MAJOR INTERNET ATTACK CURRENTLY UNDERWAY

Outspot | 9/2/2003 | Outspot

[OutSpot]

Yesterday and today the internet connections at our company have been non-existant. (Our business is dependant on them)

The following mail below has been sent to our customers:

********************

This problem is affecting a very large number of Internet Service Providers (ISPs) worldwide and it appears to be based upon an overloaded worldwide network as a result of the recent variations of several computer viruses.

Computer networking engineers from many ISPs in many countries are focusing on the short-term situation as well as long-term solutions.

****************

[OutSpot]

Anybody else have problems?

Our ISP is Qwest

[savedbygrace]

No problems here. Yahoo/SWBC (SW Bell)

[prarie earth]

I was having big time problems starting yesterday morning.

[Lazamataz]

The internet is considerably faster for me.

Which means all you TRAFFIC HOGS have been SIDELINED!!! HA! HA! HA! HA!

[Incorrigible]

My firewalls are picking up lots of probes on Port 1027. This is for ICQ.

[dansangel]

No problems with Earthlink.

[Dave S]

No problem here. SWBell

[Tamzee]

Same here, big problems... but mine are on and off.

Using PenTeleData

[thoughtomator]

Try some coffee maybe?

[Snowy]

Our ISP is Qwest

Qwest is the problem. www.internetpulse.com

[Alas Babylon!]

Check out how the Internet is doing at the Internet Health Report

For what it's worth, as of 12:00 Noon, CDT, it all looks pretty good.

[BlessedBeGod]

Internet Traffic Report

[ninenot]

Mayberry USA is dead to emails, but OK w/IE, so far.

[snopercod]

http://www.internettrafficreport.com/main.htm

[Samizdat]

I Just heard on the radio that all Qwest cell phones calls are being rerouted to 911 and that Qwest users shouldn't use their cell phones until further notice.

[CFW]

Internet Health Report.

[Benrand]

I do believe that the major problems caused by blaster/welchia are for the most part over, although some measures needed to be taken that could slow some parts of the net down.

We were slammed by that bug.

[oh8eleven]

Don't see any problems here.

[thoughtomator]

According to my firewall log, the major Internet problem right now is still the Sobig.F ICMP packet storm - ICMP traffic has actually increased since I set up the filter to track it. If there are enough infected hosts on your network, they could potentially be causing a DoS condition for your ISP.

[snopercod]

It's Mars...

[OutSpot]

I just found the following new worm information on symantec.com. Note on the bottom how the worm spreads via file sharing programs (Peer to Peer)

**********************************

W32.Pandem.C.Worm
Discovered on: September 01, 2003
Last Updated on: September 02, 2003 01:06:54 AM

W32.Pandem.C.Worm is a worm that attempts to spread by emailing itself to contacts in the Microsoft Outlook Address Book, and through file-sharing applications and ICQ.

The worm is written in C++ and is packed with PEBundle.

Variants: W32.Pandem.Worm, W32.Pandem.B.Worm
Type: Worm
Infection Length: 112,640 bytes


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX


Virus Definitions (Intelligent Updater) *
September 02, 2003


Virus Definitions (LiveUpdate™) **
September 03, 2003

*
Intelligent Updater definitions are released daily, but require manual download and installation.
Click here to download manually.

**
LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics


Wild:
Low
Damage:
Low
Distribution:
Low

When W32.Pandem.C.Worm is executed, it performs the following actions:

Drops the file, %System%\Zlib.dll, which is a legitimate compression utility.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Copy itself as %Windir%\System32\videomgr.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Adds the value:

"Video Manager"="%Windir%\System32\\videomgr.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Attempts to contact www.google.com to check for Internet connectivity.

If the check succeeds, the worm will attempt to mail itself with the message:

From: support@microsoft.com
Subject: Microsoft Security Bulletin
Message: "Important Security and Privacy Information"

Your privacy and security may be compromised

Some web sites use unauthorized browser windows, Javascript, cookies, even malicious file downloads - without your permission.
Through these vulnerabilities, your computer may be exposed to harmful internet threats, and your web browsing can be tracked by unauthorized third parties.

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows 95,98,2K,NT,ME,XP should apply the attached update.

Attachment: update.zip or update.exe

Attempts to notify the author with an email containing the following message:

Subject: Another Victim Of Social Engineering

Attempts to propagate through file-sharing networks by copying itself as:
Cracks Collections.exe
ICQ Platinum v2.exe
Cracker Game.exe
Matrix.scr
ICQ Hack.exe
Windows NT_2000_XP Nuker.exe
Connection Booster.exe
Serials Collections.exe
Hotmail Hack.exe
Norton keygen-All vers.exe
Hacker.exe
South Park.scr
Cracks Collections.exe
Popup Blocker.exe
Trojan Remover.exe
ICQ Platinum v2.exe
Cracker Game.exe
Matrix.scr

to the folders:

c:\program files\gnucleus\downloads\incoming\
c:\program files\gnucleus\downloads\
c:\program files\KMD\my shared folder\
c:\program files\BearShare\Shared\
c:\program files\KaZaa Lite\My Shared Folder\
c:\program files\KaZaa\My Shared Folder\
c:\program files\Morpheus\my shared folder\
c:\program files\eDonkey2000\incoming\
c:\program files\direct connect\received files\
c:\program files\grokster\my grokster\
c:\program files\limeWire\shared\
c:\program files\icq\shared files\

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as W32.Pandem.C.Worm.
Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Pandem.C.Worm, click Delete.

4. Deleting the value from the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Video Manager"="%Windir%\System32\\videomgr.exe"

Exit the Registry Editor.

[Snowy]

That worm is only rated a '1' on Symantec's site. As a sysadmin, I don't begin to get nervous until they hit a '3'.

[toupsie]

Check out to see if you are getting nailed on Port 135. LoveSan/Blaster and Nachi/Welchi have been pounding that port hard looking for the RPC vulnerability. An easy way to detect this is to install an open source package called "portsentry" which can be found at SourceForge. There is a java port of it if you do not have a Linux/BSD/Mac OS X system to install it on. Then check out the system messages to see which IPs are bombing you with port 135 requests. Nachi also blasts out ICMP packets to the Internet which can overwhelm some firewalls by overloading the NAT buffers.

This is the day when a lot of college students are returning to school with computers that haven't been patched and they have nice fat pipes on campus. The combo of these two could be a cause.

[Prof Engineer]

It's Mars...

But, what did GWB know, and when did he know it?

[Tamzee]

HEAVY pounding on port 135 lately...

http://www.dshield.org/

[FormerlyAnotherLurker]

Oh my goodness! How am I going to sleep tonight?

FROM your post;

"Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy "

Don't open the d_mn attachment.

[OutSpot]

Thanks for the info I will forward this to the systems administrator. You gotta love Free Republic.

[.cnI redruM]

The worms crawl in,
the worms crawl out.
They swallow your guts,
and spit them out.

[Sloth]

According to my firewall log, the major Internet problem right now is still the Sobig.F ICMP packet storm - ICMP traffic has actually increased since I set up the filter to track it.

Lately my ZoneAlarm has been denying frequent 'ICMP' connections from my ISP's IP number... Is that something I should be worried about?

[Dog Gone]

I couldn't get pages to open for about 45 minutes this morning. Right now, though, response time seems normal.

[thoughtomator]

Nope, it's just the packet storm. You should only be worried if they're getting through.

[Sloth]

OK, thanks.

[Itzlzha]

Look at where these files get located...

c:\program files\gnucleus\downloads\incoming\
c:\program files\gnucleus\downloads\
c:\program files\KMD\my shared folder\
c:\program files\BearShare\Shared\
c:\program files\KaZaa Lite\My Shared Folder\
c:\program files\KaZaa\My Shared Folder\
c:\program files\Morpheus\my shared folder\
c:\program files\eDonkey2000\incoming\
c:\program files\direct connect\received files\
c:\program files\grokster\my grokster\
c:\program files\limeWire\shared\ c:\program files\icq\shared files\

I know that these file-share sites are popular, and therefore convenient for virus propogation, but am I the only one who wonders if this isn't related to the whole RIAA crackdown on music file sharing?

And didn't the RIAA/Gubmint talk about allowing a virus to get into the computers of those who USE these file sharing sites?

Hmmm.....

[OutSpot]

Very good point!

That was my first thought also when I saw the list.

Things that make you go Hmmmmm

[OutSpot]

"I Just heard on the radio that all Qwest cell phones calls are being rerouted to 911 and that Qwest users shouldn't use their cell phones until further notice."

Do you remember what radio station mentioned this?
What cities 911 service is affected?
What state are you in?

If this is true, this is major.

[dead]

I am currently unable to post anything on Free Republic.

[Marie Antoinette]

I just got a notice from my ISP that I'm over quota on my email. WTH? I don't leave my messages on the server, but I went to check just in case (I have some kids who click some unlikely combos), there was nothing waiting online. I have no size restrictions, I DL all messages. However, I do not have my attachments enabled. I don't see how this would affect anything.

So are they perhaps getting dumped on by virii aimed at my address??

This is the message I received:
***This message is an automatic warning that you need to reduce disk usage
you should read and delete messages from your inbox or other folders.
If your mail client is set to ignore messages over a certain size, or leave messages on the server
then changing that setting might be in order.***


I emailed them, but no response yet.

[thoughtomator]

You've got to clean out all the junk spam from your email on your ISP's server. Go through old sent items and trash and get rid of what you don't need to keep on the server, download locally anything you want to save.

[Vigilantcitizen]

"I am currently unable to post anything on Free Republic."

Me either. Maybe we're not logged in.

[rwfromkansas]

The dorm internet was down here at my college (likely started by the Blaster worm, which cripples networks when it gets in). It also was very slow. It still is slow, but improving, so I am hoping things get back online.

Hallelujah....I can get on FR again! I have only been able to get on it in the student govt. office for short periods of time until now.

[mhking]

BellSouth was fine this morning.

[BlessedBeGod]

Can anyone explain this to me? I've never seen this before.

In Zone Alarm, it's showing medium alerts, the program being either Internet Explorer or Opera, the source IP is one I've never heard of before, the destination IP me, the direction "routed" instead of incoming or outgoing, and the action taken was blocked.

I've never seen the program as my browser before (only Real Player or Windows Media Player, etc.), and I've never seen the direction as "routed." Since I've been having problems the last hour, is there something going on here? I finally had to unplug my cable modem to reconnect to the internet.

Thanks ahead of time.

[MarkL]

We're not having any problems, and we really don't care if this high speed links go down, since we've got a backup plan... We've implemented a backup solution using RFC 1149. This ensures that we've always got a way to communicate over the Internet, no matter how many routers are crashed... Of course, there are some disadvanteges to this method, and it isn't really very good for "real time" applications or graphics...

Mark

[Ouachita]

According to my firewall log, the major Internet problem right now is still the Sobig.F ICMP packet storm

I use the free version of Zone Alarm with my cable connection. It's logged almost 20,000 ICMP hits since 8-19-03. They're mostly from an ISP in Canada.

[SGCOS]

The Internet gets cleaned and purged on a quarterly basis, and for anybody to blame a virus is a simple case of ignorance.

[Marie Antoinette]

I *did* have 6 (yes, SIX) old sent items that I dumped. They've been there a while, weird that I got the message today. I was nowhere near the storage limit!

Thanks, hopefully that will take care of it.

[thoughtomator]

It only takes one sent item with a large attachment to pack a mailbox. Hopefully that was the problem. Keep me posted.

[snopercod]

I've been noticing that FR pages seem slow to load for over a week now. I thought it was just my brain...

[WVNan]

Same here cod. My puter is extremely sloooowww, and I'm on cable.