions of 8/15/2005, rev. 41 can detect these threats. You can update your copy of SAV by running LiveUpdate or downloading the current definitions from:
http://www.cit.cornell.edu/software/downloads/antivirus/
If you had not previously installed the MS05-039 Windows update, you definitely should scan your hard disk with the current SAV definitions to determine whether or not you were infected by one of these worms.
Symantec AntiVirus software is available to all members of the Cornell community via Bear Access, or it can be directly downloaded from the link given above. For information about using Symantec AntiVirus, see:
http://www.cit.cornell.edu/services/nav/
If you are on a departmental network, you should contact your local technical support staff before attempting to remove or install any software.
Thank you for your attention to this message. We hope it has proven useful.
Cornell Information Technologies
IT Security Office
If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page.
Last modified: June 04, 2007