ida worm or Code Red Worm


From: Sherry M. Rogers (smrogers@socrates.berkeley.edu)
Date: Thu Jul 19 2001 - 17:06:00 PDT


SECURITY ALERT

There is a very aggressive internet worm spreading on campus called the
"ida worm" or Code Red worm. It takes advantage of an IIS vulnerability;
information about it can be found at the URLs listed below.

A "worm" spreads automatically, one host infecting a hundred others, each
infecting a hundred others, etc. This one reuses the same seed for
generating random addresses to attack so has had the effect of a Denial of
Service attack.

Beginning immediately, we need the campus to be prepared: it is having a
serious impact on our network, including CALREN2.

Prepare/defend your systems by:

Reviewing and being aware of the Microsoft Web Server vulnerabilities as
described on the following web sites:

<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp>

(this is the Microsoft security bulletin)

<http://www.dshield.org/>
(there is an explanation of the "worm" on this page)

<http://www.cert.org/advisories/CA-2001-13.html>
(this is the CERT advisory)

Make sure that any Microsoft Web Server has the latest patches installed
per the information in the URLs above.
 
We recommend shutting down any IIS webservers which are not essential -
the worm will deface them as well as infect your host and spread.

I have been infected by this worm, what can I do?
-------------------------------------------------

The first thing you must do is go to the Microsoft security site, as
referenced above, and install the .ida patch ASAP. The worm will remain in
memory until you reboot your server so make sure to reboot after
installing the .ida patch.

I think I am infected, how can I tell?
--------------------------------------

An infected system will show an increase in load (processor/network). It
will also show a number of external connections (or attempts) to port 80
of random IP addresses. You can see this by doing a "netstat -an" from a
MS-DOS prompt. Either way do not take any chances... if your system is
missing the .ida patch then install it ASAP and reboot.

-------------------------------------------------------------------------
Sherry M. Rogers University of California, Berkeley
System & Network Security phone (510)642-7157
-------------------------------------------------------------------------

-----------------------------------------------------------------------
The following was automatically added to this message by the list server:

Webnet information is available at <URL:http://wss.berkeley.edu/webnet/>.
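
The "netstat -an" check described in the alert above, as an added example that is not part of the original message: it parses saved netstat output and counts outbound connections (or attempts) to port 80 of distinct remote addresses. The sample output is constructed, and the function names and the threshold of 5 hosts are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output (documentation IP ranges,
# not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3312      ESTABLISHED
  TCP    192.0.2.10:1051        203.0.113.5:80         SYN_SENT
  TCP    192.0.2.10:1052        198.51.100.23:80       SYN_SENT
  TCP    192.0.2.10:1053        203.0.113.77:80        SYN_SENT
  TCP    192.0.2.10:1054        198.51.100.140:80      ESTABLISHED
  TCP    192.0.2.10:1055        203.0.113.201:80       SYN_SENT
  TCP    192.0.2.10:1056        198.51.100.9:80        SYN_SENT
  TCP    192.0.2.10:1057        203.0.113.5:80         TIME_WAIT
  UDP    0.0.0.0:135            *:*
"""

# Matches TCP rows only: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
FANOUT_THRESHOLD = 5  # assumed cut-off for this example; tune per host role

def outbound_http(netstat_text):
    """Return (remote_ip, state) for TCP rows whose remote port is 80."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # Local ports the host listens on; rows using them are inbound traffic.
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    return [(raddr, state) for _, lport, raddr, rport, state in rows
            if rport == "80" and state != "LISTENING" and lport not in listening]

def summarize(netstat_text, threshold=FANOUT_THRESHOLD):
    """Count distinct remote web hosts and flag unusual fan-out."""
    conns = outbound_http(netstat_text)
    hosts = {ip for ip, _ in conns}
    return {
        "connections": len(conns),
        "distinct_remote_hosts": len(hosts),
        "states": dict(Counter(state for _, state in conns)),
        "suspicious": len(hosts) >= threshold,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A web server normally shows port 80 in the local address column; many rows with port 80 in the foreign address column, mostly in SYN_SENT, match the behaviour the alert describes.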



This archive was generated by hypermail 2b29 : Thu Jul 19 2001 - 17:07:25 PDT