morning fun - Lograh — LiveJournal

Tuesday, 12.Aug.2003

14:04 - morning fun


Damn, I just spent the last 6 hours straight cleaning up computers from the damn Lovesan worm... and there's still a few more for me to get to; I'm just taking a crepe break so I can finish out the day.

The joys of having a college that's moving to WinXP and your only co-worker being on a three-week vacation. JOY! :)



W32/Lovsan.worm is a joyous little piece of fun some scriptkiddie wrote up to take advantage of existing wide-open holes in WinXP (technically, any Windows NT machine after 4.0: this includes XP, 2K, etc.). Basically, an infected machine looks out on the internet for any unpatched computer it can connect to. It then connects to all the computers it finds and tells them to copy the worm from the infected machine to themselves. Then it tells them to run the copy they downloaded. All this is done without user intervention. Just having a machine that is slightly behind on the patches and connecting it to the internet is enough to get infected. You don't have to surf to any website, read any email, or load any programs at all. Just being connected gets you infected.

Cleaning it is actually really easy (just time-consuming when you have over a hundred computers to clean :) ). First you install the patch (found here), and then you'll have to reboot. This will make it so you can't get any new infections; if you are already infected, it doesn't clean that out. The second step is to download the stand-alone virus scanner (found here) and run it. It will automatically kill any copies of the virus it finds. If your computer is rebooting too often to let the scanner find the virus and kill it, take a moment before starting the scan to remove "C:\" from the list of directories scanned and use the "browse" button to put "C:\windows\system32" in the list, then scan. That should find it in time.

If anyone has any other info, please share. I'd love to hear more or if I'm wrong.

Now I'm off to go clean some more computers... Have fun!

(ob. MSjab: my office computer was immune to this, being that I run Linux. :) )

Edited to correct a bit where I mistakenly implied it was limited to just WinXP. It's all versions of NT from 4 up (XP being included in that list).

Comments:

(Deleted comment)
From:lograh
Date:16:00 12.Aug.2003 (UTC)
I mistyped when I implied it is limited to XP. It's in 2K also, so you'll definitely be needing to use these files on his computer.

Luckily, they only need 2 floppies (one file per floppy) so you can disconnect his computer from the net while you are cleaning it to minimise the chance of external influence.
From:ox_number_10
Date:14:31 12.Aug.2003 (UTC)
I guess I should get the patch too.
From:gravilim
Date:14:49 12.Aug.2003 (UTC)
It's a hole in 2000 as well, both server and Pro. I don't know if it goes back to NT4/98 or not.

We've been spanked by it all day, and our push of the patch at the end of last week only seemed to hit part of our systems, as today we've been staring at 12-14 minute hold times all day long. Wheee! :)
From:lograh
Date:15:54 12.Aug.2003 (UTC)
Yeah, the patch link I gave is to the base info site for it, so you can d/l the patch for 2k as well..

98 is not affected by this, NT4 and above are. Thanks for pointing out that tidbit.
From:mr_destructo
Date:22:19 12.Aug.2003 (UTC)
I was really lucky and didn't get hit too bad by this, but I still downloaded the patch just in case, and ran my McAfee.
