We will be sending out a mailing to users whose computers appear to be infected with the Phatbot / Gaobot worm. We've been informed by Merit and other sources that a few hundred computers plugged into msu.edu appear to be infected. The vast majority of infected computers appear to be in residence halls, but here, per request of NAG, is a heads-up about the mailing. The final mailing may vary slightly from this wording. -- Rich Wiggins Senior Information Technologist Academic Computing & Network Services (ACNS) ______ From: Academic Computing and Network Services (ACNS) You are receiving this memo because a computer registered in your name appears to be infected with a “worm” (a form of computer virus). An Internet service provider has informed MSU that your computer is attempting to infect computers on their network. You need to take immediate action to disinfect your computer and patch your operating system to prevent future infections. If you do not take action, your computer’s files may be destroyed or your personal data may be compromised. The affected computer(s) are: <<insert IP addresses etc. here>> For MSU-owned computers, contact departmental computer support staff before taking any action. If support staff are not available, shut the computer down until you are able to make contact. All others should take immediate steps to disinfect the computer. If this is not convenient, shut the computer down and unplug it from the network until you are able to take action. The worm in question is known as Gaobot, also known as Phatbot or Agobot. Computers running Windows are susceptible to infection. The worm exploits vulnerabilities in Windows previously exploited by Blaster, Welchia, and other earlier worms. This worm opens your computer to remote control by persons elsewhere on the Internet, and may send confidential information stored on your computer to hackers in remote locations. More information about this worm is at: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen. html A tool developed by Symantec will remove some variants of this worm; see: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.remo val.tool.html The tool may report that Gaobot was not found on your system, even if a Gaobot variant has in fact infected it. If the tool does not work, you may need to take other steps. In some cases it will be necessary to reformat your hard drive and reinstall Windows. Contact the ACNS help desk at 517-432-6200 for assistance. You need to complete the following steps: - Consider using a software firewall such as Zone Alarm or Black Ice to protect your computer from worm attacks. If you run Windows XP, consider turning on the built-in Internet Connection Firewall (ICF). - Disinfect your computer using the Symantec removal tool or any other method you prefer. - Run Windows Update and install ALL critical operating system updates. To run Windows Update, visit: http://windowsupdate.microsoft.com - Run up-to-date anti-virus software. Microsoft provides complete instructions on how to protect your Windows PC at this address: http://www.microsoft.com/security/protect/ Please see http://help.msu.edu/virus for further information. If you have questions, contact the ACNS help desk at 517-432-6200.