Hello again everyone,

First let me state up-front that neither my last message, nor this one, is
intended as a complaint. I fully support everything that the MSU Computer
Lab staff are trying to do to contain this outbreak, and I and my staff will do
everything we can to assist.

After speaking with Rich Wiggins on the phone, he asked me to relate some
of my experiences trying to isolate and patch computers for the various
Microsoft vulnerabilities. Since MSU-DCL starts classes a week before the
rest of MSU, I started sending emails to Faculty and Staff last Monday to
warn them NOT to skip the next Windows Update message they receive, but to
install anything and everything suggested. We had a number of faculty who
were away for months, or may never have turned on their laptops over the summer
who were ripe for infection. We managed to keep most of them from catching the
first round of worm infections last week. If you have Windows Update set up
to automatically download and install patches, then this obviously doesn't
apply. If you have faculty who left their computers off all summer, and you have
the rights to enter their offices before they return, you may want to start
throwing some of your student help at updating those PCs before they get
back.

Since Saturday, the 2nd day of the law school orientation, we've been
helping students download and run fixBlast.exe from
www.norton.com, as well as use the Shutdown /a
switch to keep the infected XP workstations from shutting down long enough to
actually run the fix and download the patch from Microsoft. We've handed
out over 50 CDs with fixBlast.exe plus patches for XP and Win2k on them, as well
as many floppies with fixBlast.exe and the Microsoft patch for XP on them.
We've also handed out about a hundred copies of the PDF file that was made
available at
http://help.msu.edu/virus/blaster.html
Unfortunately, the instructions on this PDF aren't valid for students whose
network access is already cut off (since it requires net access to download the
files). I've been advising students who have cleaned up their PCs and
laptops to call the number listed on the DHCP website for reinstatement, but
that turned up another issue today. Students have been running the fix and
patch programs directly from the CDs we provided. The fixblast.exe program
tries to write a log file to the same location where it was run by default, so
for many of our students, the program doesn't generate a logfile since it can't
write to the CD. Unfortunately, the consultants at MSU are asking for this
logfile as proof that the PC is clean before allowing students back on the
network. I've already had reports from our students that they've been
denied reinstatement, even after they clean their PCs and laptops. I've passed
that information on to Rich last time I spoke with him, but I just wanted to
share that with everyone who is currently helping students.

I'm preparing a new CD with the fix files for Blaster, Welchia, Sircam, and
Mtx infections, as well as the blaster patches for XP and Win2K, and the IE6
SP2 and Win2K SP4 files. I will probably manually add the most recent
Microsoft patches that were announced today to this disk as well. That should
take care of the majority of patches needed by new and returning students who
may not have updated their PCs or laptops all summer long. (My techs have been
manually disconnecting faculty and staff PCs from the net, and running all the
patches from clean CD copies until we are sure they are clean, then restoring
their network connection.)

I have also been running regular scans within my building on
our machines that are on fixed IP ranges, using a free tool downloaded from
www.eEye.com (which was suggested to me
by Joe Budzyn. Thanks Joe!) It's helped me catch a few machines here and
there.

Any thoughts, suggestions, or techniques you've used to try and stay ahead
of infections on Faculty, Staff, and/or Student computers would be greatly
appreciated. Sharing information is one of the best ways we can get clean and
keep machines free of infection. My thanks to everyone for their hard work
and diligence in trying to stop the spread of these infections on the campus
network.

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI 48824-1300
Phone: 517-432-6836
Fax: 517-432-6861