[SGVLUG] ack -- finally got "wormed" at work

Tom Emerson osnut at pacbell.net
Tue Aug 16 18:29:54 PDT 2005


Well, it finally happened -- or rather, I should say, "it finally happened TO 
ME" -- but the computer I use at work(*) fell victim to a worm.  Now, I pride 
myself on being pretty good about not opening "suspicious" stuff, and I don't 
have any qualms about leaving the system "on" overnight on Tuesday nights so 
the admins can mass-update the company's computers, but it looks like this 
was one not even my "best practices" could avoid. (see below)

From the looks of it, "zotob" has struck, and used a known-for-a-week-now 
security hole in MS's plug-n-play subsystem.  Unfortunately, I had to come 
home to use my Linux system to find out about it -- my computer was "forcibly 
shutting down" within a minute after logging in.  (tried to open a browser to 
check www.cert.org, but couldn't connect before the system rebooted...)

This article in Information Week points out that it uses anonymous access, 
thus giving me a little sense of relief in that I didn't "do anything" to 
enable it to attack my computer (such as open an e-mail or browse to an 
infected site).

http://informationweek.com/story/showArticle.jhtml?articleID=168602115

The article mentioned that once infected, it uses ftp to propagate, which I 
kind of figured was the case because at one point during the boot-up process 
I immediately started the "task manager" and noticed that the "tftp" process 
was executing!  [and no, I couldn't kill it -- I tried]

Tom

(*) yes, it's a Windows system at work -- while I know worms are far more 
likely to strike a Windows system, I'm pragmatic about the whole thing: it 
does pay the bills quite nicely...

-- 
blogref temporarily disabled for the Rabbi's benefit ;)