Silflay Hraka?

Bigwig is a systems administrator at a public university
Hrairoo is the proprietor of a quality used bookstore
Kehaar is.
Woundwort is a professor of counseling at a private university


October 29, 2003

New Virus

Windows users need to turn off Com+ right now. It's in the Control Panel under Administrative Tools/Services.

Yes, that's all I know. I'll update as I find out more.

Update: The virus just got noticed on the UNC system. All we know is that it's using Com+ to spread. There's no official warning, but when the Head of the Control Center makes a point of going office to office telling people to turn off stuff, you turn stuff off.

It appears whatever it is started in Granville Towers and spread. It's attempting to get into the Carolina VPN at the moment. The possibility of such an event caused the word "Armageddon" to be uttered for the first time. So far it has not succeeded in doing so, so the Final Trump has not yet been blown for the UNC network.

Caution: All of this info is very new. I'm obtaining it by walking around and getting people to speculate.

There's a possibility that just turning off Com+ does not work, which would be bad, because at that point DCOM itself would have to be disabled. Directions for doing so can be found here, but I'm not doing that, yet.

More Update: Starting to look like Welchia, or a variant thereof, which begs the question of how it got out in the first place, if it is indeed a known worm.

Final Update: Bam! it started, and Bam! it vanished, which allowed us to come up with a theory or three, assuming that the jump in network activity was indeed due to the Welchia virus.

Theory #1
Granville's connectivity to the UNC system is provided by a private ISP via a Bellsouth fiber. One way ISPs fight viruses is by enabling filters on incoming and outgoing traffic. If a virus tries to spread via port 135, then the ISP will block all port 135 traffic at its border with a filter. Filters are like any other program, they can be turned on and off. Given the sudden spike in virus activity and its equally sudden disappearance, it's possible that a filter was turned off by the Granville ISP, allowing previously infected machines to start scanning the UNC system. Then the filter was turned back on, or unwedged itself, and voila! no more virus activity.

Now you might ask, why didn't UNC filter out port 135 at its border? We do, but Granville connects directly to our internal network.

However: We've since talked to the Granville ISP. They adamantly deny having any filters at all in place.


Theory #2
Last week was Carolina's fall break. It could be that a student took an unpatched laptop home, got infected, then didn't turn it back on until today. Once it came up, it quickly infected all the other vulnerable machines in its IP domain. Once we blocked the infected machines, the traffic came to an end.

However: We'd expect to have seen this pattern every day since students returned from fall break, from other dorms as well as Granville. We've seen no such thing.

Theory #3
It's a timed virus, set to go on and off at certain intervals.

However: There is no however.
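A detector for the behaviour Theory #1 and Theory #2 describe, written here as an added example (it is not from the post and not UNC's or the Granville ISP's tooling): it reads constructed firewall-style log lines, flags any source that reaches many distinct hosts on TCP/135 (the DCOM RPC port Welchia spreads over) or sends many ICMP echo requests in a short window, and models the ISP border filter being switched on or off. The log format, thresholds, addresses and function names are all assumptions.

```python
"""Flag worm-like spreading (many TCP/135 targets, or ICMP echo sweeps) in
firewall-style log lines, and model a border filter on port 135 being on/off.
Added example; every address and log line below is constructed, not captured."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log lines: '<ISO time> <src> <dst> <proto> <dport>'.
    For icmp lines the last column carries the ICMP type (8 = echo request)."""
    lines = []
    t0 = datetime(2003, 10, 29, 13, 0, 0)
    # Worm-like host: 60 distinct destinations on TCP/135 within 30 seconds.
    for i in range(60):
        ts = t0 + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 10.20.5.17 152.2.10.{i + 1} tcp 135")
    # Ping-sweeping host: 80 echo requests to distinct hosts within 20 seconds.
    for i in range(80):
        ts = t0 + timedelta(seconds=i // 4)
        lines.append(f"{ts.isoformat()} 10.20.5.42 152.2.11.{i + 1} icmp 8")
    # Ordinary host: a handful of mail/web connections to three servers.
    for i in range(10):
        ts = t0 + timedelta(seconds=i * 5)
        port = 80 if i % 2 else 25
        lines.append(f"{ts.isoformat()} 10.20.5.3 152.2.20.{(i % 3) + 1} tcp {port}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, port_or_icmp_type)."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port)


def find_scanners(lines, window=timedelta(seconds=60),
                  dcom_threshold=20, icmp_threshold=50):
    """Return {src: set(reasons)} for sources that contact at least
    `dcom_threshold` distinct hosts on TCP/135, or send echo requests to at
    least `icmp_threshold` distinct hosts, inside any `window`-long span."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # (src, kind) -> deque of (timestamp, dst)
    flagged = defaultdict(set)
    for ts, src, dst, proto, port in events:
        if proto == "tcp" and port == 135:
            kind, threshold = "dcom_scan", dcom_threshold
        elif proto == "icmp" and port == 8:
            kind, threshold = "icmp_sweep", icmp_threshold
        else:
            continue                      # not worm-propagation traffic
        q = recent[(src, kind)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                   # slide the window forward
        if len({d for _, d in q}) >= threshold:
            flagged[src].add(kind)
    return dict(flagged)


def apply_port_filter(lines, blocked_ports=(135,), enabled=True):
    """Model the border filter from Theory #1: when enabled, drop TCP traffic
    to the blocked ports; when disabled, pass everything through unchanged."""
    if not enabled:
        return list(lines)
    kept = []
    for line in lines:
        _, _, _, proto, port = parse_line(line)
        if proto == "tcp" and port in blocked_ports:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    log = make_sample_log()
    # With the filter off, both the DCOM scanner and the ping sweep show up;
    # with it on, only the ICMP sweep still reaches the monitored network.
    print("filter off:", find_scanners(apply_port_filter(log, enabled=False)))
    print("filter on: ", find_scanners(apply_port_filter(log, enabled=True)))
```

The two runs at the bottom reproduce the on/off pattern in Theory #1: a port-135 filter at the border hides the DCOM scanning entirely, but not the ICMP echo sweep that Welchia/Nachi uses to find live hosts, which is why a spike that appears and vanishes with a filter change would still leave ping traffic visible while the filter was on.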

Post Final Update: We've identified the virus. It's a variant of Gaobot.

Posted by Bigwig at October 29, 2003 04:26 PM

Alternatively, you could use the DCOMbobulator...

We got hit by Nachi a few weeks ago and are still cleaning it out of the corners. At the time, we went through and applied the 823980 patch. About 2 weeks later we made another sweep to get the 824146 patch applied, and to date haven't had any new virus activity of note. Here's MS's page on their tool to detect unpatched machines:;en-us;827363

Posted by: Kevin at October 29, 2003 04:55 PM

Incidentally, running Windows Update will (of course) pull down both those patches if you don't have them already. Of course, if you have a Nachi variant, you aren't going to be getting anything across your network for all the pinging and infecting that's going on. Bigwig, I know you already know this stuff- this is more for your other readers who might not. If you run Windows, you really ought to run Windows Update on a weekly basis IMHO, even if you only pull down the critical updates.

Posted by: Kevin at October 29, 2003 05:00 PM

Deep sigh. You mean people STILL haven't patched their MS software? What, these people think "this doesn't apply to me because it's too inconvenient"? Such people deserve to be massively inconvenienced and often.

Posted by: Rod at October 29, 2003 05:11 PM

So does this mean Com should still be turned off?

Posted by: Mrs. du Toit at October 30, 2003 12:19 AM

Well, my work machine is still off, but it's closer to the infection. I didn't turn it off on my home machines, though I did update the virus files on each.

As well, there has not been another reported flare up on the UNC campus since this afternoon.

So, you're probably ok leaving it on.

Posted by: bigwig at October 30, 2003 12:51 AM

Mrs. du Toit,

If you are running 95, 98, or ME, you are not vulnerable to this variant of virus. If you have Windows 2000 or XP, then go up to Tools in Internet Explorer, click on Windows Update and install all the critical updates (it will walk you through doing so). At that point you will not be vulnerable to the present DCOM exploits, although you should also run updated virus software. The typical home user who runs Windows Update, updates virus protection on a regular basis, and doesn't open any strange attachments is usually going to be in pretty good shape.

Posted by: Kevin at October 30, 2003 06:04 AM