Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Virus Takes Out Gov't Agencies in MD, PA

Posted by michael on from the no-great-loss dept.

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

5 of 984 comments (clear)

  1. Want to see the code? by westyvw · · Score: 5, Informative

    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~r oo t=security,1~mode=flat

  2. Re:Yes by Anonymous Coward · · Score: 5, Informative

    Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.

  3. Re:Yes by websaber · · Score: 5, Informative
    It contains the message

    "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

    Doesn't mean there is a agenda but there could be.

    --
    "A good friend will bail you out of jail. A true friend will be sitting next to you saying, 'damn....that was fun!'"
  4. Our system by Jade+E.+2 · · Score: 5, Informative
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that is crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)" Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would popup up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?

  5. Actually, our hospital was hit pretty bad today by PIPBoy3000 · · Score: 5, Informative

    I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.

    It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.