Work just phoned me up (I'm on holiday) to ask me what version of Windows they're fucking using, so they could follow the right set of instructions (as opposed to XP). Like you wouldn't notice the massive
The situation was not helped, in fact turned into a shit storm, by the fact that Sophos (thanks Oxford Uni for choosing the worst virus package I have ever used) quietly stopped updating the virus definitions on our server some time ago, leaving all the staff and college-owned machines totally unprotected.
This virus is a fucking bastard and if they ever find the cunt who wrote it I'm voting for castrating by spoon followed by him being slowly devoured by hungry rats.
Oh, just in case you hadn't guessed, I work in a large multinational's IT department who is getting hammered by this thing.
"Who are you going to believe - me, or your own two eyes?" - Groucho Marx
The Welchi or Nachi worm is using the same trick as last week's disruptive MSBlast virus to travel around the net but tries to fix vulnerable machines rather than exploit them.
The Nachi worm tries to automatically apply the software patch issued by Microsoft to secure machines against the attentions of MSBlast.
If the Nachi virus finds the MSBlast worm on a PC it removes the malicious program.
This thing is still causing chaos, people. Several new variants have been released including one that may spread via port 80 rather than 135 and 4444. The fact that Microsoft are withdrawing MSN Messenger apart from the latest version and being rather cagey about it suggests that it spreads that way too.
I'm also finding that somehow the bastard thing can uninstall windows updates and certain antivirus even after a machine appears to be clean.
The one that attempts to fix MSBlaster, yeah nice idea, problem is it floods networks with ICMP packets (PINGs essentially) and kicks the hell out of firewalls!
Oh, I'm sooo enjoying work at the moment,
the joy of patching servers.
Building a firewall was one of those things we've been meaning to do for ages. Ended up doing it in an afternoon last Friday. Discovered over the weekend that the services didn't like being restarted remotely and promptly killed the network for a while. Bah, DHCP leases are overrated anyway.
Sophos has received reports of thousands of instances of the Sobig-F worm (W32/Sobig-F) which can spread via email or network shares. For the worm to spread this fast, Sophos believes that the virus writer may have launched it using spamming technology. When arriving via email the worm can pose as an attached PIF or SCR file. Launching the attached file infects the computer.
"We have seen such a large influx of reports so quickly, it seems likely that the virus author gave his creation a kickstart using techniques usually employed by spammers. The result is that hundreds of thousands of copies of the Sobig-F worm are shunting around the internet, and some companies are finding their email systems are grinding to a halt," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "Many users know to be cautious about running unsolicited EXE files, but they should be equally wary about running PIF files or screensavers. All computer users should exercise caution when deciding what is safe to run on their computers."
Subject lines used are taken from a list, including "Re: That movie", "Re: Wicked screensaver", "Re: Approved" and "Your details". Like other variants of Sobig, the worm is programmed to stop working on a particular date; in this case, 10 September, 2003.
"Putting a 'dead-date' on his viruses suggests that the Sobig author is effectively test-driving his creations to see which tricks work best from the technical and psychological point of view," continued Cluley. "Releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, suggests that the worm's author may be trying to find the 'perfect' conditions under which his viruses can spread most quickly."
It's the fact that the variant spoofs e-mail addresses that's getting to us; only a few machines are infected over the network, but almost everyone's receiving mails back from mailer daemons saying they've passed on a virus, even though they never received it originally. Which is nice for support staff.
On Friday Microsoft changed its DNS so that requests for www.microsoft.com no longer resolve to machines on Microsoft’s own network, but instead are handled by the Akamai caching system, which runs Linux.
Hehe. It's all got to be worth it just for that.
The side effect is that some Passport-related URLs now pop up a Security Alert saying "The name on the security certificate is invalid or does not match the name of the site".
According to managed services firm MessageLabs, the ratio of viruses to email has reached one in 28 - the same level reached at the height of the Love Bug epidemic.
MessageLabs technicians report that it has blocked over one million contaminated emails since the start of the Sobig-F epidemic. If anything the worm is growing in prevalence as time goes on, they report.