History
Incidents of the Gaobot/Phatbot/Agobot/Morphine Worm on the LAUSD Network: This announcement concerns the infection of a significant number of computers on the LAUSD network with a family of Internet "worms" known as Gaobot, Phatbot, Agobot, or Morphine. The names vary according to their identification by various computer security companies. This document was compiled with information from a wide variety of Internet sources related to the worm, and is accurate according to information currently available to the District. General information regarding problems caused by the Gaobot worm family and the effect that it has had on networks worldwide is described in the following article: http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
WHAT HAS LAUSD DONE:
We have seen a dramatic rise in the incidence of this family of worms beginning the afternoon of Friday, April 23. The District has since been compelled to take significant action to slow the spread of the worm, including:
- Eliminating "Windows File/Print Sharing" and "Windows Domain Logon Services" access between remote networks, with the exception of the Beaudry Data Center, the KMPG Building, and Local District Offices.
- Eliminating "Windows File Sharing" and "Windows Print Sharing" access between floors of the Beaudry building.
If users on a local network are sharing folders or printers on Windows machines with users on another local network, they will likely experience interruptions in these services. When worm activity is reduced to manageable levels, the District will evaluate the most appropriate manner to re-establish or replace these services. If a school or District office has its own Windows Domain and allows computers on an outside local network to log into that domain, this service may also be disrupted. However, where such disruptive actions were not taken, worm activity has in many cases caused a complete loss of local network service.
The actions above have significantly slowed the spread of the worm. However, one or two computers on a single local network can create significant disruption on that network. The District may be compelled to take further action, including further restricting "Windows File/Print Sharing" and "Domain Logon Services" between local networks in order to prevent further network disruptions. For those computers connected to the "lausd.net" domain, login scripts may be added when you log into your machine to automatically change select local settings to further prevent the worm from spreading.
Unfortunately, this family of worms is particularly powerful for a variety of reasons:
- (Most importantly): If a machine was installed with administrator accounts that have weak passwords, the worm is capable of logging into the machine, disabling most antivirus and/or local firewall software, and infecting it. Antivirus software alone is not enough to stop the spread of the virus!
- There are (as of April 21) more than 75 variants of the worm.
- The variants exploit multiple vulnerabilities in the Windows family of operating systems
- The worm does not spread via email, and therefore is not prevented by central District email antivirus filtering.
- The worm can infect multiple versions of Windows, including Windows 95, 98, ME, NT, 2000, and XP (Although Windows NT, 2000 or XP are the most susceptible to the full effects of the virus.)
- The worm can disrupt your ability to communicate with the Microsoft "Windows Update" website and/or Antivirus websites to update the operating system and antivirus definitions.
SYMPTOMS:
Symptoms of the worm include:
- Sudden termination of Symantec/Norton Antivirus Software (the "Yellow Shield" in the lower right corner of the screen disappears or is not present).
- The task manager closes immediately when you open it with Ctrl-Alt-Del.
- The Registry Editor (regedit or regedt32) closes immediately when you open it.
- Redirection to other web sites (e.g., www.google.com) when you attempt to visit antivirus web sites such as www.symantec.com.
- Inability to use any antivirus or Windows Update websites (such as www.symantec.com or windowsupdate.microsoft.com) or network services due to a "DNS Error".
Any system that has been infected can be controlled remotely by a malicious user and should be considered insecure and should not be used. Please disconnect the computer from the network immediately.
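The last two symptoms above (antivirus sites redirected elsewhere, or unreachable with a "DNS Error") are commonly produced by entries written into the local Windows hosts file, which is consulted before DNS. The following script is an added example, not part of the District's announcement or its attached instructions: it parses a hosts file and flags any line that maps an antivirus or update hostname. The sample hosts file content is constructed for illustration; the hostnames other than www.symantec.com, windowsupdate.microsoft.com and www.sarc.com, and the file path, are assumptions.

```python
import ipaddress
import os

# Hostnames named in the advisory, plus a few assumed update/AV hosts.
# A clean Windows hosts file maps only "localhost", so ANY entry for
# one of these names is worth a closer look.
WATCHED_HOSTS = {
    "www.symantec.com",
    "windowsupdate.microsoft.com",
    "www.sarc.com",
    "securityresponse.symantec.com",  # assumed
    "liveupdate.symantecliveupdate.com",  # assumed
}

# Addresses that make a site unreachable rather than redirecting it.
NULL_OR_LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Default location of the hosts file on Windows NT/2000/XP (assumption).
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: a normal localhost line followed by the kind of
# entries that would explain the symptoms in the advisory.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       windowsupdate.microsoft.com
192.0.2.10      www.sarc.com          # TEST-NET address, constructed
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file body.

    Comments (#...) and blank lines are skipped; a line must start with
    a syntactically valid IPv4/IPv6 address to count. Hostnames are
    lower-cased because hosts-file matching is case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry; ignore
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked_entries(text, watched=WATCHED_HOSTS):
    """Flag watched hostnames that appear anywhere in the hosts file.

    Loopback or null addresses block the site (seen as a "DNS Error");
    any other address silently redirects it, matching the symptom list.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            effect = "blocked" if ip in NULL_OR_LOOPBACK else "redirected"
            findings.append({"host": name, "ip": ip, "effect": effect})
    return findings


def check_file(path=DEFAULT_HOSTS_PATH):
    """Read a real hosts file if present; otherwise return None."""
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacked_entries(fh.read())


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real file if any.
    for hit in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{hit['host']:<32} {hit['ip']:<16} {hit['effect']}")
    real = check_file()
    if real is not None:
        print(f"{len(real)} suspicious entries in {DEFAULT_HOSTS_PATH}")
```

A machine that shows any finding here matches the redirection symptom and should be treated as infected per the section that follows (disconnect it and contact the Help Desk) rather than simply having the lines deleted, since the worm also disables antivirus software and can re-write the file.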
IF A MACHINE IS INFECTED - WHAT SHOULD YOU DO:
- PHYSICALLY DISCONNECT THE SYSTEM FROM THE NETWORK.
- Contact the ITD Help Desk at (323) 224-2277.
IF IT DOES NOT APPEAR A MACHINE IS INFECTED:
If a machine is not infected, actions must STILL be performed to prevent spread of the worm. These instructions are complex. If you are not comfortable or capable of performing the actions described, call the ITD Help Desk at (323) 224-2277 or consult with your local school or office technology coordinator.
If a machine does not appear to be infected, instructions to help prevent the spread of the virus to a machine may be found below.
ADDITIONAL NOTES:
If the District detects that a machine is causing disruption on a local network due to this (or any) virus or worm, ITD Network Operations and/or Security may be compelled to terminate that machine's access to the District network and place a trouble call with the ITD Help Desk for resolution.
The District regrets the inconvenience that these actions may cause. Any actions performed or contemplated by the District to stop the spread of this worm have considered, and will consider, the impact on end users to the maximum extent practical without jeopardizing vital network services.
Instructions on how to help prevent the Gaobot virus from spreading to your computer are attached.
Thank you for your cooperation.
Related Information and Web Sites
District Employees and sites may download anti-virus software here: http://software.lausd.k12.ca.us/ .
Symantec offers removal tools for machines that have been infected: Gaobot Removal tool
For more information about tools available from Symantec go to http://www.sarc.com/