Thank you Doug, It looks like all our fixed IP machines are now clean at the law college. Since some of our part-time faculty register their laptops via DHCP, we have had a hard time tracking down some infected machines (since they may only be on campus one or two days a week.) We'll get them clean as soon as they are back in the building. A question for you: some of the addresses on the list, when I managed to track them down, belong to student laptops who have registered their computers in the DHCP database. Are you sending emails to students when a DHCP address registered to a student shows up on these lists? Since they all had to register using their Pilot IDs, I was curious to know if you are running this list against the DHCP registry to notify students? Or are you expecting the network administrators to try and identify student machines that are infected? Thanks for all your hard work on this. I know I am not the only one who appreciates all your hard work in helping us track down infected machines. John A. Resotko Head of Systems Administration MSU - Detroit College of Law 208 Law College Building East Lansing, MI 48824-1300 email: [log in to unmask] Phone: 517-432-6836 Fax: 517-432-6861 >>> [log in to unmask] 08/20/03 07:54PM >>> Please note: I have now posted today's list of infected computer systems to the web site listed below. The current list includes systems which are doing ICMP (ping request) scans, as well as Microsoft network scans. The ICMP scans are primarily a result of the "W32.Welchia" worm, whereas the port 135 scans are primarily from "W32.Blaster". Both worms exploit the MS DCOM vulnerability. Doug Doug Nelson [log in to unmask] Network Manager Ph: (517) 353-2980 Computer Laboratory http://www.msu.edu/~nelson/ Michigan State University Forwarded message: Subject: IMPORTANT: Many campus systems port scanning To: [log in to unmask] (IP Host Managers), [log in to unmask] (MSU Security Announce), [log in to unmask] (MSU Network Administrators Group) Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT) X-Mailer: ELM [version 2.5 PL2] Content-Length: 835 Important message to all campus system and network administrators: We are experiencing a high volume of Microsoft network scans, coming from over 450 computer systems on the campus network. In order to speed up the process of contacting system administrators, the list of IP addresses has been posted. Please review the following site for systems under your control: http://network.msu.edu/msu/portscan.html Also included are pointers to several resources which may aid in controlling and removing the viruses/worms involved in these port scans. The list of IP addresses will be revised later today, as we gain further information on the level of port scanning on the campus network. Doug Nelson [log in to unmask] Network Manager Ph: (517) 353-2980 Computer Laboratory http://www.msu.edu/~nelson/ Michigan State University