YORK-ANNOUNCE-L Archives

York U. announcements list - READ ONLY

YORK-ANNOUNCE-L@YORKU.CA

Subject:
From:
Chris Russel <[log in to unmask]>
Reply To:
Chris Russel <[log in to unmask]>
Date:
Thu, 25 Mar 2004 14:07:33 -0500
New variants of a virus known as agobot (also known as gaobot, phatbot,
or polybot) are spreading to computers on campus.  Affected I.T.
departments have already been notified; however, many of the infected
systems are personal laptops or other owner-managed systems, so this is a
general warning describing the activity and how to prevent and/or remove
infections.

The virus is sophisticated and does the following after it has infected
a computer:

1) attempts to terminate any running anti-virus software
2) modifies the system so it cannot reach certain web sites, which
   prevents anti-virus signature updates
3) opens a backdoor so the system can be remotely controlled, giving
   others access to the system and its data
4) captures usernames and passwords typed into the system
5) connects to an external IRC server to await remote commands
6) attempts to copy itself to any available network share, including
   Novell drive mappings
7) scans the network for other systems to infect

The network scanning is causing disruption of I.T. services in some areas.
Infected systems may become unresponsive or unusually slow.
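The scanning and IRC behaviour described above leaves a recognisable pattern in connection logs: one internal host touching the file-sharing ports of many distinct neighbours in a short time, then reaching out to an external server on an IRC port. The following Python script is an added example written for this archive page, not something from the original announcement or from York's CNS. It assumes (the announcement does not say) that the scanning targets the Windows file-sharing ports 135, 139 and 445, that the IRC server is reached on the conventional port 6667, and that connection records are available in the constructed "timestamp source destination dest-port" format embedded below.

```python
"""Flag hosts whose traffic matches the worm's network scanning or IRC
command-and-control pattern.  Added example; the log lines are constructed."""
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple

# Assumptions, not stated in the announcement:
FILE_SHARING_PORTS = {135, 139, 445}   # ports the worm probes for shares
IRC_PORT = 6667                        # conventional IRC port; variants may differ
SCAN_THRESHOLD = 20                    # distinct targets before a host is flagged


class Conn(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def _constructed_log() -> str:
    """Build a small, entirely made-up connection log for the demonstration."""
    lines = []
    # Benign: a workstation repeatedly opening one file server's share.
    for i in range(5):
        lines.append(f"2004-03-25T14:00:{i:02d} 10.20.1.7 10.20.1.6 445")
    # Benign: the same workstation browsing the web.
    lines.append("2004-03-25T14:00:10 10.20.1.7 192.0.2.80 80")
    # Suspicious: one host touching port 445 on 40 distinct neighbours...
    for i in range(1, 41):
        lines.append(f"2004-03-25T14:05:{i % 60:02d} 10.20.1.5 10.20.1.{100 + i} 445")
    # ...and then connecting to an external IRC server.
    lines.append("2004-03-25T14:06:30 10.20.1.5 198.51.100.9 6667")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse(log_text: str) -> Iterator[Conn]:
    """Parse 'timestamp src dst dport' lines; skip blanks and '#' comments."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield Conn(ts, src, dst, int(dport))


def analyse(log_text: str, scan_threshold: int = SCAN_THRESHOLD) -> Dict[str, List[str]]:
    """Return {source_host: [reasons]} for hosts that look infected.

    A host is flagged for scanning when it contacts at least scan_threshold
    *distinct* destinations on file-sharing ports (repeatedly using one file
    server is normal and is not counted), and for beaconing when it opens any
    connection to the IRC port.
    """
    share_targets: Dict[str, set] = defaultdict(set)
    irc_servers: Dict[str, set] = defaultdict(set)
    for c in parse(log_text):
        if c.dport in FILE_SHARING_PORTS:
            share_targets[c.src].add(c.dst)
        elif c.dport == IRC_PORT:
            irc_servers[c.src].add(c.dst)

    findings: Dict[str, List[str]] = {}
    for src, dsts in share_targets.items():
        if len(dsts) >= scan_threshold:
            findings.setdefault(src, []).append(
                f"scanned {len(dsts)} distinct hosts on file-sharing ports")
    for src, servers in irc_servers.items():
        findings.setdefault(src, []).append(
            f"outbound IRC connection to {', '.join(sorted(servers))}")
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Counting distinct destinations rather than raw connection counts is what separates a scanner from a busy but legitimate client; a departmental file server's clients generate many port 445 connections to a single host and are not reported. The threshold and port list are starting points to tune against a given network's baseline.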


PREVENTION

Following the three steps in the Windows security checklist at the address
below will prevent infection:

http://infosec.yorku.ca/FAQ/windows_security_3step.html

1) Choosing strong passwords
2) Using automatic security patches
3) Using automatic anti-virus updates

***In particular, using strong passwords for accounts is essential***

In addition to user accounts, Windows NT, 2000, XP and 2003 all have a
*local* "Administrator" account by default.  This account must have a
strong password: many of the infected systems were compromised through a
weak password on this account.  This is IN ADDITION to any
domain/tree-level Administrator accounts.



DETECTION

As previously mentioned, unusually slow response from the computer is a
potential indication that the computer is infected.  Another indication is
being unable to access anti-virus vendor web sites such as "www.nai.com"
or "us.mcafee.com".
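The inability to reach anti-virus vendor sites can be checked directly rather than waiting for a failed download. The following Python script is an added example for this archive page, not part of the announcement. It assumes, as the announcement does not state, that the site blocking is done by adding entries to the Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts), a technique commonly used by this family; a legitimate hosts file has no reason to contain vendor names at all, so any entry naming one is reported, whatever address it points to. The hosts file contents embedded below are constructed; the two vendor names are the ones given in the announcement.

```python
"""Report hosts-file entries that hijack anti-virus vendor names.
Added example; the SAMPLE_HOSTS text is constructed."""
import os
from typing import List, Set, Tuple

# The two names given in the announcement.  Extend with your own vendors'
# update hosts (an assumption for your environment, not stated on the page).
WATCHED_NAMES: Set[str] = {"www.nai.com", "us.mcafee.com"}

SAMPLE_HOSTS = """\
# Constructed sample of %SystemRoot%\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
# Entries a bot added to cut the machine off from its anti-virus vendor:
127.0.0.1   www.nai.com   US.MCAFEE.COM
# A legitimate local override that must not be flagged:
10.20.1.10  intranet.example.edu   # added by the help desk
"""


def hijacked_entries(hosts_text: str,
                     watched: Set[str] = WATCHED_NAMES) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, address) for every watched name found.

    Handles '#' comments (whole-line and trailing), tab or space separation,
    several hostnames on one line, and case-insensitive hostnames, which is
    how Windows itself treats the file.
    """
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in watched:
                findings.append((lineno, name.lower(), address))
    return findings


def default_hosts_path() -> str:
    """Location of the hosts file on Windows NT-family systems."""
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(system_root, "system32", "drivers", "etc", "hosts")


def check_live_hosts_file(path: str = None) -> List[Tuple[int, str, str]]:
    """Read the real hosts file (or another path) and report hijacked names."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return hijacked_entries(fh.read())


if __name__ == "__main__":
    for lineno, name, address in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address}  (suspicious)")
```

Run `check_live_hosts_file()` on a machine you suspect; a clean result does not prove the machine is uninfected (variants may block sites by other means, and the page notes that the anti-virus software itself may already have been terminated), but a hit is a strong indicator that should be followed up with your local technical support group.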


REMOVAL

As there are many variants, the exact removal procedure is subject to
change.  Please contact your local technical support group for assistance.


--
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
[log in to unmask]
