How TechRepublic members stopped MSBlast and SoBig.F viruses

Learn how TechRepublic members stopped the SoBig.F and MSBlast viruses


The past few months have served as a not-so-gentle reminder that the threat from viruses and worms is far from over. It had been nearly eight months since a significant outbreak had made headlines, but within weeks, IT pros—and the rest of the online world—were focused on several high-profile bugs: MSBlast (a.k.a. W32/Blaster and W32.Lovsan) and SoBig.F.

With so much attention on viruses and security, we wanted to know how TechRepublic members fared. Here’s a rundown of responses to our query on the subject.

Vacation
LiaMarrazzo, a systems admin and security officer, told us that four of her company’s desktops running Windows 2000 Professional had to be cleaned of a variant of MSBlast because the employees were on vacation when the outbreak started and their machines were not patched. She said the infections were caught by Symantec AntiVirus Corporate Edition and picked up by the IT department’s Symantec System Center Console.

At the River Palms Resort & Casino in Laughlin, NV, Ed Halley was a little short-staffed when—with four vacant positions and two IT workers on leave—his network was hit with the MSBlast worm. Cleanup involved updating each machine from the network.

Patches worked
The majority of TechRepublic members who e-mailed us about their experiences told us that they had prepared for such a situation by applying patches. Mark Davidson, who works at a major shipping port on the U.S. West Coast, said his business was spared from MSBlast after he installed the patch on all servers by hand and used a login script to roll out the update on the company’s Windows 2000 and Windows XP workstations. He credits his use of McAfee and daily updates on all his workstations and servers with keeping the business from being hit by SoBig.F. Although several laptop users at Davidson’s business had infected machines, they were cleaned before they were put back on the network.

Another TechRepublic member, NoemiTaylor, an IT manager with Control Management in Columbia, SC, avoided problems with the Blaster worm—and traffic on Microsoft’s update service—by using Symantec’s Intelligent Updater. When she received word of the MSBlast worm, she was receiving “server busy” messages while trying to use the Microsoft Windows Update site. She went to the site’s download center, retrieved the patch, and saved it on the server before deploying it throughout the company. “So in all, keep your systems updated, keep yourself informed, and let your peers know this by relaying important information to them, whether action needs to be taken or not,” Taylor said.

Home users
Several members said home users who neglected to update virus software were more likely to be affected. Diana Bushong, systems administrator for Texas A&M University’s department of communication, said that while none of her department’s computers or servers were hit by either threat, roughly a third of faculty and staff home computers were affected.

“We spent quite a number of person hours making sure our people had the updates on CDs so they could clean off the virus, update their computers for the RPC vulnerability, and then get online so they could do the rest of the updates,” she said.

Christine Mahboob, a network engineer for Hylant Group in Toledo, Ohio, had a similar experience: Only one notebook computer connected to the network was infected with Welchia (a variant of MSBlast), while many users' home computers were. To assist those users, she provided a floppy disk with a patch for the home users' respective systems and instructions on how to get rid of the worm.

In some cases, home users will try to find ways around installing patches and updating their antivirus software, according to member Ian Horton, who characterized them as “not malicious but IT fiddlers who like to find ways around most easy fixes such as setting a high security level for Internet Explorer or setting Outlook to deny access to potentially malicious files. Stopping someone [from] doing what they should not on a laptop in the quiet of their home is a nightmare.”

In praise of firewalls
In addition to antivirus software, others swore by their firewalls. Michael R.H. Eckstein, a network administrator with Virginia Sealing Products, said he had success with Symantec and BlackIce products.

Another member, Michael Nedbal, operations manager for Makai Ocean Engineering, cited a combination of protections for keeping his network clean, including GFI MailSecurity on an e-mail gateway outside of its LAN, Norton Antivirus Corporate Edition on all workstations, and Norton Antivirus for Microsoft Exchange Server on an Exchange 2000 Server. Makai also runs Microsoft ISA Server to act as the SMTP gateway and firewall.

“A combination of an effective firewall and an aggressive antivirus policy helped keep our infections to a minimum,” said John Bodden, a database administrator with Charleston Southern University. Of the roughly 500 users on campus, about a dozen were affected by MSBlast and no one was infected by SoBig.F.

What security threat?
A few of those who responded reminded us that since MSBlast and SoBig.F targeted Microsoft systems, those who run other operating systems experienced no trouble. “Problems with MSBlast worm or the Sobig.F virus? None,” wrote William Lee Collar, director of information services for Jones & Henry Engineers in Toledo, Ohio. “We run Novell NetWare and GroupWise for e-mail. If you're not running Microsoft products everywhere, it's pretty much a non-event.”

Choosing not to upgrade his client machines has kept Dennis Miller's organization from getting hit by threats that target Windows 2000 and Windows XP. Miller, who works at a Novell shop, is still running NT 4.0, Windows 95, and Windows 98. At Los Angeles-based Metal Surfaces, Inc., Raul Trujillo, a junior systems admin, says his employer takes a similar approach: “Many of these viruses are made to work with Outlook and/or Outlook Express, and we use Netscape 7.1 (browser and mail client) for that very reason.”