noticeboard.ru.ac.za

2004/07/26 Sasser Worm Outbreak
Rhodes is currently suffering the effects of a Sasser outbreak. It appears as if the outbreak originated in Cullen Bowles house, presumably brought onto the network by a returning student who didn't heed the calls in May to ensure that all machines were patched against this vulnerability.

This virus connects to TCP port 445 on vulnerable computers and exploits the LSASS service; amongst other things, it causes an error message referring to the LSASS process to appear and then shuts the computer down. Both Windows XP and Windows 2000 are affected.

Patches and removal tools for this virus are available on the software and studsoft pages. Users also need to ensure that their machines are running the latest service pack (SP4 for Windows 2000, SP1 for XP; also on the software pages). You are also advised to ensure that your computer receives its updates from the SUS server. Users who are experiencing difficulty obtaining the patches can collect copies from Software Support.

Depending on the total number of machines that become infected by this virus (currently there are about forty on main campus and an undetermined number on the residence network), users may experience degraded network performance or intermittent connectivity, because every infected machine continuously probes other hosts on TCP/445 looking for new victims. This hasn't happened yet but is a possible side effect of this type of infection.

Residence network users (including wardens who connect via the ResNet infrastructure) should be aware that steps have been taken to contain outbreaks to individual residences. Connections to TCP/445 and UDP/445 have been blocked completely between each of the residence subnets as well as between ResNet and main campus. A side effect of this action is that ResNet users won't be able to connect to Active Directory services outside of their subnet, since domain logon, group policy and Windows file sharing all use this port.

It appears that there are also copies of the Korgo worm floating around campus. This virus works in exactly the same way as Sasser (it exploits the same LSASS vulnerability that Microsoft announced and patched in April this year, bulletin MS04-011).
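
Blocking 445 between subnets stops the spread, but it does not tell you which machines are infected. The following PowerShell script is an added example (it is not part of this notice and not a Rhodes IT tool): it reads firewall log lines of the kind a border router produces when it drops those 445 connections, counts how many distinct addresses each source has tried to reach on TCP/445, and flags sources that exceed a threshold, which is how a Sasser or Korgo host looks from the network. The log format (netfilter-style `SRC=... DST=... PROTO=TCP ... DPT=445`), the addresses and the sample lines are constructed for illustration; adjust the regular expression to whatever your own firewall logs.

```powershell
# Added example (not from the Rhodes notice). Finds hosts that behave like a
# Sasser/Korgo-infected machine: many connection attempts to TCP/445 on many
# different addresses in a short time. Log format and addresses are constructed
# (netfilter-style "SRC=... DST=... PROTO=TCP ... DPT=445" lines); adapt the
# regular expression to whatever your border router or firewall actually logs.

function Find-Port445Scanners {
    param(
        [Parameter(Mandatory = $true)] [string[]] $LogLines,
        [int] $Threshold = 20    # distinct TCP/445 targets before a source is flagged
    )

    $pattern = 'SRC=(?<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?<dst>\d{1,3}(?:\.\d{1,3}){3})\s+PROTO=TCP\b.*\bDPT=445\b'

    # source address -> set of distinct destinations it probed on 445
    $targets = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $src = $Matches['src']
            $dst = $Matches['dst']
            if (-not $targets.ContainsKey($src)) { $targets[$src] = @{} }
            $targets[$src][$dst] = $true
        }
    }

    foreach ($entry in $targets.GetEnumerator()) {
        if ($entry.Value.Count -ge $Threshold) {
            [pscustomobject]@{
                Source          = $entry.Key
                DistinctTargets = $entry.Value.Count
            }
        }
    }
}

# Constructed sample: 10.20.1.14 sweeps forty addresses in the next subnet
# (the worm's behaviour); 10.20.1.22 talks repeatedly to a single file server
# and also uses port 139, which is ordinary Windows file sharing.
$SampleLog = @(
    1..40 | ForEach-Object {
        "Jul 26 09:12:01 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.1.14 DST=10.20.2.$_ PROTO=TCP SPT=$(1048 + $_) DPT=445"
    }
    1..5 | ForEach-Object {
        "Jul 26 09:12:02 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.1.22 DST=10.20.2.5 PROTO=TCP SPT=$(3200 + $_) DPT=445"
    }
    "Jul 26 09:12:03 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.1.22 DST=10.20.2.5 PROTO=TCP SPT=3210 DPT=139"
)

Find-Port445Scanners -LogLines $SampleLog -Threshold 20 |
    Sort-Object DistinctTargets -Descending |
    Format-Table -AutoSize
```

The distinction the script relies on is breadth, not volume: a legitimate workstation may open many 445 connections to its file server, but only a scanning worm tries dozens of different addresses. Feed it the live log with `Get-Content` and lower the threshold if your subnets are small.
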

According to Microsoft's advisory both Windows XP and 2000 are vulnerable even after installing the latest service packs. You need to install the appropriate patch for your machine. Users can check whether this patch is installed by opening Add or Remove Programs (Start / Control Panel / Add or Remove Programs) and looking for an entry mentioning Windows Hotfix KB835732. If you don't have the KB835732 hotfix, you are still vulnerable.
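
For administrators who need to check more than one machine, the following PowerShell script is an added example (not part of this notice and not a Rhodes IT tool). It queries the same hotfix list that Add or Remove Programs displays (the WMI class Win32_QuickFixEngineering) for KB835732 and reports the service pack level, locally or on a remote machine you have administrative rights on. The computer names in the sweep at the end are constructed; it needs Windows PowerShell, which provides Get-WmiObject.

```powershell
# Added example (not from the Rhodes notice). Confirms that the MS04-011 LSASS fix
# (hotfix KB835732) is installed and reports the service pack level, locally or on a
# remote machine you can administer. Win32_QuickFixEngineering is the same hotfix
# list that Add or Remove Programs shows. Needs Windows PowerShell (Get-WmiObject).

function Test-LsassPatch {
    param(
        [string] $ComputerName = '.',          # '.' is the local machine
        [string] $HotFixId     = 'KB835732'
    )

    # -ErrorAction Stop turns an unreachable host into a catchable error
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName -ErrorAction Stop |
           Where-Object { $_.HotFixID -eq $HotFixId }

    # CSDVersion is e.g. "Service Pack 4" on Windows 2000, empty when none is installed
    $sp = if ($os.CSDVersion) { $os.CSDVersion } else { 'no service pack' }

    [pscustomobject]@{
        Computer    = $ComputerName
        OS          = $os.Caption
        ServicePack = $sp
        Patched     = [bool]$fix
        HotFix      = $HotFixId
    }
}

# Sweep a list of machines (constructed names) and list the ones still exposed.
$hosts = 'cb-room12', 'cb-room14', 'lib-pc07'
$results = foreach ($h in $hosts) {
    try { Test-LsassPatch -ComputerName $h }
    catch {
        Write-Warning "${h}: $($_.Exception.Message)"
        [pscustomobject]@{ Computer = $h; OS = $null; ServicePack = $null; Patched = $null; HotFix = 'KB835732' }
    }
}
$results | Where-Object { $_.Patched -ne $true } | Format-Table -AutoSize
```

A machine that cannot be queried is listed as unpatched rather than silently skipped, since an unreachable host during an outbreak is exactly the one to walk over to. One caveat: the notice is correct that neither Windows 2000 SP4 nor XP SP1 contains this fix, but a machine later rebuilt from a service pack that does include it will not list KB835732 as a separate hotfix, so extend the check to accept that service pack level once such a release is in use.
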