Re: Santa Fe city government computers knocked out by worm

["Steven M. Bellovin" <smb () research att com>]

In message <Pine.GSO.4.44.0311160612490.5893-100000 () clifden donelan com>, Sean 
Donelan writes:
> The US is still losing relatively major city government computer networks
> due to the Nachi/Welchia worm.
>
> Sante Fe city government's entire computer network was knocked offline
> on Friday by the Nachi worm.  City employees could not access e-mail or
> work with their computers all day Friday, and the Santa Fe Public Library
> was not able to access the Internet.
>
> Officials say the worm infected the system when an employee downloaded
> music on a city computer.  The article says the worm was able to infect
> the city computer system by first disabling the system's virus detection
> system.  Both statements would be notable because known versions of
> Nachi/Welchia don't spread that way.
>
> http://kobtv.com/index.cfm?viewer=storyviewer&id=6232&cat=HOME
>
> No explaination why Sante Fe officials had not patched the city's
> computers in the three months since Microsoft announced the vulnerability
> and released the software updates.  Nor why Sante Fe didn't have up to
> date anti-virus programs running on its computers.

I draw a different conclusion from the article:  the channel from the 
techs who worked on it to the reporter was lossy...  As you note, Nachi/
Welchia aren't spread by music downloads, nor do they disable AV 
software.  I suspect that a Trojan'ed file-sharing program is more 
likely the culprit.

                --Steve Bellovin, http://www.research.att.com/~smb