We will be sending out a mailing to users whose computers appear to be
infected with the Phatbot / Gaobot worm.  We've been informed by Merit and
other sources that a few hundred computers plugged into msu.edu appear to be
infected.  The vast majority of infected computers appear to be in residence
halls, but here, per request of NAG, is a heads-up about the mailing.

The final mailing may vary slightly from this wording.

 -- Rich Wiggins
  Senior Information Technologist
  Academic Computing & Network Services (ACNS)

______

From: Academic Computing and Network Services (ACNS)

You are receiving this memo because a computer registered in your name
appears to be infected with a “worm” (a form of computer virus).  An
Internet service provider has informed MSU that your computer is attempting
to infect computers on their network.  You need to take immediate action to
disinfect your computer and patch your operating system to prevent future
infections.  If you do not take action, your computer’s files may be
destroyed or your personal data may be compromised.

The affected computer(s) are:

<<insert IP addresses etc. here>>

For MSU-owned computers, contact departmental computer support staff before
taking any action.  If support staff are not available, shut the computer
down until you are able to make contact.  All others should take immediate
steps to disinfect the computer.  If this is not convenient, shut the
computer down and unplug it from the network until you are able to take
action.

The worm in question is known as Gaobot, also known as Phatbot or Agobot.
Computers running Windows are susceptible to infection.  The worm exploits
vulnerabilities in Windows previously exploited by Blaster, Welchia, and
other earlier worms.

This worm opens your computer to remote control by persons elsewhere on the
Internet, and may send confidential information stored on your computer to
hackers in remote locations.  More information about this worm is at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

A tool developed by Symantec will remove some variants of this worm; see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.removal.tool.html

The tool may report that Gaobot was not found on your system, even if a
Gaobot variant has in fact infected it.  If the tool does not work, you may
need to take other steps.  In some cases it will be necessary to reformat
your hard drive and reinstall Windows.  Contact the ACNS help desk at
517-432-6200 for assistance.

You need to complete the following steps:

 - Consider using a software firewall such as Zone Alarm or Black Ice to
   protect your computer from worm attacks. If you run Windows XP, consider
   turning on the built-in Internet Connection Firewall (ICF).

 - Disinfect your computer using the Symantec removal tool or any other
   method you prefer.

 - Run Windows Update and install ALL critical operating system updates.  To
   run Windows Update, visit:

    http://windowsupdate.microsoft.com

 - Run up-to-date anti-virus software.

Microsoft provides complete instructions on how to protect your Windows PC
at this address:

    http://www.microsoft.com/security/protect/

Please see http://help.msu.edu/virus for further information.  If you have
questions, contact the ACNS help desk at 517-432-6200.