trees
02-01-2006, 09:41 PM
This has been found on a number of University machines. Well worth your time to make sure you're clean. Unless, of course, you want a nice clean, empty hard drive. . . .
Begin forwarded message:
From: Abraham Kuo - SIRT <akuo@ms.Telcom.Arizona.EDU>
Date: February 1, 2006 4:43:12 PM MST
To: NETDISCUSS@LISTSERV.ARIZONA.EDU
Subject: [NETDISCUSS] Blackworm (nyxem, kama sutra, etc)
Reply-To: UA Network Managers Discussion <NETDISCUSS@LISTSERV.ARIZONA.EDU>
Hi, all. As has been widely publicized, machines infected with Blackworm are due to have the payload activate on Friday (2/3). The payload, in short, overwrites a large number of user files, such as .doc, .xls, .pdf, etc. If you're not already familiar with what Blackworm does, there's a good summary here:
http://isc.sans.org/blackworm
If you haven't already done so, it would be a *very* good idea to update your antiviruses and do a full system scan today or tomorrow (before 2/3), and do an additional backup. This is even more critical if a machine has recently been blocked by SIRT, and was cleaned up but not backed up and reformatted (or not cleaned up and kept offline, since the payload that deletes files doesn't necessarily need network connectivity).
Keep in mind that another symptom of Blackworm (and many other worms) is that it interferes with AV operation, so if you're having difficulty updating your AV or doing the system scan, it would be worthwhile to investigate further, as always.
If you have any questions or concerns, please feel free to send us an email (sirt@arizona.edu), or give us a call (626 0100).
Abraham Kuo
CCIT Security Incident Response Team
(520) 626 0100 SIRT
(520) 626 9736 Desk