[Pseudocyber]

We got hit with this tonight. http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Symptoms of infection were severe degredation in internet connection speed. Had difficulty looking at firewall logs because it was logging so much it was degrading the disk i/o writing so many drops to the log. Packet captures from the firewall showed 80% of traffic was ICMP requests.

This #@#@# worm is supposedly "helpful" but it brought down our internet access - which is where all our e-commerce flows through ... :fire:

 

[johnwill]

That one took a few days to get to you. How did it get past your firewall?

 

[Pseudocyber]

That one took a few days to get to you. How did it get past your firewall?

We have Ironmail filtering out the attachments, and the firewall was blocking it. Only thing I can think of is some @#[email protected]#$#%#$#% LUser opening an email attachment ... there were some old machines brought online recently that hadn't been patched, so it started thrashing the firewall with ICMP scans ... :upset:

We have a client we're supposed to load on all our machines which the help desk can see our software, patch levels, and push out new software and anti-virus updates ... some of the IT people thought they were above that and didn't load it ... and got the virus! The VP of IT was about to rip them a new one ... now they've put out an email that if the client isn't loaded, some VIP's will be "talking to you" ...

 

[johnwill]

I know my friend at Bristol-Myers Squibb says that folks bringing in their laptops and plugging them into the network was how they got the MSBLASTER worm in the first place.