Facing Two Rapidly Spreading Internet Worms



The Internet is currently facing a growing number of computer infections due to two rapidly spreading worms. The "Conficker" and "Downadup" worms have infected an estimated 1.1 million PCs in a 24-hour period, bringing the total number of infected computers to 3.5 million [1]. Via a single USB stick, these worms were also responsible for the infection of about 40 laptops at the last EGEE conference in Istanbul. In order to reduce the impact of these worms on CERN Windows computers, the Computer Security Team has suggested several preventive measures described here.

Disabling the Windows AutoRun and AutoPlay Features

The Computer Security Team and the IT/IS group have decided to disable the "AutoRun" and "AutoPlay" functionality on all centrally-managed Windows computers at CERN. When inserting CDs, DVDs or USB sticks into a PC, "AutoRun" and "AutoPlay" are responsible for automatically playing music or films stored on these media, or for automatically executing programs (the latter feature was responsible for the EGEE infections). Disabling this functionality will be enforced automatically without any action required by users. It will take place in mid-February at the same time as the security patches are deployed on all centrally managed Windows computers at CERN.

From then on, after inserting a CD, DVD or USB stick into their PC, users will have to click on "My Computer" in order to access the data stored on the medium. In particular, they will NOT see a pop-up window like the one in the picture asking what action should be taken by the system.

Please note that FAQ articles are available which describe in detail two scenarios affected by our change:

https://cern.ch/it-faqs/Lists/faqs/DispForm.aspx?ID=174

https://cern.ch/it-faqs/Lists/faqs/DispForm.aspx?ID=175
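The following is an added example, not part of the original bulletin and not CERN's own tooling: a read-only PowerShell check showing for which drive types AutoRun is still allowed on a Windows PC. It assumes the standard Windows policy value NoDriveTypeAutoRun under the Policies\Explorer registry key, which the bulletin does not name; how the setting is enforced centrally at CERN is not stated on this page.

```powershell
# Added example: read-only audit of the AutoRun policy (it changes nothing).
# Assumption: the standard Windows policy value NoDriveTypeAutoRun, a bitmask
# in which a set bit disables AutoRun for that drive type.
$DriveTypes = @(
    @{ Bit = 0x01; Name = 'unknown drive type' },
    @{ Bit = 0x04; Name = 'removable media (USB sticks)' },
    @{ Bit = 0x08; Name = 'fixed disks' },
    @{ Bit = 0x10; Name = 'network drives' },
    @{ Bit = 0x20; Name = 'CD/DVD drives' },
    @{ Bit = 0x40; Name = 'RAM disks' },
    @{ Bit = 0x80; Name = 'unknown drive type (reserved bit)' }
)

function Get-AutoRunExposure {
    # Returns the drive types whose bit is NOT set, i.e. AutoRun still allowed.
    param([int]$Mask)
    $DriveTypes | Where-Object { ($Mask -band $_.Bit) -eq 0 } |
        ForEach-Object { $_.Name }
}

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $PolicyKeys) {
    $prop  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.NoDriveTypeAutoRun } else { $null }
    if ($null -eq $value) {
        # Key or value absent: no policy here, Windows applies its default.
        Write-Output "$key : NoDriveTypeAutoRun not set (AutoRun not disabled by policy here)"
        continue
    }
    # The value is normally a REG_DWORD; some tools write it as REG_BINARY.
    if ($value -is [byte[]]) { $value = $value[0] }

    $exposed = @(Get-AutoRunExposure -Mask $value)
    if ($exposed.Count -eq 0) {
        Write-Output ('{0} : 0x{1:X2} AutoRun disabled for all drive types' -f $key, $value)
    } else {
        Write-Output ('{0} : 0x{1:X2} AutoRun still allowed for: {2}' -f $key, $value, ($exposed -join ', '))
    }
}
```

Run it in a PowerShell session as the logged-in user; the HKCU line reflects that user's own policy, the HKLM line the machine-wide one.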

Further Advice

The Computer Security Team strongly suggests that users of "shared" Windows folders review these folders’ access permissions. "Shared folders" are folders made visible to other users at CERN. Such folders should never grant "write" access privileges to everybody. Current access privileges can be easily verified through the folders’ properties.

Finally, the Computer Security Team reminds all users of so-called "locally managed" Windows PCs to apply all missing patches as soon as possible, in particular that of October 2008. The patches are available through CMF.

If you need help with any of these issues or have questions, please contact the Computing Helpdesk at Helpdesk@cern.ch.

Thank you for your understanding and collaboration

The Computer Security Team

[1] SANS NewsBites (2009/01/16; https://www.sans.org/newsletters/newsbites/)


by IT Department