[714] in resnet
Re: Wanted: Information on Klez Infections
daemon@ATHENA.MIT.EDU (Tunis Cooper)
Tue Jan 29 11:49:51 2002
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <001a01c1a8e4$2df40060$8c1ee280@cc.binghamton.edu>
Date: Tue, 29 Jan 2002 11:44:09 -0500
Reply-To: tcooper@binghamton.edu
From: Tunis Cooper <tcooper@binghamton.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <5.1.0.14.0.20020125210007.02919ae0@post.queensu.ca>
Mike,
Sorry to hear about your infection with Klez. I read up on this worm and
know that you must have your hands full. Here at Binghamton University we
are moving over to McAfee and I have not seen any infections of Klez as of this
AM. I fear that we get this one, it can be devastating.
My game plan at this point is to pull servers off the network if Klez shows
up here. We went through a similar problem with the Explorer.zip worm a
while back and I hope that we learned from that experience.
Good luck to ya.
Tunis Cooper
Network Analyst
Binghamton University Computing Services
Binghamton, NY 13902-6000
tcooper@binghamton.edu
(607) 777-4233 (607) 777-4009 fax
-----Original Message-----
From: Mike Smith [mailto:smithm@POST.QUEENSU.CA]
Sent: Friday, January 25, 2002 9:46 PM
To: RESNET-L@listserv.nd.edu
Subject: Wanted: Information on Klez Infections
I'm looking to share information on Klez experiences. In short, Klez has
proven widespread and damaging at Queen's. Symantec is behaving as though
we are uniquely affected. That does not make sense to me but if it is true
I need to find out what we are doing wrong.
I'd really like two things from anybody who has the time to reply:
1. Where does Klez fit on a scale of 1 to 10 at your institution? 1 being
Definitely not a problem. 10 being Klez has been a nightmare.
2. What AV software do you run?
The answers for Queen's are 10 and Norton AntiVirus Corporate Edition 7.60.
At Queen's, Klez has proven much wider spread and more destructive than
predicted by our AV vendor, Symantec. Our environment includes perhaps
15,000 PCs, "unmanaged" in Symantec's words. We have a site license for
NAV CE and though there are no doubt many machines that are not protected I
would judge that 10,000 or more have NAV 7.51 or 7.60 installed. I would
not predict how many of those machines had the latest virus definitions but
the point is moot: NAV did not detect the infection until almost a week
after we first saw it appear.
I think a conservative estimate is that 100 machines have been wiped out by
Klez this week. Symantec and indeed other AV vendors don't seem to think
it is a big deal. We freely admit that we don't understand how it works
but cleaning it seems almost impossible.
Thanks for your attention. It has been a very long week.
Mike Smith
Information Technology Services
Queen's University
(613) 533-2024
smithm@post.queensu.ca
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________