Background
There are currently two types of computer viruses causing concern in local schools: those spreading via e-mail attachments, and worms that spread by themselves across the network by attacking unpatched Windows services. (The second kind is often noticed as a flood of ICMP "ping" traffic, but the pinging is how Welchia looks for targets; the actual infection goes through a security hole in Windows.)
The MyDoom virus, for example, spreads as an e-mail attachment; your computer is only infected if you open the attachment. DON'T open any attachments from anyone - even people you know - if the attachment has one of the extensions .bat, .com, .cmd, .exe, .pif, .scr or .zip.
Other viruses, such as Blaster, Welchia and Sasser, are known as worms, and have been designed to exploit "security holes" in Windows NT, Windows 2000 and Windows XP software: Blaster and Welchia attack the DCOM RPC service (TCP port 135, the KB824146 patch below), Welchia also attacks the WebDAV component of IIS 5.0 (the Q815021 patch below), and Sasser attacks the LSASS service (TCP port 445, the KB835732 patch below). These worms spread by scanning computer networks to discover other computers, then enter the computers they discover without the need for any user assistance. Once arrived at a new host the worm begins scanning the network again, looking for more computers. In the case of the Welchia worm the scanning is done with ICMP echo requests ("pinging"), and this incessant pinging clogs the network, resulting in very slow network access, to the point where the network ceases to be usable.
The notes below explain the process for the removal of these
worms, and the patching of computers to prevent further infections.
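The scanning behaviour described above is also what makes these worms visible on the wire before the cleaners are run. The following Python script is an added example written for this page (it is not a DET tool, nor anything from Symantec or the other sites linked below) showing how that behaviour can be picked out of a traffic log. It assumes a made-up firewall log format of the form `date time PROTO src -> dst[:port] extra`; the sample lines are constructed inside the script. The design point is to count distinct targets per source per minute rather than raw packets, so a workstation that opens its file server twenty-five times is not mistaken for a Sasser sweep, while a host that sends echo requests to forty different addresses in ten seconds is caught.

```python
import re
from collections import defaultdict

# Log format assumed for this example (constructed, not a real product's format):
#   "<YYYY-MM-DD> <HH:MM:SS> <ICMP|TCP|UDP> <src> -> <dst>[:<port>] [<extra>]"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<minute>\d\d:\d\d):\d\d "
    r"(?P<proto>ICMP|TCP|UDP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?::(?P<port>\d+))?(?: (?P<extra>.*))?$"
)

# Ports the network worms attack: Blaster/Welchia go for DCOM RPC, Sasser for LSASS.
WORM_PORTS = {135: "Blaster/Welchia-style TCP/135 sweep", 445: "Sasser-style TCP/445 sweep"}
ICMP_SWEEP = "Welchia-style ICMP echo sweep"
THRESHOLD = 20  # distinct targets from one source within one minute


def parse(line):
    """Return the fields of one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"]) if rec["port"] else None
    rec["extra"] = rec["extra"] or ""
    return rec


def find_sweeps(lines, threshold=THRESHOLD):
    """Flag (source, minute) pairs that touched >= threshold distinct targets
    with ICMP echo requests (type 8) or TCP SYNs to the attacked ports."""
    targets = defaultdict(set)  # (src, minute, kind) -> distinct destinations
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        minute = f"{rec['date']} {rec['minute']}"
        if rec["proto"] == "ICMP" and "type=8" in rec["extra"]:
            targets[(rec["src"], minute, ICMP_SWEEP)].add(rec["dst"])
        elif rec["proto"] == "TCP" and rec["port"] in WORM_PORTS and "SYN" in rec["extra"]:
            targets[(rec["src"], minute, WORM_PORTS[rec["port"]])].add(rec["dst"])
    return [
        {"src": src, "minute": minute, "kind": kind, "targets": len(dsts)}
        for (src, minute, kind), dsts in sorted(targets.items())
        if len(dsts) >= threshold
    ]


def sample_log():
    """Constructed sample traffic: one normal host, one Welchia-like host,
    one Sasser-like host, and one chatty but harmless SMB client."""
    lines = []
    for i, dst in enumerate(["10.1.0.1", "10.1.0.2", "10.1.0.3"]):
        lines.append(f"2004-05-04 09:00:0{i} ICMP 10.1.4.20 -> {dst} type=8")
    for i in range(40):  # 40 echo requests to 40 different addresses in 10 s
        lines.append(f"2004-05-04 09:01:{i % 10:02d} ICMP 10.1.4.77 -> 10.1.5.{i + 1} type=8")
    for i in range(30):  # TCP/445 SYNs to 30 different addresses
        lines.append(f"2004-05-04 09:02:{i:02d} TCP 10.1.4.88 -> 10.1.6.{i + 1}:445 SYN")
    for i in range(25):  # 25 SYNs, but all to the same file server: not a sweep
        lines.append(f"2004-05-04 09:03:{i:02d} TCP 10.1.4.30 -> 10.1.0.10:445 SYN")
    return lines


if __name__ == "__main__":
    for hit in find_sweeps(sample_log()):
        print(f"{hit['src']} at {hit['minute']}: {hit['kind']} ({hit['targets']} targets)")
```

The one-minute buckets are fixed, so a sweep that straddles a minute boundary is split across two buckets and may dip under the threshold; a sliding window over the timestamps avoids that at the cost of a little more code. Lower the threshold on a quiet school LAN, where even ten distinct pinged addresses from one workstation is unusual.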
Procedures - What to do!
Worms enter your computer through network services that Windows leaves listening on certain "ports" (Blaster and Welchia use the DCOM RPC service on TCP port 135, Sasser the LSASS service on TCP port 445). When a security hole in one of these services is discovered and exploited, Microsoft releases a software update which "patches" the faulty service so that the hole can no longer be used. Note that a patch fixes the service; it does not close the port, and a patched computer still answers on it. Blocking the port is a firewall's job, and a firewall is a useful extra layer but not a substitute for the patch.
To deal effectively with the Blaster, Welchia and Sasser worms, you will need to disconnect your computers from the network, patch the software on your computers to prevent further infections, then remove any worms which have infected your computers, as described in the following steps:
- Identify computers which may be infected, or vulnerable to infection, ie all Win NT, 2000 or XP computers, both desktops and servers. These particular worms do not affect Win 95/98/Me or Macintosh computers.
- Disconnect any vulnerable computers from the network, and keep them disconnected until they are patched: an unpatched computer on an infected network can be reinfected within minutes of reconnection.
- Obtain a copy of both the software "patch" and the virus removal software ("fix") for your particular operating system. You will need to obtain this software on CD from the DET or the Area Office, or by downloading from the links below using a Windows 98 or Macintosh computer (which these worms cannot infect), then copying the software to removable media, such as a floppy disk, CD or USB pen drive, for distribution to infected and vulnerable Win 2000/XP computers. You should also obtain the latest copy of Symantec AntiVirus (SAV) software.
- In the case of Blaster and Sasser, you will need to stop the process which keeps shutting down the computer! Press Ctrl-Alt-Delete, choose Task Manager or Task List and click on the Processes tab. For Sasser, look for avserve.exe, avserve2.exe or skynetave.exe. For Blaster, look for msblast.exe. Highlight it, click End Task and click Yes to terminate the process. The shutdown is triggered by the worm crashing a Windows service, so on Windows XP you can also cancel the 60-second countdown by choosing Start > Run and typing shutdown -a; that buys the time needed to end the worm process.
- Install the software "patch". This will prevent further infections.
- Run the virus cleaner, sometimes referred to as the "fix" software.
- Reconnect the computer to the network.
- Install Symantec AntiVirus software, and run LiveUpdate for the latest virus definitions.
- The "patch" software referred to above is generally an update of the MS Windows operating system. You should also consider installing, or connecting to, a Software Update Services (SUS) server so that these patches are applied automatically.
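Step 1 above (identify infected or vulnerable machines) and the Retina DCOM Scanner link further down both come down to finding out, from a safe machine, which hosts on the LAN have the attacked services reachable and which are already running a worm. The following Python script is an added example, written for this page and not a DET tool or the Retina scanner, of the simplest form of that check: a TCP connect probe of each address in a range. The port numbers for the worms' own listeners (Blaster TCP 4444, Welchia TCP 707, Sasser TCP 5554 and 9996) are taken from the public worm write-ups and are an assumption here; check them against the current Symantec description before relying on them. Two caveats the script states in its verdicts: a host answering on 135 or 445 is exposed, not proven unpatched, because a fully patched XP machine still listens on 135 (the Retina tool checks the actual vulnerability, which this does not); and a host answering on one of the backdoor ports is very likely infected, but confirm by looking for the worm process before acting. Run it from a Windows 98 or Macintosh machine, or any other host the worms cannot infect, and only against ranges you administer.

```python
import ipaddress
import socket

# Services the worms attack. "Reachable" means the host needs the patch if it
# is NT/2000/XP, not that it is unpatched: a patched machine still listens here.
SERVICE_PORTS = {
    135: "DCOM RPC reachable (Blaster/Welchia target, KB824146 patch)",
    445: "LSASS/SMB reachable (Sasser target, KB835732 patch)",
}
# Listeners the worms themselves open after infecting a host. Port numbers as
# given in the public worm write-ups; treated here as an assumption to verify.
BACKDOOR_PORTS = {
    4444: "Blaster command shell",
    707: "Welchia command shell",
    5554: "Sasser FTP server",
    9996: "Sasser command shell",
}


def open_ports(host, ports, timeout=0.5):
    """TCP connect probe: return the subset of ports that accept a connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def classify(ports):
    """Map a list of open ports onto the triage actions in the procedure above."""
    backdoors = [BACKDOOR_PORTS[p] for p in ports if p in BACKDOOR_PORTS]
    exposed = [SERVICE_PORTS[p] for p in ports if p in SERVICE_PORTS]
    if backdoors:
        return "INFECTED - disconnect, end the worm process, patch, run the fix: " + "; ".join(backdoors)
    if exposed:
        return "EXPOSED - patch (or confirm patched) before reconnecting: " + "; ".join(exposed)
    return "CLEAR - no worm-related ports reachable"


def scan_network(cidr, timeout=0.5):
    """Probe every host address in a range; returns {ip: (open_ports, verdict)}."""
    probe = list(SERVICE_PORTS) + list(BACKDOOR_PORTS)
    results = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        ports = open_ports(str(ip), probe, timeout)
        results[str(ip)] = (ports, classify(ports))
    return results


def demo_localhost():
    """Offline self-check (constructed): a throwaway listener on 127.0.0.1 stands
    in for a worm backdoor, and a port we bound and then released stands in for
    a closed one. Returns True when open_ports reports exactly the listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return open_ports("127.0.0.1", [open_port, closed_port]) == [open_port]
    finally:
        listener.close()


if __name__ == "__main__":
    print("self-check:", demo_localhost())
    # Real use, from a machine the worms cannot infect (hypothetical range):
    # for ip, (ports, verdict) in scan_network("10.1.4.0/24").items():
    #     print(ip, ports, verdict)
```

A full /24 at half a second per closed port takes a few minutes per subnet; that is acceptable for a one-off sweep of a school LAN but a real scanner would probe addresses in parallel. Keep the output as a checklist: every EXPOSED host goes through steps 2, 3 and 5 before it is reconnected, and every INFECTED host through all of them.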
Downloads and Links

Latest AntiVirus Info:
- Symantec Anti-Virus site
- DET AntiVirus site

Patches and Cleaners
- Sasser - Read Stu's Sasser Info: Stu Hasic sums up the issues and procedures very neatly at the St George site.
- Sasser Patch (May 2004): Disconnect your computers from the network, then run the appropriate patch below. Download: KB835732 patch for Win XP (2.5Mb - exe); KB835732 patch for W2K (6.8Mb - exe).
- Sasser Fix (May 2004): Run the Sasser patch, then run this "fix". Download: Fix for Win XP and W2K (152k - exe).
- Welchia Fix (February 2004): Run the Welchia B and C patches, then run this "fix". Download: Fix for Win XP and W2K (360k - exe).
- Welchia C Security Patch (February 2004): Disconnect your computers from the network, then run the appropriate patch below. Download: KB828035 patch for Win XP (360k - exe); KB828035 patch for W2K (332k - exe).
- Welchia B Security Patch (Wednesday 18th February 2004): Disconnect your computers from the network, then run the appropriate patch below. Download: Q815021 patch for Win XP (530k - exe); Q815021 patch for W2K (410k - exe).
- KB 824146 Security Patch (Thursday 11th September 2003): While no worms or other viruses have yet taken advantage of this new security hole, it is essential to apply this patch to all Windows NT/2000/XP workstations and servers to prevent infection in the future. Download: KB824146 patch for Win XP (690k - exe); KB 824146 patch for W2K (1.4Mb - exe).
- Welchia A Worm (Monday 25th August 2003): It is not necessarily apparent if you have this worm on your computer; you will need to run the cleaner to identify whether the computer is infected. Follow the steps above to eradicate it. Download: Welchia patch for Win XP (176k - exe); Welchia fix for Win XP (530k - exe); Welchia patch for W2K (176k - exe); Welchia fix for W2K (410k - exe).
- Blaster Worm (Tuesday 12th August 2003): You'll know if you have this worm because your computer will keep on shutting down! You will need to de-activate Blaster before you can patch the computers; Stu Hasic's info explains how to do this. Read Stu's Blaster Info. Download: Blaster Patch for XP (168k - exe); Blaster Fix for XP (1.2Mb - exe); Blaster Patch for W2K (168k - exe); Blaster Fix for W2K (900k - exe).
- Blaster & Welchia A Packages: Download the Blaster and Welchia worm patches and removal tools, and the 824146 patch, in one zip file: XP - Blaster/Welchia/824146 (3.4Mb - zip); W2K - Blaster/Welchia/824146 (2.2Mb - zip).
Useful Links & Tools

- Stu's Virus Info - Stuart Hasic keeps up-to-date Windows virus info at the St George SEA site.
- GPTech Update info - Discusses the procedures for removing viruses, setting up SUS, etc.
- DET Antivirus Site - Download the latest Symantec Antivirus software and MS patches.
- McAfee Stinger - A utility which will detect and remove a wide range of viruses and worms.
- Retina Scan - Find Unpatched Computers - Prevent further Welchia and Blaster worm infections on your Windows NT/2000/XP computers: use the Retina DCOM Scanner to identify computers on your school's LAN which remain "unpatched".
- DCOMbobulator - The recent spate of worms exploited the Windows DCOM facility. This small (28k) utility checks whether or not the DCOM worm patches you applied were successful, and provides the option to disable DCOM altogether. Some interesting background reading too!
- Microsoft Support - Latest tech info relating to patches, etc.
- Symantec AV Centre - Latest removal tools and international virus alerts.
- Sasser Guy Arrested! - German police have arrested a teenage suspect in relation to the w32.Sasser worm.
- Blaster Guy Arrested! - Police have arrested a teenage suspect in relation to the w32.Blaster worm.
- Jeff's Auto-install Info (Word doc) - Jeff Stubbs explains how to set up an auto install for virus patches and removal tools, from a Win 2000 server.