morning fun - Lograh — LiveJournal
14:04 - morning fun
Damn, I just spent the last 6 hours straight cleaning up computers from the damn lovesan worm.. and there's still a few more for me to get to, I'm just taking a crepe break so I can finish out the day.
The joys of having a college that's moving to WinXP and your only co-worker being on a three-week vacation. JOY! :)
W32/Lovsan.worm is a joyous little piece of fun some scriptkiddie wrote up to take advantage of existing wide-open holes in WinXP (technically, any WindowsNT machine after 4.0 : this includes XP, 2K etc...). Basically what it does is an infected machine looks out on the internet for any unpatched computer it can connect to. It then connects all the computers it finds and tells them to copy itself from the infected machine to themselves. Then it tells them to run the copy they downloaded. All this is done without userintervention. Just having a machine that is slightly behind on the patches and connecting it to the internet is enough to get infected. You don't have to surf to any website, read any email, or load any programs at all. Just being connected gets you infected.
How to clean it is actually really easy (just time consuming when you have over a hundred computers to clean :) ), first you install the patch (found here) and then you'll have to reboot. This will make it so you can't get any new infections, if you are allready infected it doesn't clean that out. The second step is to download the stand-alone virus scanner (found here) and run it. It will automatically kill any copies of the virus it finds. if your computer is rebooting too often to let the scanner find the virus and kill it, take a moment before starting the scan to remove "C:\" from the list of directories scanned and use the "browse" button to put "C:\windows\system32" in the list, then scan. That should find it in time.
If anyone has any other info, please share. I'd love to hear more or if I'm wrong.
now I'm off to go clean some more computers.. Have fun!
(ob. MSjab: my office computer was immune to this, being that I run Linux. :) )
edited to correct a bit where I mistakenly implied it was limited to just WinXP. It's all versions of NT from 4 up (XP being included in that list).