
Update on campus worm situation (April 30, 2004)

Although some areas are coming under control, we continue to see a high incidence of the worm activity that has been present around campus this week.

Windows patches: Along with other attack vectors, these Gaobot, Agobot, Polybot and Phatbot variants exploit the LSASS vulnerability that Microsoft documented earlier this month in security bulletin MS04-011. Windows systems that are not current on patches are highly vulnerable; apply the MS04-011 fix (and any other outstanding critical updates) before reconnecting a cleaned machine to the network.
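Because unpatched hosts are found fastest by the worm itself, one practical way to locate infected machines is to watch for hosts that sweep the local network on the port the LSASS vulnerability is reached over. The script below is an added example, not part of this page or any CIT tool. It assumes a simple connection-log line format (timestamp, source, destination:port, protocol) that is constructed here for illustration, that the exploit traffic arrives on TCP 445 (the SMB port; the worm's other vectors are not covered), and hypothetical thresholds of ten distinct targets within sixty seconds.

```python
"""
Flag hosts that fan out to many distinct destinations on TCP 445 within a
short window, the connection pattern of a host scanning for the LSASS flaw.

Added example with an assumed log format and assumed thresholds; adjust both
to the site's own logs. A host that talks to one file server many times is
not flagged, because the count is of distinct destinations, not connections.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format):
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
# 128.253.10.5  sweeps twelve neighbours on 445 in eleven seconds  -> scanner
# 128.253.10.7  hits one file server repeatedly on 445             -> benign
# 128.253.10.9  browses three web servers on port 80               -> ignored
# 128.253.10.11 touches three hosts on 445                         -> below threshold
SAMPLE_LOG = """\
2004-04-30T09:00:01 128.253.10.5 -> 128.253.11.1:445 tcp
2004-04-30T09:00:02 128.253.10.5 -> 128.253.11.2:445 tcp
2004-04-30T09:00:03 128.253.10.5 -> 128.253.11.3:445 tcp
2004-04-30T09:00:04 128.253.10.5 -> 128.253.11.4:445 tcp
2004-04-30T09:00:05 128.253.10.5 -> 128.253.11.5:445 tcp
2004-04-30T09:00:06 128.253.10.5 -> 128.253.11.6:445 tcp
2004-04-30T09:00:07 128.253.10.5 -> 128.253.11.7:445 tcp
2004-04-30T09:00:08 128.253.10.5 -> 128.253.11.8:445 tcp
2004-04-30T09:00:09 128.253.10.5 -> 128.253.11.9:445 tcp
2004-04-30T09:00:10 128.253.10.5 -> 128.253.11.10:445 tcp
2004-04-30T09:00:11 128.253.10.5 -> 128.253.11.11:445 tcp
2004-04-30T09:00:12 128.253.10.5 -> 128.253.11.12:445 tcp
2004-04-30T09:00:03 128.253.10.7 -> 128.253.20.2:445 tcp
2004-04-30T09:00:04 128.253.10.7 -> 128.253.20.2:445 tcp
2004-04-30T09:00:09 128.253.10.7 -> 128.253.20.2:445 tcp
2004-04-30T09:00:15 128.253.10.7 -> 128.253.20.2:445 tcp
2004-04-30T09:00:05 128.253.10.9 -> 128.253.30.1:80 tcp
2004-04-30T09:00:06 128.253.10.9 -> 128.253.30.2:80 tcp
2004-04-30T09:00:07 128.253.10.9 -> 128.253.30.3:80 tcp
2004-04-30T09:00:06 128.253.10.11 -> 128.253.12.1:445 tcp
2004-04-30T09:00:08 128.253.10.11 -> 128.253.12.2:445 tcp
2004-04-30T09:00:10 128.253.10.11 -> 128.253.12.3:445 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, proto)."""
    ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def find_scanners(log_text, port=445, window_seconds=60, min_targets=10):
    """Return {src: max_distinct_targets} for every source that reached at
    least `min_targets` distinct destinations on TCP `port` inside some
    sliding window of `window_seconds`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        lo, best = 0, 0
        for hi in range(len(hits)):
            # Advance the window start until it spans at most window_seconds.
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, len({dst for _, dst in hits[lo:hi + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{host}: {n} distinct hosts contacted on TCP 445 within 60s")
```

On the constructed log only 128.253.10.5 is reported. Tune the window and threshold against normal traffic on your subnet first; file-server clients and backup jobs talk to few distinct hosts on 445, which is what keeps them out of the result.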

Virus definitions: Since Wednesday, new Symantec AntiVirus definitions have detected W32.Gaobot.AFJ and other variants that exploit the LSASS vulnerability, but definitions alone cannot be relied on to catch everything being found on campus.

Removal steps: The CIT Contact Center (HelpDesk) has developed a removal routine that has proven successful, which can be found on their Virus Information page.

Passwords: In addition to following the steps recommended by the HelpDesk, it is imperative that every account password that was typed on, or stored on, a worm-infected system be changed as soon as the compromise is detected. Those passwords, whether they are valid on that system or on others, may already have been captured and sent off the machine. Change them again once you are as confident as possible that every system on which they were used has been secured. Simply cleaning and patching a system is not sufficient.

For more information, see: