Date: Thu, 25 Mar 2004 14:07:33 -0500
New variants of a virus known as agobot (also known as gaobot,
phatbot, or polybot) are spreading to computers on campus. Affected I.T.
departments have already been notified; however, many of the infected
systems are personal laptops or other owner-managed systems, so
this is a general warning regarding the activity and how to prevent and/or
remove infections.
The virus is sophisticated and will do the following after it has infected
a computer:
1) attempts to terminate any existing anti-virus software
2) modifies the system so it cannot access certain websites, which
prevents anti-virus signature updates among other things
3) opens a backdoor so it can be remotely controlled or allow others
access to the system and data
4) captures usernames and passwords typed into the system
5) connects to an external IRC server to await remote commands
6) attempts to copy itself to any available network shares, including
Novell drive mappings
7) scans the network for other systems to infect
The network scanning is causing disruption of I.T. services in some areas.
Infected systems may become unresponsive or unusually slow.
PREVENTION
Following the three steps in the Windows security checklist at the address
below will prevent infection:
http://infosec.yorku.ca/FAQ/windows_security_3step.html
1) Choosing strong passwords
2) Using automatic security patches
3) Using automatic anti-virus updates
***In particular, using strong passwords for accounts is essential***
In addition to user accounts, Windows NT, 2000, XP and 2003 all have a
*local* "Administrator" account by default. This account must have a
strong password: many of the infected systems were compromised via a
weak password on this account. This is IN ADDITION to any
domain/tree-level Administrator accounts.
DETECTION
As previously mentioned, unusually slow response from the computer is a
potential indication that the computer is infected. Another indication is
being unable to access anti-virus vendor web sites such as "www.nai.com" or
"us.mcafee.com".
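A quick way to check a machine for the blocked-vendor-site symptom described above. This is an added example, not part of the original notice; it assumes the block is implemented by adding hosts-file entries that pin vendor names to a loopback or unroutable address (the notice does not say how the block is done), and the vendor list and sample hosts content are constructed for the example.

```python
"""Flag hosts-file entries that would block anti-virus vendor sites."""
import ipaddress

# Names from the notice plus two assumed vendor update hosts.
AV_DOMAINS = {"www.nai.com", "us.mcafee.com",
              "update.symantec.com", "www.sophos.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for each mapping in hosts-file text.

    Handles comments, blank lines, tabs, and several names on one line.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), lineno


def suspicious_entries(text, watch=AV_DOMAINS):
    """Return (line, name, ip, reason) for every watched vendor name in hosts.

    A vendor site should never be statically mapped at all, so any entry is
    reported; a loopback/unspecified target is called out explicitly.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name not in watch:
            continue
        try:
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or addr.is_unspecified:
                reason = "pinned to loopback/unspecified address"
            else:
                reason = "unexpected static mapping"
        except ValueError:
            reason = "unparseable address"
        findings.append((lineno, name, ip, reason))
    return findings


# Constructed sample hosts file for the example (not real system content).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1  www.nai.com   us.mcafee.com   # entries added by malware
0.0.0.0\tupdate.symantec.com
192.168.1.10    fileserver.example.local
"""

if __name__ == "__main__":
    for lineno, name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

On a Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean hosts file normally contains only the localhost line.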
REMOVAL
As there are many variants, the exact removal procedure is subject to
change. Please contact your local technical support group for assistance.
--
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada