YORK-ANNOUNCE-L Archives

York U. announcements list - READ ONLY

YORK-ANNOUNCE-L@YORKU.CA

Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Condense Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Sender:
"York U. announcements list - READ ONLY" <[log in to unmask]>
Subject:
From:
Chris Russel <[log in to unmask]>
Date:
Thu, 25 Mar 2004 14:07:33 -0500
Content-Type:
TEXT/PLAIN; charset=US-ASCII
MIME-Version:
1.0
Reply-To:
Chris Russel <[log in to unmask]>
Parts/Attachments:
TEXT/PLAIN (65 lines)
New variants of a virus known as agobot (also known as gaobot,
phatbot, or polybot) are spreading to computers on campus.  Affected I.T.
departments have already been notified, however many of the infected
systems are personal laptops or other systems which are owner managed -
this is a general warning regarding the activity and how to prevent and/or
remove infections.

The virus is sophisticated and will do the following after it has infected
a computer:

1) attempts to terminate any existing anti-virus software
2) modify system so it cannot access certain websites, including
preventing anti-virus signature updates
3) opens a backdoor so it can be remotely controlled or allow others
access to the system and data
4) captures usernames and passwords typed into the system
5) connects to an external IRC server to await remote commands
6) attempts to copy itself to any available network shares including
Novell drive mappings.
7) scans the network for other systems to infect

The network scanning is causing disruption of I.T. services in some areas.
Infected systems may become unresponsive or unusually slow.


PREVENTION

Following the three steps in the windows security checklist here will
prevent infection:

http://infosec.yorku.ca/FAQ/windows_security_3step.html

1) Choosing strong passwords
2) Using automatic security patches
3) Using automatic anti-virus updates

***In particular, using strong passwords for accounts is essential***

In addition to user accounts, Windows NT, 2000, XP and 2003 all have a
*local* "Administrator" account by default - this account must have a
strong password - many of the infected systems have been compromised via a
weak password on this account.  This is IN ADDITION to any
domain/tree-level Administrator accounts.



DETECTION

As previously mentioned, unusually slow response from the computer is a
potential indication that the computer is infected. Also, if you cannot
access anti-virus vendor web sites such as "www.nai.com" or "us.mcafee.com".


REMOVAL

As there are many variants, the exact removal procedure is subject to
change.  Please contact your local technical support group for assistance.


--
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
[log in to unmask]

ATOM RSS1 RSS2