
How many of you were affected by the worm?


Unclean


http://www.cnn.com/2005/TECH/internet/08/1...worm/index.html

 

I got a call at midnight to come in and fix PCs. Right now, we've been concentrating just on comps for production, order entry, and laboratory equipment. But it's essentially shut down the company I work for -- the cost is to the tune of billions. No joke. Time to get some sleep.

 

But for the rest of you -- anyone else have to deal with this issue? How's it been for you?


Exploit came out Friday the 12th. I patched 6 servers earlier that day. Patched 9 more servers the next day by noon. My co-worker patched another 10 or so on Monday (most were IPSec'd so not easily exploitable). Tuesday (was out sick Monday) I looked over the servers for the exploits...All clean.

 

Other departments here had their Domain Controllers compromised and have to reinstall both DCs.


I've heard about this thing but what does it actually do? I have had problems with my computers dropping IPs in my home network, and a little yellow triangle with a ! in the middle comes up on my little icon in the tray. Last night I just rebooted my router and comps and everything was fine until I went down and looked this morning. I was attributing it to the POS router I have needing to be replaced; could I be putting blame in the wrong place?


Guest zerodamage

Easily preventable with a firewall.

 

ensure these ports are closed down:

445

33333

1117

8888

6667


NOFX -- perhaps at a personal level.  But try telling that to our network group (comprised of about 400 employees, hundreds of routers, thousands of servers, etc).  :P

 

oh yes.. I completely understand when you have that type of complexity it will be just a taaaaaaad bit difficult. Just off the top of my head, I would assume some of the internal routers are wide open with the main security at the pipe going out. Someone brings their wireless laptop into the inside and BAM everyone and their grandmother has it :spin2:


Easily preventable with a firewall. 

 

ensure these ports are closed down:

445

33333

1117

8888

6667

 

Our forensics here show a few more ports as well. 3333 is used by zotob and the (?) signified that at the time (Tuesday), we were unsure which of the other 3-4 variants used the ports.

 

If you believe you might be infected, you can check some of the following areas:

 

Open a DOS box and type "netstat -an" and check for the following listening ports

Listening ports opened:

port 3333 TCP (zotob)

port 4470 TCP (?)

port 529 (?)

port 1321 (?)

port 6969 (?)

 

Go to your %SystemRoot% folder (usually C:\Windows) and look for any new .exe files. The names used differ so you should google for any you are unsure of.

 

Also, in the registry, check all the "Run" hives (Run, RunOnce, RunOnceEx) in HKLM\Software\Microsoft\Windows\CurrentVersion and HKCU\Software\Microsoft\Windows\CurrentVersion

 

Here's an early forensic report from one of my co-workers here at VT:

Braindump of the things we've seen so far as far as infected machines go:

 

The exploit appears to start by going and getting some malicious files via FTP (the config file for this is usually *.ocx).

 

It then takes these files (one probably named msa32winocx.dll) and starts its own FTP server (ServU).

 

It will then use a variety of tools (nc, winfw, sc) to do its dirty work, which includes at least:

 

Installing a service (name varies I think, seen "Win Log Service" for sure) that makes the Server and Workstation services depend on it; making it annoying to get stopped and allowing it to spawn numerous other malicious tools.

 

If using XP/2003 it looks like it will use winfw to poke holes in the firewall for you.

 

Installs Radmin

 

Creates a new Administrator called "upback" and starts the Telnet service on a probably random port.

 

Runs pwdump and stores a copy of the passwords in the hidden recycler folder (file name passd.txt)

 

There's probably much more it does but those are the high points I noticed. The last of which is probably the most important/scary.

 

If anyone notices this (particularly on a DC) I'd be interested to hear from you and we can work out a good resolution.

 

Hope this is useful ...
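As an added example (not code from the thread or from the VT report), here is a Python script that applies the checks in the post above to saved `netstat -an`, `reg query` and `sc qc` output. The port lists are the ones posted; the command output embedded in the block is constructed, and the Run value `sysupd`, the service name `winlogsvc` and the address 203.0.113.7 are made-up placeholders.

```python
"""Added example: apply the thread's triage checks to saved Windows command output.
The port lists come from the posts; the sample netstat/reg/sc text is constructed and
the names 'sysupd', 'winlogsvc' and the address 203.0.113.7 are made up."""
import re
from collections import namedtuple

# Listening ports the post reports on infected hosts ("?" = variant not identified at
# the time), and the ports zerodamage says to close at the firewall.
KNOWN_LISTENERS = {3333: "zotob", 4470: "?", 529: "?", 1321: "?", 6969: "?"}
FIREWALL_BLOCK_PORTS = {445, 33333, 1117, 8888, 6667}

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")


def parse_netstat(text):
    """Parse Windows `netstat -an` output; header lines and non-TCP/UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        raddr, rport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state column
        rows.append(Conn(parts[0], laddr, int(lport), raddr, rport, state))
    return rows


def triage_netstat(text):
    """Return (kind, port, detail) tuples for rows that match the post's indicators.

    listener : TCP socket LISTENING on a port the post attributes to the worm.
    outbound : ESTABLISHED connection to another host on a port from the firewall
               list (a box talking out on 6667, the IRC port, is the interesting case).
    445 LISTENING is deliberately not reported: every Windows host has it, and the
    thread's advice is to block it at the border, not to read it as a sign of infection.
    """
    findings = []
    for c in parse_netstat(text):
        if c.proto == "TCP" and c.state == "LISTENING" and c.lport in KNOWN_LISTENERS:
            findings.append(("listener", c.lport, KNOWN_LISTENERS[c.lport]))
        elif (c.state == "ESTABLISHED" and c.rport.isdigit()
              and int(c.rport) in FIREWALL_BLOCK_PORTS
              and c.raddr not in ("127.0.0.1", c.laddr)):
            findings.append(("outbound", int(c.rport), c.raddr))
    return findings


def parse_run_key(text):
    """Parse `reg query` output for a Run/RunOnce/RunOnceEx key into {value name: command}."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+)$", line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries


def parse_sc_dependencies(text):
    """Return the DEPENDENCIES list from `sc qc <service>` output. The post says the worm's
    service makes Server and Workstation depend on it, so compare this against the list
    from a known-clean host (that baseline is something you supply)."""
    deps, in_deps = [], False
    for line in text.splitlines():
        m = re.match(r"^\s*DEPENDENCIES\s*:\s*(\S*)", line)
        if m:
            in_deps = True
            if m.group(1):
                deps.append(m.group(1))
            continue
        if in_deps:
            cont = re.match(r"^\s*:\s*(\S+)", line)  # further dependencies continue as ': name'
            if cont:
                deps.append(cont.group(1))
            else:
                in_deps = False
    return deps


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3333           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.20:3333      ESTABLISHED
  TCP    192.168.1.20:1046      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    sysupd          REG_SZ  C:\WINDOWS\sysupd.exe
"""

SAMPLE_SC_QC = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Server
        DEPENDENCIES       : winlogsvc
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    print(triage_netstat(SAMPLE_NETSTAT))
    print(parse_run_key(SAMPLE_REG_QUERY))
    print(parse_sc_dependencies(SAMPLE_SC_QC))
```

Run the three commands on the suspect host, save their output and feed the text to the functions. Any Run value you cannot account for gets the "google it" treatment the post suggests, and a dependency on lanmanserver or lanmanworkstation that a clean host does not have is the service-hijack the report describes.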


I've heard about this thing but what does it actually do?

 

Our systems managed to play host to the worm, and it caused chaos. The computer would stay up for about 2-3 minutes, sometimes shorter or longer, then close out services.exe (if I remember correctly) so that windows forced restart. Only took the IT guys about 4.5 hours to get everything back up and running normally.

 

When I got home, I saw that the security bulletin on MS's TechNet had been posted Sunday. It really amazed me that so many places had not patched up Monday.


oh yes.. I completely understand when you have that type of complexity it will be just a taaaaaaad bit difficult.  Just off the top of my head, I would assume some of the internal routers are wide open with the main security at the pipe going out.  Someone brings their wireless laptop into the inside and BAM everyone and their grandmother has it :spin2:

 

I'd love to strangle some of the people that bring in wireless devices from home and hook them up to the network. It's the security equivalent of a teller at a bank leaving the till drawer open all the time (even though the bank installed locks on the drawer). It completely defeats the purpose of having security...


Unclean has a point. When I did on-call tech support for a banking system here in SD, my liaison to the company was a secretary that had no background in computers other than basic Windows business software. Whenever I got a call for a virus or bug or malicious spyware, I was always hard-pressed to explain to them the value of good antivirus and hardware/software firewalls. They were, after all, bankers.


I watched as our IT guy did clean up today of the aftermath. He had a program called Stinger, which I assumed was just a removal tool. Took a few minutes to search out all the files added and changed. Once it was done, it had removed 143 items. Makes you wonder how many remain on the system, even after that.


The thing with a worm like this is, that it infects and reports home to the hacker. You might be able to clean off all the worm, but you have no idea what else the hacker might have installed (rootkit, remote access, etc).


Guest zerodamage

I am surprised Stinger actually got updated. Been several months since the last one.


Guest tackleberry

Can't say that I was a victim. Windows 2k... SP5? 6? That's classic status to me... I imagine though a lot of businesses still use it.

 

Just curious... What does the worm actually do? Just reboot servers repeatedly? Also it seems as though a lot of IT people... wondering if I could ask for help on this... I'm relatively new to Linux and don't really know a thing about security... I use my computer primarily for biology stuff and related programming... CS too of course

 

but the work on the reiserfs partitions is indeed in need of preservation... what type of precautions, antivirus, network configuration should I take?

 

I've got my computer routered to the cable modem... running Xorg and CUPS... any suggestions?

mooch appreciation....


Guest tackleberry

oh and one more thing... I forgot... but does anybody know why my system time INSISTS on displaying in GREENWICH Mean Time?

 

The great thing about nix is that there are those problems that have been a thorn in your side for the longest but in actuality could be fixed within the confines of a single sentence when presented to the right person. So I'm shooting...

 

I've ln -sf /etc/localtime to the proper zone... date returns time in Greenwich but labeled in my proper zone PDT... I reset date to actual local time but every time it goes back to that 5 hr difference on reboot... whyness?

 

 

thanks in advance.


Whenever I got a call for a virus or bug or malicious spyware, I was always hard-pressed to explain to them the value of good antivirus and hardware/software firewalls. They were, after all, bankers.

Analogies work wonders. For antivirus software, I'd always explain it this way:

 

New viruses come out all the time. If you don't update your software, it's only good for a little while. If you don't update your software, it's kinda like buying a car but never filling it up with gas. Sure, it'll get you somewhere, just not very far. ;)
