Re: GAOBOT Worm reinfecting computers

From: Lorrie (amersole_at_evms.edu)
Date: 06/16/04


Date: 16 Jun 2004 11:08:59 -0700


"John McGaw" <nowhere@inparticu.lar> wrote in message news:<#Pe#92tUEHA.3540@TK2MSFTNGP11.phx.gbl>...
> "Lorrie" <amersole@evms.edu> wrote in message
> news:7fa1f531.0406150447.75f7f3ca@posting.google.com...
> > The GAOBOT worm which has been infecting and reinfecting computers.
> > We have not been successful in cleaning numerous computers. We start
> > the systems in safe mode, make sure that the admin account has a secure
> > password, update all critical updates on system, run both of the
> > fxgaobot tools, we run the latest version of the stinger program, make
> > sure that our antivirus program is up to date on definitions and run a
> > full scan of the computer, but the worm seems to make its way back into
> > the computer!!! HELP
> >
> > Lorrie Amerson
> > Eastern Virginia Medical School
> > LAN Administrator
> > amersole@evms.edu
> > fax: 757-446-5702
>
> Some more information would be useful. You say that "but the worm seems to
> make its way back into the computer" but just as important might be WHEN the
> seeming reinfection occurs. At reboot? Soon after reboot? At some random
> time days afterward? Also, what operating system(s) are you running on the
> machines? Firewall in place? Networkwide internet firewall or individual
> firewalls on each computer? Assuming that the machines involved are
> networked, has every machine on the network been checked including laptops
> that come and go and home machines that might be accessing your network
> remotely been thoroughly checked?

The systems show up the next day. We are running Windows 2000 and
Windows XP workstations, and we have Windows 2000 and Windows 2003 servers
running Active Directory. We do have a network-wide firewall, no
individual firewalls. We have checked all computers on campus. We
have also disabled ports which our students use for their laptops,
which has taken them out of the loop. They have been requested to
bring laptops in to be scanned and tested.
We are disabling Windows Messenger on systems also. Thanks for any
help.


