Important Virus Issue Updates:

August 2003:

SoBig.F is a virus transmitted via the email system, and was set to download instructions from 20 different servers on Friday Aug 22, between 3:00 and 6:00 pm EST, however, the servers which were infected with the code were taken out of action by Friday evening.   This virus expires on September, 10, 2003, and we may see a newer version of it shortly after that.

The infected emails may contain the subject line: "Re: That movie",
"Re: Wicked screensaver", "Re: Your application",
"Re: Approved", "Re: Re: My details", "Re: Details", "Your details",
"Thank you!", or "Re: Thank you!"

You can find a scanner and detailed information at Bit Defender.

more about SoBig.F...

MSBlast(er). Blaster will attack computers using the following operating systems: NT 4.0, Windows 2000, XP, and Server 2003.  This is a virus that is transmitted via an Internet connection rather than by email.   Known as MSBlast, msblast 32, Lovesan, W32.Blaster or Blaster, this virus causes an infected computer to continually reboot.  A version posing as a 'anti'-Blaster worm called Welchia now being found.

more about MS Blast...

If you have a major problem with your computer, viruses are one of the first suspects a technician will investigate.  As of late -2002 a virus known as "Klez" caused more wide-spread damage than any other virus to date.

Viruses come in many shapes and sizes.  The most common way of transmitting a virus these days is through e-mail.  Without going into detail, there are boot sector viruses (they load as soon as the PC is turned on), Trojans (hide them selves inside other programs), poly-morphic (they recreate themselves with new names to avoid detection from anti-virus software), and your simple virus that activates at a given time, or when it is run.

Many viruses (Klez, I Love You, Bug Bear, etc.) not only infect your computer, but they copy your address book (all the people you communicate with via email), and send a copy of the virus to them.

There are web-sites that can create virus like activity on your PC.  Some of the ways that this is done is to have certain "scripts" embedded into the web page so that your computer executes a set of commands you didn't want or expect (or even notice that the page was doing it).  They can download "cookies" (small text files that collect and distribute information) to record what sites you visit, and collect information you may not want to disclose.  They can also upload files and data to your computer.

Protect yourself against this type of attack by putting an anti-virus program in place.  There are many available, and most major companies do allow you to download a trial version that you can test out for free (usually 30 - 90 days.)

The single most important thing to remember is: UPDATE You should update your anti-virus program regularly (at least once a month if not once a week).

A note about on-line scans:

On-line scans will not protect your computer in the future, it only scans your computer at that moment.  It is also a known item that many viruses can and will find ways to avoid these 'online scans'.

SoBig.F
August 23, 2003: Officials warn that when the current version of SoBig.F expires on September 10th, the public should be prepared to expect a new version and attack.  The new version (Probably SoBig.G) is expected at or around September 11th, 2003.

August 18, 2003: SoBig.F is actually an evolution of an older worm (SoBig) that has been rewriten over the years.  This is a very rapidly spreading virus /worm that searces for email address everywhere, and mails out copies of the virus to every email it can find.  Often it will mask the email with subjects such as: the subject: "Re: That movie", "Re: Wicked screensaver", "Re: Your application", "Re: Approved", "Re: Re: My details", "Re: Details", "Your details", "Thank you!", or "Re: Thank you!"

The worm spread very rapidly, and was supposed to contact 20 other 'servers' on Friday evening Aug. 22 between 3 and 6pm EDT. (as well as other dates and times), to get updated instructions and codes.  The response to the worm prior to the 'release' or 'attack' date allowed officials to take down the unsuspecting machines that would have updated the SoBig worm.  At the time, it appears that the only 'attack' was to be a sudden flood of "porn" site information propagating the web.

w32.Blaster:
Microsoft has released info and a patch for the Blaster, and you can find a scanner for the blaster virus here: Norton site.  A mutated version of this virus that pretends to be a "Blaster" cleaner is now in the wild, and known as: Welchia

August 17, 2003: Well, after a rather curious weekend, (and a few very busy days for the webmaster) - the 'attack' on Microsoft was averted.  The bottom line was that on Friday the 15th, Microsoft simply 'un-plugged'  the computer that the MSBlast worm was supposed to attack.  I've seen estimates that say the number of infected computers is anywhere from 50 thousand, to 5 Million.  The solutions to the MS Blaster worm however are now available from most anti-virus companies, and Microsoft has made the patch and information available at Tech Bulliten MS03-026.

August 12, 2003:  A new virus first surfaced on Monday.  The new worm, being refered to as the "Microsoft Blaster virus", quickly infected a large number of computers.
Details:
Blaster will attack computers using the following operating systems: NT 4.0, Windows 2000, XP (both home and professional versions), and Server 2003.  This is a virus that is transmitted via an Internet connection rather than by email.   Known as MSBlast, msblast 32, Lovesan, W32 Blaster or Blaster, this virus causes an infected computer to continually reboot.  The virus works with the DCOM RPC (Remote Proceedure Call) service of a computer, and is scheduled to attack the the windowsupdate.com site belonging to Microsoft on Saturday August 16. 

The Blaster worm and RPC protocol will trigger a tftp.exe file (Trivial File Transfer Protocol) which is often used for minor information transfer rather than ftp.  The Blaster worm, and a couple mutant variations may be installed on a computer under the names: "msblast.exe", "teekids.exe", or "penis32.exe".  

To delete these files, you must first stop the running process by using the ctrl + alt + del to access the task manager.  Then delete the files from your computer.  Update your system with the Microsoft patch.

Ports that the Blaster worm uses are:
TCP 135, TCP Port 444, UDP Port 69 (tftp - see above), (and, possibly, TCP ports: 135-139, 445 and 593)

patch for the Blaster | Norton site.

August 14, 2003: A major power outage in North-East US, and parts of Canada at 4:00 pm EDT, effected most of the north-eastern coast of the United States including major cities such as New York, Cleveland, Toledo, Detroit, and parts of Canada. The impact on the Internet, was not nearly as dramatic as the UUNet/Worldcom backbone problem, due to almost all data centers having their own backup power systems. However, user traffic was down due to the lack of power.

Previous Major Events:

February 2003: The Code Red virus has once again resurfaced in an effort to Slow the Internet with DoS. the WWW was prepared and very little damage was actually done.

February 19, 2003: Internet Hacker News: Over 8 million credit card numbers were stolen through the Internet. FBI and other federal authorities searching for culprit.

January 24, 2003: SQL slammer worm disabled many ATM machines and slowed the Internet greatly. Effects lasted less than half a day. While this was most likely not an 'attack', but rather a test, it did show MANY vulnerabilities that many of the main Internet components had.

January 2003: the Internet was once again subjected to an attack. Similar to the Code Red DoS (Denial of Services) attack (Feb. 2001), this slowed many Internet connections to a crawl on a Saturday morning. The good news was that everyone recovered very quickly from this, and it was more of an annoyance than anything else.

October 22, 2002: At 1:45pm for about one hour an extremely large distributed denial-of-server (DDoS) attack took place. The target of the attack were the 13 DNS root servers, which are responsible forhelping to resolving domain names to their respective IP's. Even though 9 of the 13 servers were disabled in the attack, the remaining were able to support the additional load without any widespead problems. Prior to this attack, the largest outage for the root registry was 7 machines in July of 1997, due to a technical problem. (story from Internet Traffic Report)

November 2001: A virus known as Klez becomes one of the most prolific viruses to date. Many copies and versions of this virus still infect many computers 2 years later.  This is one that does not want to die, as newer versions (such as the Nimda worm) are always finding their way into the wild.

October 3, 2002: For several hours UUNet/Worldcom suffered severe routing issues, which impacted most of their network. The failure caused losses of routes, BGP failures, routing loops, and over-utilization on some circuits during this time. UUNet/Worldcom reconverged their router tables, but still experienced increased latency of several hours thereafter. (story from Internet Traffic Report)

July 19, 2001: Code Red worm starts its' attack.  Using code from the code red virus that was distributed on July 12, the new code re-writes, and on August 4th begins attacking IIS (Microsoft web servers) machines.  Using a 'buffer overflow' vulnerability in the IIS servers, the Code Red virus crippled the Internet for hours.