[65222] in North American Network Operators' Group
Re: Santa Fe city government computers knocked out by worm
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Nov 17 10:32:03 2003
From: "Steven M. Bellovin" <smb@research.att.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sun, 16 Nov 2003 06:22:08 EST."
<Pine.GSO.4.44.0311160612490.5893-100000@clifden.donelan.com>
Date: Mon, 17 Nov 2003 10:26:18 -0500
Errors-To: owner-nanog-outgoing@merit.edu
In message <Pine.GSO.4.44.0311160612490.5893-100000@clifden.donelan.com>, Sean
Donelan writes:
>
>The US is still losing relatively major city government computer networks
>due to the Nachi/Welchia worm.
>
>Santa Fe city government's entire computer network was knocked offline
>on Friday by the Nachi worm. City employees could not access e-mail or
>work with their computers all day Friday, and the Santa Fe Public Library
>was not able to access the Internet.
>
>Officials say the worm infected the system when an employee downloaded
>music on a city computer. The article says the worm was able to infect
>the city computer system by first disabling the system's virus detection
>system. Both statements would be notable because known versions of
>Nachi/Welchia don't spread that way.
>
>http://kobtv.com/index.cfm?viewer=storyviewer&id=6232&cat=HOME
>
>No explanation why Santa Fe officials had not patched the city's
>computers in the three months since Microsoft announced the vulnerability
>and released the software updates. Nor why Santa Fe didn't have up to
>date anti-virus programs running on its computers.
>
I draw a different conclusion from the article: the channel from the
techs who worked on it to the reporter was lossy... As you note, Nachi/
Welchia aren't spread by music downloads, nor do they disable AV
software. I suspect that a Trojan'ed file-sharing program is more
likely the culprit.
--Steve Bellovin, http://www.research.att.com/~smb