We've got WORMS!!!

[greenfreak]

Give me your worm stories... I'm still struggling with them. It's insane how these things propogate. I had two pc's on my bench that I had just finished installing 2000 on, nothing else, and they were both infected. Just because they had a network cable plugged in.

I spent last Thursday at one of our biggest branches, eradicating the worms and patching the pc's. We had four of us doing it and it took most of the day.

Now I have to hit the rest of our 40 sites, email them the info, get on their asses about doing this. Why can't people just do what you tell them, no questions asked?

On top of all this, I have pc's that were damaged from the power outage, stock from laid-off employees coming back, people requesting upgrades from that stock and all my support calls.

Work sucks lately. If I was salaried, I'd be right now.

 

[Neo]

i hear ya greenie about the salaried part. It sux.
we didnt get hit by the worm at our branch. Gotta love me for that. I am a stickler about the updates and fixes. Our main branch took a couple hits but nothing major.
now all the "friends" thats a different story, im still getting calls"how did i get this, and what do you need to do to fix my machine"
HEHE i love those. Its like its my fault it happened to their comp.

 

[Mirlyn]

Everywhere I've worked has had a firewall with default-deny rules. This helps keep outside worms from getting in. The problem we have is people bringing a laptop from home and plugging it in. On campus all but a handful are "locked," meaning anything you do to the computer (save/edit files, change the wallpaper, edit registry, format the drive) is reversed on reboot. If these machines get a virus, we just restart them. But if we haven't patched them, it makes them vulnerable again. We really don't have, and haven't had, a problem with viruses there *knock on wood.*

At BBY its another story though. When the worm came out we had ten on the bench and thirty in line. After several speading infections, we had to make sure everyone was leaving the computer off the network until it was clean and patched.

My cousin goes to UNI and she said they aren't letting people turn on their personal computers in the dorms until they personally come around to check, clean, and patch them.

I think its kinda funny how people were shunning the netadmins for not updating their servers and thus playing host to the Slammer attacks months ago. Now something like this hits the residential sector and you don't hear much grief about forgetting to update.

 

[PuterTutor]

I've been mostly unaffected by the worms. Nothing at work, but at home my router was getting hit about every two minutes the other night. I noticed that most were coming from the same IP Range, so I looked it up doing a whois and found out they were from my own ISP's range of addys. So, I copied the log, and sent a nice email to my ISP letting them know I was tiring of it. They were actually quite appreciative, said they had closed it out on their own firewall, but that they knew some computers had been affected, so they were using my logfile to track them down and let them know. I asked if I could get a free month or two of Internet for being so helpful and they just laughed. They know I'll pay it regardless.

 

[Spot]

no worm problems here....

 

[Noite Escura]

In one of the companies I work we were harmed by Fortnight. Other than that, no big stories. I installed Zone Alarm at home after the Blaster epidemy...

 

[Justintime]

One pc i finished was infected 3 mins later, was connected directly to my modem at the time though, and not through my server that runs FW services.

 

[Nixy]

I wasn't hit but a couple at work where. Also, a friend of mine got hit (I had to get him the exact addy for the patch and save it on adisk as his machine woudlnt' stay on long enough for him to search for it) and another friend had a panic attack and a half when I told her about the worm and what it does, I patched her machine before she got hit

 

[Professur]

I've a customer who's still down from that. The building sysop killed their switch port when they got infected. Refused to reopen it until they'd faxed him logs of the cleaning utilities. Well, when he went to reactivate the port, he killed the entire switch. They're still waiting on it, losing money hand over fist.

 

[Justintime]

Geez good going I've had a mate blow a port on a 'planet' switch by simply taking out one patch cord and plugging in a next, seems the brand is notorious for that..

 

[greenfreak]

This is why I say floppy drives will be necessary for years to come. I put the patch on one floppy and the Stinger removal tool on another and that's how I updated about 40 machines so far. I know I could have burned a CD but for less than 3 megs, it's not worth it and takes too much time.

We still have a bunch of sites that have yet to finish all their machines. Frame relays were goin down all over the place because of the traffic being generated by the worm. When your sent packets are 5,000 and your received are 5,000,000 I'd say there's increased network traffic.

 

[Professur]

USB keydrives take 128M of patches and are recognised by stock W2k and MacOS 9.0 and up.

 

[Mirlyn]

USB keydrives take 128M of patches and are recognised by stock W2k and MacOS 9.0 and up.

They're also not read-only. At least, not with the ones I've heard of. No big deal with the blaster worms and its variants, but with others its more of an issue. I've found many computers with more than just the blaster worm on them.

My laptop was online for less than 30 seconds after a full reinstall while I had just clicked on the link to download the file and the shutdown message came up. Luckily (and ironically) I had been working on a very similar program at work (remotely rebooting every machine) the week before the virus came out so I remembered shutdown -a.

 

[greenfreak]

I have tons of pc's out there still that don't have USB ports but they all have floppies. Can you access these USB keydrives from DOS? I honestly don't know a lot about them.

 

[Mirlyn]

I have tons of pc's out there still that don't have USB ports but they all have floppies. Can you access these USB keydrives from DOS? I honestly don't know a lot about them.

Actually, I stand corrected. Twas a really slow day at work today, so I store-use('d) two of the SanDisk 128mb pen drives. Pretty nice. They have a switch on the side that allows you to lock them (making them read-only) and do not require any kind of software installation. This means you can plug it into any ME/2000/XP machine (98SE requires updated usb drivers) and you don't need admin privledges to use/install them. They pop up as a "removeable drive," much like the card readers for digital cameras do. I'll have to buy one and check it out....never tried it in dos (ran batch files off of it today though, for what its worth). I'd imagine you couldn't use them outside a windows environment though (ie, booting off a dos disk).

These 128mb ones were $40 with a $10 MIR. A 1gb one would be nice, but they're pretty pricey (~$350). FYI to anyone looking...I've heard the PNY ones have a tendency to go bad.

 

[chcr]

A little late to the party, but I brought the WAN on line on a Wednesday (no internet access at the time) and Thursday seven of twelve pc's had it. I can only assume someone brought something from home. Luckily they were not connected to the LAN (although the LAN was protected).

 

[Mirlyn]

We're still getting traffic from it. Today there were two people returning after buying their PCs last night and getting infected. I have a feeling it may be another month before manufacturers start shipping pre-patched PCs.

 

[Nixy]

WHOA! People are STILL getting it? OH MY!

I must remember to reinstall the patch when (if) I reinstall this machine like I plan to...thanks!

 

[greenfreak]

I'm still battling them too. My culprits are the people with laptops who travel around from site to site. If they don't happen to be on the site the day they're doing the patches, they're forgotten about.

Nixy, there's a new patch that takes care of the old one and a new vulnerability:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

It's neverending!!

 

[Nixy]

Thanks gf!