Kim,

This most likely wasn't from an infected JPG.  This vulnerability is attacked through TCP ports:
Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
...
Block TCP ports 139 and 445 at the firewall:
These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.
Patching is of course necessary, but you might think about doing some port blocking on your router and creating walls (ACLs & VLANs) between your customers' equipment and your own.  Generally speaking, there are fewer than 10 ports that need to be opened in order to provide full hosting and E-mail services, and you would be much less likely to get worms.

Matt
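An added example, written here and not code from either poster: a small Python script that picks the "port scan storm" symptom Kim describes out of firewall deny logs, by counting distinct hosts each internal source tried to reach on the two ports the MS05-039 bulletin says to block (TCP 139 and 445). The log format, host addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# TCP ports the MS05-039 bulletin recommends blocking at the firewall.
SMB_PORTS = {139, 445}

# Constructed sample firewall log (not a real capture): one internal host
# fans out to many neighbours on 445/139, one host talks repeatedly to a
# single file server, one host browses the web on port 80.
SAMPLE_LOG = """\
Aug 15 02:11:03 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.1 PROTO=TCP DPT=445
Aug 15 02:11:03 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.2 PROTO=TCP DPT=445
Aug 15 02:11:04 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.3 PROTO=TCP DPT=139
Aug 15 02:11:04 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.4 PROTO=TCP DPT=445
Aug 15 02:11:04 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.5 PROTO=TCP DPT=445
Aug 15 02:11:05 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.7.6 PROTO=TCP DPT=445
Aug 15 02:11:05 fw kernel: ACCEPT IN=eth1 SRC=10.0.5.40 DST=10.0.7.9 PROTO=TCP DPT=445
Aug 15 02:11:05 fw kernel: ACCEPT IN=eth1 SRC=10.0.5.40 DST=10.0.7.9 PROTO=TCP DPT=445
Aug 15 02:11:06 fw kernel: ACCEPT IN=eth1 SRC=10.0.5.41 DST=198.51.100.10 PROTO=TCP DPT=80
Aug 15 02:11:06 fw kernel: ACCEPT IN=eth1 SRC=10.0.5.41 DST=198.51.100.11 PROTO=TCP DPT=80
Aug 15 02:11:06 fw kernel: DENY IN=eth1 SRC=10.0.5.41 DST=10.0.7.2 PROTO=UDP DPT=137
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse_tcp(lines):
    """Yield (src, dst, dport) for each TCP record; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_smb_scanners(lines, min_targets=5):
    """Return {src: distinct_target_count} for sources that touched at least
    min_targets distinct hosts on 139/445.  Distinct targets, not packet
    count, is the signal: a workstation reconnecting to one file server is
    normal, a host sweeping the subnet is the traffic storm in the thread."""
    targets = defaultdict(set)
    for src, dst, dport in parse_tcp(lines):
        if dport in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct SMB targets; isolate and patch (MS05-039)")
```

Run it against the real firewall's deny log instead of SAMPLE_LOG, tuning min_targets to the size of the subnet; the hosts it lists are the ones to pull off the network first.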

Kim Premuda wrote:
To all...

I posted this warning to the IMail list as well as the Declude list, and someone responded with the following link on August 16th:
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html

Symantec has more precise information regarding the worm than I can offer (in fact, they posted some not-so-obvious registry changes we did not find), and they report that other antivirus companies are now aware of this problem.

I believe we were infected by this worm early on August 15th, before any of the virus companies had a block/fix for it. I was just trying to get the word out to others to spare them the 2 days of frustration we went through tracking this down.

Although I do not know exactly how we got the worm, I can only surmise that one of our customers opened an HTML page containing a *.jpg file containing the worm which takes advantage of the Plug and Play functionality of Windows (see Symantec explanation). Last night, our local news in San Diego reported that the city's entire network was brought down by this worm as well as some local companies. They went on to say that the worm was extremely virulent and just viewing the HTML page was enough to trigger it...

Once infected, the worm was opening port scans throughout our network creating a data traffic storm, thus bringing our network to a crawl.

Needless to say, we made certain all our servers were up to date with Microsoft patches.

I hope this helps!

--
Kim W. Premuda
FastWave Internet Services
San Diego, CA


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.