To all...
I posted this warning to the IMail list as well as the Declude list, and
someone responded with the following link on August 16th:
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
Symantec has more precise information regarding the worm than I can offer (in
fact, they posted some not-so-obvious registry changes we did not find), and
they report that other antivirus companies are now aware of this problem.
I believe we were infected by this worm early on August 15th, before any of the
virus companies had a block/fix for it. I was just trying to get the word out
to others to spare them the 2 days of frustration we went through tracking this
down.
Although I do not know exactly how we got the worm, I can only surmise that one
of our customers opened an HTML page containing a *.jpg file containing the
worm which takes advantage of the Plug and Play functionality of Windows (see
Symantec explanation). Last night, our local news in San Diego reported that
the city's entire network was brought down by this worm as well as some local
companies. They went on to say that the worm was extremely virulent and just
viewing the HTML page was enough to trigger it...
Once infected, the worm was opening port scans throughout our network creating
a data traffic storm, thus bringing our network to a crawl.
Needless to say, we made certain all our servers were up to date with Microsoft
patches.
I hope this helps!
--
Kim W. Premuda
FastWave Internet Services
San Diego, CA