Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Advisory
Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.
-
Hmmm....For some reason the poster left out the following, critical, piece of information (oh.. and for those that don't RTFA). This virus uses the exact same flaw as the Sasser virus -- LSASS Buffer Overrun Vulnerability. What's weird is that the infections are still climbing meaning that after almost 2 months (patch released on April 13) and a HUGE rash of infections from Sasser, there are some folks that have still refused to apply the Microsoft patch. As much as I hate to say it, IMHO, they almost deserve it...
For those that have just come out from their rock, here is a removal tool for this latest worm
And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out-of-the-box?
-
Norton Ghost
If it's a Windows PC, I suggest using Symantec Norton Ghost. They can do whatever they like to the computer, but when it reboots, it goes back to its original condition. It's perfect for applications like these.
-
Reminds me of issues we had from Welchia
If I recall correctly, Welchia (the worm) looked for target hosts by ICMP scanning. On several of our Cisco routers, the increased traffic resulted in them running out of memory, to such a point where you could not log into them.
Apparently a new feature (mentioned by a network engineer workmate), is to have the IOS reserve a portion of memory for administrative tasks (like supporting the login process and configuration shell).
A feature like this, that "reserves" a portion of RAM so that if something really fubars your system, you can still login to fix it - would be great for Linux/BSD.
-
Capital punishment and spammers
So many people want capital punishment for murderers, yet the real serious crimes are committed by corporations. You'll never see people demand that a CEO of a major corporation be executed for knowingly distributing unsafe products that resulted in the death or serious injury of many people. Now playing devil's advocate one could argue that spammers and virus writers provide jobs for many people
-
Oh, you mean THAT beagle 2.
You know when you've been sysadminning too long when...
For a moment there I thought you were referring to W32.Beagle.B@mm. -
iPod, iStereo, OGG, and my $.02
OGG: Reading through the comments I see some mention of OGG format for iTunes and iPod. My take on this is that while OGG is a fine format to use, the large majority of consumers just don't, so it would not be something that, considering development costs, would be financially responsible for Apple to implement at this time. Just as it would be simple enough for many video game makers to release Mac versions of their software, the development costs to write and then market to a market segment that is basically very small is not financially responsible, even though those that use the Mac platform would like to play the same games as their Windows-using friends.
iPod, iStereo and other stuff: I don't know, nor do I particularly care why Apple has made an iPod division
:), however I liked the idea presented for an in-dash iDevice that an iPod could just plug into. I think it would behoove Apple to partner with/make deals with some of the larger and popular car stereo mfr's to make this a reality. I would love to see a deck for my car that I could slide an iPod into, as long as I could also use regular CDs, seeing as how I don't presently have an iPod, but that would in some twisted way justify my purchasing one :)..or alternately, I could buy an iPod and if the car deck existed, I could then make a justification to purchase that...heh heh heh
Other crap you may or may not be interested in: One of the things that I am extremely sick of reading here on Slashdot is the constant Mac and Windows bashing comments. Sometimes they are humorous, but more often than not they are just annoying.
Presently my work consists of repairing customers' Windows machines on a daily basis (hardware and software), repairing customers' Macs occasionally, assisting our System Administrator in the administration of our Linux (RH and Slackware), NetBSD, and FreeBSD servers, and a myriad of any other things that may present themselves as needing to be done at my job. I am seriously an I.T. Jack of all trades there...and the pay is, in my area, pretty good, but abysmal compared to my last job..*sigh*
With that said, I can say that there are a lot of things that I despise about Windows machines, the consistent need to run spyware removal tools (Spybot S&D, Spysweeper, Ad-Aware, etc.), manually editing registry entries, and all the typical Windows things that have to be dealt with. At the same time however, my Windows box at work is fine for what I mostly use it for, email and word processing. It is acceptable (at best) for Photoshop.
My Mac on the other hand, is great for programming, testing perl, c and other things that I may be putting onto our webservers right out of the box with OS X (Panther) installed. It is outstanding for Photoshop, editing video, audio and other tasks that the Mac has traditionally been good at. I would never dream of playing games on it though, because that would require me to use VPC for the games I want to play and that would be too slow
:) Our un*x boxen are just that. Our production servers. They work, and until we replace them with the Xserves we are hoping to get, I have no complaints about them. They just do their job, but I wouldn't want them as desktops to do my normal work on either.
Every machine I use has its purpose, and I acquired each one for the purpose I felt it was best suited to. In my personal collection of machines, the majority of them are Macs. I use them simply because they work; I don't come home and worry about things like the Sasser worm and its variants and all the associated spyware that I would likely encounter were I running Windows at home.
It is a personal choice, based on my needs. I know that I could run some
-
Semantic web?
Or should we just play it safe due to the likelihood of potential legal wranglings with large commercial interests and start calling it The Symantec Web before the boys in charge decide to open up a keg on your hippy ass!!! I'm sure El Capitan would be none too pleased, but hey! You certainly can't please everybody! These are the times we're living in!
Amazing how easy it is to feel like a gray-haired grumpy old man at 35 when it comes to the web! eeehhh...when I was a kid, we had 4 KAAAAY of CORE MEMORY...1 MHz and NO SHOES! and we LIKED IT!!! -
Custom CD: "Sysprep", Slipstreamed service packs
I skimmed through the article, which didn't have many technical details. Here's what we do at work:
You can integrate the service pack into the setup (which will be especially useful when SP2 arrives) so that it's installed at the same time. This works with Windows 2000 and up.
You can then use Sysprep (brief introduction) to automatically deploy the latest patches the first time the machine boots.
Here's a nice article on how to burn the result to a bootable CD.
It's a bit of work, and requires constant maintenance but it saves a lot of headaches in the long run.
An easier method, if you have a lot of machines with identical specs. Build a template machine with the OS installed, adding all the service packs, patches, etc. Use software like Ghost to make an image for deploying to multiple machines.
Who says the stuff you learn on an MCSE isn't useful? :-) -
Re:...obligatory Irish joke...
I personally think she discovered it while her computer was infected with the Irish Virus
-
Re:Sasser exploit
It's a shame that it's come to the point where a worm will exploit another worm to screw stuff up. I am so glad I moved to Linux.
What about OS X?
You've got yours too.
Ok, it's a trojan, not a worm, but no system is 100% secure.
-
bad malware
Clicking the above link installs this worm - here are removal instructions.
W32.Wallon.A@mm is a mass-mailing worm that sends email messages containing a hyperlink to download the worm body from certain URLs. It also harvests the email addresses on the infected machine.
The worm exploits the following vulnerability: Microsoft Security Bulletin MS04-004
http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx
Related Web Sites for removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125096 -
Germany is Busy!
-
Re:Odd... money to be made isnt being made?
I may be wrong, there may be an AntiVirus product out there that deals with SpyWare. If there is, please let me know!
Norton AV 2004 has integrated spyware detection. Works pretty well, it detects spyware inside archives which Spybot S&D doesn't. It is bloatware though, and of course you have to pay for a license and the subscription for updated definitions.
-
Re:Not an issue for OS X users
Macs don't get virii for the same reason Linux doesn't. It's not really common enough as a desktop OS to be worth it. But if Macs ever become more popular than Windows, we'll have the same thing over again.
Linux doesn't get virii? What about this one, or this one, this, this, this...
and that is just the first page of Norton Virus Query.
Mac's first page summary is 1 hoax, 1 proof-of-concept, 1 AppleScript to Microsoft virus and an old school Classic virus. Ironic that the only virus on that first page relates to Microsoft technology? -
But there have been Linux worms
And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen?
And of course there's the Lion worm, etc..
It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.
Rule for ANY operating system: when the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was, in my observations, default RedHat installs that had tonnes of services on by default. -
Re:Safety Critical Systems
I'm not sure how that's relevant. Sasser does not look like it generates all that much network traffic, and its impact is greater in terms of what it does to the host PC: consume all resources to make it hard to do anything but run the worm itself.
It also searches for interfaces which are not reserved addresses before it begins communicating, so if these are all firewalled desktop systems, why the hell do they need routable IPs anyway? Still, that's a matter of preference and owning enough address space - the point is, it really doesn't matter how the infection occurred, the fact is that it did occur, and if such a thing can happen then it can be done intentionally - infect someone's machine when you know they're going to work, which is a lot easier than directly infecting systems inside the organization.
The fact that it happened when someone brought in an infected laptop arguably makes the whole system less secure, not more.
-
Think Prevention
-
Problems are with Windows, not IE
A few things:
- It's a worm, not a virus
- It attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
- For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
- For the admin, the main damage is the flood of traffic sent out by the worm in search of new hosts
- The worm can use Win98/WinME boxes to propagate but cannot infect those same computers
Google cache of McAfee's page on the worm
One of symantec's pages -
Bad Link...Here's the Correct One
This link should work for the symantec description of Sasser. Sangloth I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.
-
Microsoft made me do it...thank goodness.
This is pretty simple to sum up in my mind. Although my desktop is still running windows at work, at home I rarely see it.
But when asked the question why I have moved to Open Office from Microsoft Office, and why I have moved to Linux from Windows, what is the answer?
It's mostly about rights and freedom. I'm not yet willing to admit that I am a full-out FSF supporter, though I have been a supporter of the Open Source movement. Microsoft's licensing tactics (and not just theirs but the general tactics of many other folks) have led me as far away from proprietary "treat-the-customer-as-a-thief" software as I can possibly get.
Linux is great, and it has been an incredible learning experience (I've honestly never felt so dumb sitting in front of a command prompt as I did during my first Gentoo installation).
I was never a *NIX user. I never had any desire to run anything other than Windows because I was happy with the product.
But they forced me to look elsewhere, and when I did I learned what I was missing.
So IMO, what lies ahead for linux is more users...and I don't believe that is limited to the server. From the desktop side, the strides that have been made in KDE and GNOME in the last couple of revisions have made them dramatically nicer to work with. From the server side...not having to have a GUI running on a server is quite a bit more efficient.
Back in the day I remember Microsoft recommending you change the screen saver to the black screen instead of one of those OpenGL screen savers on your Windows NT SQL server because the screen saver would bury your processor. I couldn't help but think: why do I have this huge GUI running on what is supposed to resemble a somewhat powerful database server?!! -
My First Ten Programs
Here is what gets installed after Windows XP Home SP1a and all the patches:
-
My List for Windows
After installing all the appropriate device drivers, the first ten items on my list would be -
1. Symantec Drive Image
2. OpenOffice.org
3. Sygate Personal Firewall Pro
4. NOD32 Anti-Virus
5. PestPatrol
6. iolo System Mechanic
7. WinRAR
8. Mozilla Firefox
9. UltraEdit
10. Nero Burning ROM -
Ghost
I hope that by formatting and reinstalling you mean restoring a disk image? Ghost is the best I've found, not free (beer or speech), but saves you _a lot_ of time. If anyone knows a free equivalent let me know. Oh, and as someone else has probably mentioned, Ad-Aware and Spybot might save you the trouble...
-
I have two words for you.
-
Re:viruses hold only part of the blame
It wasn't until the P & Q variants of the Netsky worm that it exploited the MIME header flaw in Outlook. Before variants P & Q, the worm relied on the recipient opening the attachment.
-
Fatherland CyberCzars
Cyberterror at Dep't of Fatherland Insecurity is headed by Amit Yoran, who owes Symantec a $145M favor. He follows the founding CyberFatherlander Howard Schmidt, who moved from strength to strength: CTO of Micro$oft while it developed the very software that leaves cyberspace as secure as the World Trade Center on September 11, 2001, and Fatherland Insecurity Czar during the glorious rise of the SpamWormVirus. Given the Bush team's success in securing Iraq and Afghanistan, always prioritizing science over mumbo-jumbo and easy, government-mandated corporate profits, I expect nothing but smooth sailing fro {CHIRP} ALL YOUR FIREWALLS ARE BELONG TO US ~GZGZGZ~ NO CARRIER
-
Re:no pain...no gain
Symantecally?
-
Linux is the solution? I don't buy it.
That's funny, I'm typing this on a Windows 2000 machine, and I've yet to get infected with the virus/worm/trojan of the week. Maybe it's because I use a mail client that isn't riddled with security holes and an anti-virus program. Might I also add that I encrypt/sign all of my email, and I don't open attachments unless I've confirmed the veracity of the email (either by decrypting it (if the sender is clueful) or by talking to the person that "sent" the email (if they aren't)).
I've said this before, SWITCHING FROM WINDOWS TO LINUX WILL NOT ELIMINATE THE PROBLEM.
If a user does not know how to run a Windows machine (keeping up to date on patches, running antivirus software, etc.) then please explain to me how they'll be able to admin a Linux machine. The truth of the matter is, they can't and they won't. The ranting of *nix fanbois aside, the problem exists between chair and keyboard. The email viruses that require you to open a password-protected .zip file prove that.
I'm certainly not trying to hold up Windows as the platform of choice, because it sure as hell isn't mine; but regardless of your operating system of choice, if you're clueless you're clueless; and unless you fix that first, you're not going to fix the overall problem.
-
Re:where are all the virus's that do real damage?
It might be "real damage" in some cases, but it seems to be quite stupid. According to Symantec's bulletin -
"Attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues."
Given the amount of sectors on a hard-drive, how long will it take for the worm to randomly choose the boot sectors on the boot disk? -
Re:Illegally distributed software
The legality of the Trojan unknowingly installed on downloaders' computers is independent of the legality of the download. A worm that attempts to update security flaws in your system is still a worm.
The network admin (and friend) at my first job out of school was in a similar situation recently. He (and I agree, though it doesn't matter) thought he was doing the "morally right" thing. It was still illegal though. -
Re:S.m.r.t.
How does this BIOS read NTFS? I thought MS hadn't licensed that tech..
I'm pretty sure that MS has. PartitionMagic and Ghost, for example, can both read and write NTFS partitions.
The specs for NTFS have not been released publicly, which is why the Linux implementation of NTFS is so incomplete.
-
Re:It's not the broadband
the vast majority of all the problems we are having are due to problems with primarily Microsoft Outlook, as well as other Microsoft software.
Any proof or facts to point this out, or is this just another one of your false blanket statements?
Proof: here, here and here; and there is plenty more where that came from, these are just the top three for today - note how they all exploit MS Explorer vulnerabilities.
Now, anyone semi-proficient in Visual Basic can write a very destructive virus.
Yet another blanket statement with no proof or backup.
It is pretty well known that many of the e-mail worms out there were written in Visual Basic. Here is an example.
In any of your posts I have yet to see any facts; the only fact that you have presented is that you don't have any resources or any backup/proof for anything you say.
Well, I'm sorry you are so uninformed that you don't know about these things already.
Say hi to Tanya for me.
Whatever -
Re:possible hoax?
Reading it now... Gaobot.RF
Doesn't look like the same payload as described in above posts. Still a nasty little bugger.
--KS -
Re:virus news = spam
Yes, but the factor of this story which made it Newsworthy for Nerds was not the existence of the virus, but rather its novel method of conveyance, the apparent complexity of its API, and the level of sophistication it displays. We are interested in that kind of thing.
There are DOZENS of new viruses and variants discovered every month. Slashdot only reports the ones we might find interesting, the ones that are really nasty, for one reason or another. That's why for a complete list of viruses to watch out for, you'd check out Symantec and others. For the "gee that's scary, let's bash Microsoft" list, you check /. -
Re:Related links and info
Now that is a familiar name. I once accidentally joined (and for whatever reason didn't leave) an IRC channel where Agobot was being used and updated on about 60 users. Perhaps this was a beta testing of the worm, but it was still trying to actively infect users back in October '03. At the time I submitted that exe to Symantec and it was promptly included in the next defs.
-
Re:Now that there is more code available...
...when will someone write a worm that infects vulnerable Windows (or Linux, for that matter) boxen & surreptitiously applies all the latest security patches, cleans out the mal-ware & defrags the hard drive?
Didn't someone try that with This Worm
I don't like the idea of someone running code on someone else's machine, even if they are a clueless newbie -
Re:Back in the day
That's precisely what GoBack does for modern versions of Windows. It's saved my skin a few times, when I screwed up my video drivers or deleted the wrong directory by mistake...
-
Re:I think we all know what is coming
Hmmm, these kind of sites are becoming a nuisance.
Sorry, that website uses broken embed tags and Windows-specific registry CLSIDs to point to quicktime player. I don't have a "registry" or a "quick time" player. For those of us who choose our own browser helper applications (instead of it being decided by a "registry") here is the relevant link.
For those of you with a "registry" that decides which applications will open what, and when, you might want to go here. -
Other Companies
FYI, I am posting AC for a reason. The company I work for does roll-outs and tech support for small cable companies. Scripts are in place to automatically deactivate accounts with high upload/download bandwidth (meaning trojan p2p programs) and techs monitor e-mail usage. Problem with an account? Notify account holder and de-activate account. If the account holder can't be notified, the account is de-activated anyways.
It's time people start taking responsibility for their actions when using a computer. Computers need to be patched frequently with Windows Update. AntiVirus programs such as Norton Antivirus, McAfee VirusScan, or Trend Micro PC-cillin (my personal favorite) are needed with updates and scans run, at the very least, weekly. Computers also need anti-trojan programs such as The Cleaner and anti-spyware programs such as Spybot Search & Destroy and Ad-Aware. Even go as far as not to use the default Internet programs, Internet Explorer and Outlook Express. Instead, use free, open source programs such as Mozilla Firefox (browser) and Thunderbird (e-mail).
Naturally, the majority of people on /. know this, but we need to spread the word. -
Re:Get mom an iMac
This is great except my dad would never go for it. He loves Winblows, AOL and Excel and will not wean off of them. Yes you can use all of them on an iMac, but he wants his PC. He was having problems with it booting and it took forever to log in and get to the desktop. I downloaded Ad-Aware (hint: updated it) and it removed over 200 items. Whatever was causing his slowdowns, Ad-Aware took care of it. The only other option I would suggest is Norton Internet Security 2004. This includes AntiVirus 2004 with spamware support.