November, 2002

Monthly Virus Update: What the Lab's Virus Wall Has Been Catching
This month there were once again few surprises in terms of the most detected and eradicated viruses and worms. The Klez.H worm was again the top offender with 6,514 instances detected and eradicated, followed by the Yaha.E worm with 1,912 and the Bugbear.A worm with 1,416 instances. Once again the VirusWall proved its great value to the LBNL user community.

The most significant new worm to surface was the Gaobot worm, which gains access to Windows systems through shares. It enters a blank password for the Administrator account or runs a password-cracking attack against accounts such as Administrator, Guest, owner, and others. Once it connects to a share, it installs Trojan horse programs woinggg.exe and sysldr32.exe or sysmgr.exe in the system32 directory of the victim system. It then creates an outbound connection on TCP port 9900, and scans other systems on TCP port 445.

Gaobot is a very serious threat. Your best recourse is to ensure that you do not share your Windows system's hard drive if you do not need to, and that all accounts on your system have strong (difficult-to-guess) passwords. This worm seeks unprotected shares, so turn off any unnecessary shares to your system. If you have to use shares, be sure to not only use password protection, but also choose a strong password to avoid being a future target. For tips, see "Choosing a Password" and "Password Guidelines," on the Computer Protection Program Web site. Also check to make sure that your system's antivirus software is up to date. If your system becomes infected, remove the system from the network and eradicate the virus prior to placing the system back on the network; failure to do so can result in further infections. If you are not sure exactly what to do, dial 486-HELP or email help@lbl.gov.

Additionally, the Friendgreet worm has started to make its way around the Internet. This worm sends email indicating that an electronic greeting card is waiting for the recipient at an indicated URL. If the recipient visits the site, the Windows system in use becomes infected and then sends messages to other systems that a greeting card is waiting.

To further complicate the situation, a hoax, the "virtual card virus" hoax, is also spreading around the Internet. It comes in the form of a warning message that cautions those who receive it to not open a virtual card that they have received. The message claims that a virus infection can result from either connecting to the hyperlink for the virtual card or from opening the message, and that simply typing a single word can cause the virus to be sent to others. If you receive a message with such contents, simply delete it, and be sure to not forward it to others. Given all that is happening, it is (unfortunately) probably best to not open any virtual greeting card if you are using a Windows system.

Read more about these and many other worms and viruses (including how to eradicate them from an infected system).
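The network behaviour described above for Gaobot (an outbound connection on TCP port 9900 plus scanning of other systems on TCP port 445) can be looked for in connection logs. The following is an added example, not part of the original article or of any LBNL tool; the log format, the addresses, and the fan-out threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "time src dst proto dport"
SAMPLE_FLOWS = """\
09:00:01 10.0.0.21 192.0.2.50 tcp 9900
09:00:02 10.0.0.21 10.0.0.30 tcp 445
09:00:02 10.0.0.21 10.0.0.31 tcp 445
09:00:02 10.0.0.21 10.0.0.32 tcp 445
09:00:03 10.0.0.21 10.0.0.33 tcp 445
09:00:03 10.0.0.21 10.0.0.34 tcp 445
09:00:03 10.0.0.21 10.0.0.34 tcp 445
09:05:10 10.0.0.40 10.0.0.5 tcp 445
09:06:11 10.0.0.40 10.0.0.6 tcp 445
09:07:00 10.0.0.55 192.0.2.50 tcp 9900
09:07:30 10.0.0.60 192.0.2.9 udp 9900
truncated-record 10.0.0.61
"""
OUTBOUND_PORT = 9900   # port the article says Gaobot connects out on
SHARE_PORT = 445       # port the article says Gaobot scans
FANOUT_THRESHOLD = 5   # assumption: distinct 445 targets that count as scanning

def parse_flows(text):
    """Yield (src, dst, dport) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3].lower() != "tcp" or not parts[4].isdigit():
            continue
        yield parts[1], parts[2], int(parts[4])

def find_suspects(text, threshold=FANOUT_THRESHOLD):
    """Map source host -> which part of the described traffic pattern it shows."""
    outbound = set()                    # hosts seen connecting to TCP 9900
    share_targets = defaultdict(set)    # host -> distinct hosts contacted on 445
    for src, dst, dport in parse_flows(text):
        if dport == OUTBOUND_PORT:
            outbound.add(src)
        elif dport == SHARE_PORT:
            share_targets[src].add(dst)
    suspects = {}
    for src in sorted(outbound | set(share_targets)):
        scanning = len(share_targets[src]) >= threshold
        if src in outbound and scanning:
            suspects[src] = "port-9900 connection and port-445 fan-out"
        elif src in outbound:
            suspects[src] = "port-9900 connection only"
        elif scanning:
            suspects[src] = "port-445 fan-out only"
    return suspects
```

A host that only talks to a couple of file servers on port 445 stays below the threshold and is not reported; a host matching both conditions is the one to pull off the network first.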