Virus

Sobig Virus

What a morning... so far I've had 116 notifications that we've received the Sobig virus into our mail servers. These are running NAV, which deletes the attachment and was previously configured to send an email (to keep a historical record of the quantity of viruses) and a Windows Net Send message to my desktop to notify me of the problem. However, with the amount of notifications, and also notifications when the manual scan failed to open certain attachments in emails, I was unable to work as I had to keep clicking OK. Therefore I had to turn the notifications off – must remember to turn them back on again.
There would be major resistance in the company to blocking attachments at the mail server, so unfortunately that option is a no-go.
At the same time I've had to arrange scans on three remote PCs that managed to get the Blaster or Welchia worms on their machines, as they got infected between us updating at 4am with no patch updates and the 11.30 manual update we initiated!
One of the laptops (from a remote site) has no firewall and runs W2K with no service packs or fixes. I've spent the last couple of hours installing SP4, rebooting and installing all the various hotfixes, IE6 and the multiple reboots needed to do them all. WHAT A MORNING!

New virus – sobig

Thanks to SOBig was very fast spreading and by 12pm we had at least 8 copies in our mailboxes; our antivirus software was updated at 4am and nothing was found when the emails came through. Thankfully (as far as I am aware) the users didn't open the emails – I guess I'll find out when I am in the office tomorrow.

Symantec CE server password

I've also had Symantec's console have its password changed in the past, and Kevin details the changes. All you do is change HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ConsolePassword to 1084A085DC6BD2D755D4D6A7726 and then use the password symantec.
(I’ve repeated it here so I have a local archive in case Kev’s page ever disappears.)
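The flip side of the note above is that any console still carrying that published value is effectively protected by a password everyone can look up. The following is an added example (not Kevin's page, not Symantec tooling) that parses a regedit text export and reports whether the ConsolePassword value under that key is the published hash, a site-specific value, or absent. The key path and hash are the ones quoted in the post; the sample exports are constructed, and it is an assumption that the value exports as a quoted string.

```python
"""Audit a regedit text export for the published Symantec console password hash.
Added example: parser and sample exports are constructed for illustration."""
import re

# Key path as regedit writes it in an export (HKLM expanded). Hash value is the
# one quoted in the post above, i.e. the password "symantec".
CONSOLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion"
KNOWN_DEFAULT_HASH = "1084A085DC6BD2D755D4D6A7726"

# Constructed export of a console that has been reset to the published value.
SAMPLE_RESET = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion]
"ConsolePassword"="1084A085DC6BD2D755D4D6A7726"
"""

# Constructed export with a site-specific value (the hash below is made up).
SAMPLE_CUSTOM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion]
"ConsolePassword"="F00DBA5E0000000000000000000"
"""


def parse_reg(text):
    """Minimal parser for regedit's text export format.

    Returns {key_path_lowercased: {value_name_lowercased: string_value}} and
    only understands quoted string values, which is all this check needs.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            keys[current][value.group(1).lower()] = value.group(2)
    return keys


def console_password_status(reg_text):
    """Classify the stored console password hash.

    "known-default": the published hash (password "symantec") is in use.
    "custom":        some other value is stored.
    "missing":       the key or value is not present in the export.
    """
    values = parse_reg(reg_text).get(CONSOLE_KEY.lower(), {})
    stored = values.get("consolepassword")
    if stored is None:
        return "missing"
    if stored.upper() == KNOWN_DEFAULT_HASH:
        return "known-default"
    return "custom"


if __name__ == "__main__":
    for label, export in (("reset", SAMPLE_RESET), ("custom", SAMPLE_CUSTOM)):
        print(f"{label}: {console_password_status(export)}")
```

Run it against `regedit /e` output from each AV server; anything reporting "known-default" should get a fresh console password set through the console itself rather than being left on the value everybody can find in a web search.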

New Worm does the rounds.

From the email that I received from eEye:
A worm began spreading on the Internet early Monday morning that exploits a recent vulnerability in Microsoft Operating Systems. The worm, dubbed Blaster, takes advantage of a known vulnerability in Microsoft RPC DCOM that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003.
The worm begins by targeting Microsoft systems that have not been properly patched for the known RPC DCOM vulnerability. Once the worm detects an unpatched system, it will attempt to download and run a file called msblast.exe. If successful in infecting a system, the worm will propagate itself, modify Windows registry settings, and initiate a SYN flood denial-of-service attack on windowsupdate.com.
The worm payload does not contain any additional malicious content; however, because of the nature of the worm and the speed at which it attempts to impact systems, it can potentially create a denial-of-service attack against windowsupdate.com.
For further information and a technical description of the Blaster worm please visit:
eEye. They also have a free tool you can download (registration required) to see which machines are vulnerable... but then again you should have done that a long time ago, especially by running Windows Update! Their full suite of programs will also tell you if you are unlucky enough to have it running around your network.
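The eEye description above gives two network behaviours that stand out in firewall logs even before the AV vendors have signatures: an infected host sweeping its neighbours looking for unpatched RPC DCOM listeners (RPC DCOM listens on TCP 135, a well-known fact not stated in the email), and the same host throwing SYNs at windowsupdate.com. The following is an added example, not eEye's scanner and not part of the original post: it builds a constructed firewall log in a simple format I made up for the example, then flags sources that hit many distinct hosts on tcp/135 inside a sliding window, and sources sending a burst of SYNs to windowsupdate.com. Thresholds are assumptions to be tuned per site.

```python
"""Flag Blaster-like behaviour in a firewall log: port-135 sweeps and a SYN burst
at windowsupdate.com. Added example; log format and sample data are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _line(ts, src, dst, dport, flags="SYN"):
    # Constructed format: "<date> <time> <src> <dst> tcp/<dport> <flags>"
    return f"{ts:%Y-%m-%d %H:%M:%S} {src} {dst} tcp/{dport} {flags}"


def build_sample_log():
    """Constructed sample log (not a real capture)."""
    t0 = datetime(2003, 8, 11, 9, 0, 0)
    lines = []
    # 10.0.5.21 behaves like an infected host: sweeps 12 neighbours on tcp/135
    # within ten seconds, then sends 40 SYNs to windowsupdate.com in 40 seconds.
    for i in range(12):
        lines.append(_line(t0 + timedelta(seconds=i), "10.0.5.21", f"10.0.5.{100 + i}", 135))
    for i in range(40):
        lines.append(_line(t0 + timedelta(seconds=20 + i), "10.0.5.21", "windowsupdate.com", 80))
    # 10.0.5.30 makes two legitimate RPC connections minutes apart (not a sweep).
    lines.append(_line(t0 + timedelta(minutes=1), "10.0.5.30", "10.0.5.2", 135))
    lines.append(_line(t0 + timedelta(minutes=5), "10.0.5.30", "10.0.5.3", 135))
    # 10.0.5.33 does an ordinary Windows Update check: a single connection.
    lines.append(_line(t0 + timedelta(minutes=2), "10.0.5.33", "windowsupdate.com", 80))
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into dicts sorted by timestamp."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        date, clock, src, dst, proto_port, flags = raw.split()
        proto, port = proto_port.split("/")
        records.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "proto": proto, "dport": int(port), "flags": flags,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_scanners(records, port=135, distinct_hosts=10, window=timedelta(seconds=60)):
    """Sources that reach >= distinct_hosts different destinations on `port`
    within any sliding window of length `window`. Returns {src: peak_count}."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    peaks = {}
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != port or "SYN" not in r["flags"]:
            continue
        q = recent[r["src"]]
        q.append((r["ts"], r["dst"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= distinct_hosts:
            peaks[r["src"]] = max(distinct, peaks.get(r["src"], 0))
    return peaks


def find_syn_flood(records, target="windowsupdate.com", min_syns=20, window=timedelta(seconds=60)):
    """Sources sending >= min_syns SYNs to `target` inside one sliding window.
    Returns {src: peak_count}."""
    recent = defaultdict(deque)  # src -> deque of timestamps inside the window
    peaks = {}
    for r in records:
        if r["dst"] != target or "SYN" not in r["flags"]:
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_syns:
            peaks[r["src"]] = max(len(q), peaks.get(r["src"], 0))
    return peaks


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("port-135 sweepers:", find_scanners(recs))
    print("SYN burst sources:", find_syn_flood(recs))
```

Against the constructed log only 10.0.5.21 is reported by both checks; the two hosts doing ordinary RPC and Windows Update traffic stay below threshold. The sweep check is the more useful one in practice, since it catches the propagation phase on any host regardless of which payload the worm carries.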

Got my first spam from

Got my first spam from signing up on a guestbook – Hey Kelly – afraid yours is the guilty party 🙁 They were offering me the Klez removal tool – which was probably the virus itself! After all, if you have Klez on your computer then you don't have an AV tool, so how are you going to know that the unsolicited attachment is not Klez itself! On other anti-virus software news, I am going to remove McAfee from this computer as it really is pants. When this machine got infected (twice) with Magistr it was unable to repair the files and they had to be deleted – and they were a few Windows files! I updated the software by hand (as there is no automatic update facility) and it found yet another virus on the computer – downloader-aw trojan. However, when you look on their website to get more information on this virus – it is not listed! The nearest that I could find is that it was created using a virus toolkit. If that is the case, then how come the software didn't pick it up – the toolkit has probably been around for yonks! Norton's AV is going on real soon!
Update: Instructions on removing the downloader-w trojan are on McAfee's site (note the name difference!)