Date: | Wed, 13 Aug 2003 09:45:13 -0400 |
Content-Type: | text/plain |
We are still working to identify and inform administrators about
currently infected machines.

To that end, if you find a machine that is unable to access resources
off its subnet, it probably has been filtered. If so, please examine
the machine, follow the instructions in the CERT advisory at the end
of this note and access will be re-granted in order to obtain and
apply patches.

Also note that ports 135-139 and 4444 have been filtered between
campuses to also curb infections. We realize this may cause some
issues for users. This will be lifted once we feel comfortable that the
problem is under control.

Currently we are still seeing at least 100 infected machines actively
running scans.

You may reference the following for more information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

> CERT Advisory CA-2003-20 W32/Blaster worm
.....
> CERT/CC recommends the following:
> 1. Physically disconnecting the system from the network
> 2. Check the system for signs of compromise.
>    + In most cases, an infection will be indicated by the presence
>      of the registry key
>      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update"
>      with a value of msblast.exe. If this key is present, remove it
>      using a registry editor.
> 3. If you're infected, terminate the running copy of msblast.exe
>    using the Task Manager.
> 4. Take one of the following steps to protect against the compromise
>    prior to installing the Microsoft patch:
>    + Disable DCOM as described below
>    + Enabling Microsoft's Internet Connection Filter (ICF), or
>      another host-level packet filtering program to block
>      incoming connections for 135/tcp
> 5. Reconnect the system to the network and apply the patches in the
>    recommended manner
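
The notice above mentions infected machines "actively running scans" and the filtering of ports 135-139 and 4444. The following is an added example, not part of the original message and not a description of how the hosts were actually identified: it flags sources that contact many distinct destinations on those TCP ports within a short window. The flow record format, the threshold and the window length are assumptions, and the sample flows are constructed.

```python
from collections import Counter, defaultdict

WATCH_PORTS = set(range(135, 140)) | {4444}  # ports the notice says were filtered
FANOUT_THRESHOLD = 5   # assumed: distinct destinations that count as a scan
WINDOW_SECONDS = 60    # assumed: sliding window length

# Constructed sample flows, "epoch src dst proto dport" (assumed format, not real data)
SAMPLE_FLOWS = (
    [f"{1000 + i} 10.1.1.23 10.2.0.{i + 1} tcp 135" for i in range(6)]          # fast sweep
    + [f"{1000 + 150 * i} 10.1.1.77 10.3.0.{i + 1} tcp 135" for i in range(5)]  # slow, spread out
    + ["1002 10.1.1.40 10.2.0.10 tcp 139", "1003 10.1.1.40 10.2.0.10 tcp 445", "garbled line"]
)

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])
    except ValueError:
        return None

def max_fanout(events, window):
    """Largest count of distinct destinations within any `window`-second span."""
    events = sorted(events)
    counts, best, left = Counter(), 0, 0
    for ts, dst in events:
        counts[dst] += 1
        while events[left][0] <= ts - window:  # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best

def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each source at or above `threshold` to its peak fan-out on the watched TCP ports."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_flow, lines)):
        ts, src, dst, proto, dport = rec
        if proto == "tcp" and dport in WATCH_PORTS:
            by_src[src].append((ts, dst))
    peaks = {src: max_fanout(ev, window) for src, ev in by_src.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct destinations within {WINDOW_SECONDS}s, check this host")
```

A sliding window is used instead of fixed time buckets so that a sweep straddling a bucket boundary is still counted as one burst.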