Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

W32 Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html ^ | CERT

Posted on 08/12/2003 11:30:56 AM PDT by dfrussell

This thing seems to be spreading quite quickly. If you're using MS and haven't verified your system, you should.

If you're not using a firewall, you should.

http://www.sygate.com will allow you to download and install a personal firewall -- it's easy to install.

Internet Security Systems (http://www.iss.net) has released a scan tool to check for the MS03-026 patch on Windows servers.

Location:

http://www.iss.net/support/product_utilities/ms03-026rpc.php


TOPICS: News/Current Events; Technical
KEYWORDS: lovesan; mdm; ms; w32blasterworm; worm
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 last
To: Jack Black
what are peoples experience w/ Zone Alarm, Black Ice and other firewalls?

Better than no wall at all. I heard someone used the free ZA to stop the attacks (and resulting reboots) long enough to zap the reg key and executable. If ZA works for you, great.

I use iptables myself...

61 posted on 08/12/2003 1:49:54 PM PDT by TechJunkYard (because... so much is riding on your wires)
[ Post Reply | Private Reply | To 56 | View Replies]

To: Jack Black
Mr. FourPeas has experience with these. Unfortunately right now he's knee deep trying to disinfect his networks. I'll see if I can get some info from him when he come up for air.
62 posted on 08/12/2003 1:52:31 PM PDT by FourPeas
[ Post Reply | Private Reply | To 56 | View Replies]

To: NormB
I got the same hit yesterday -- svchost.exe kept failing on memory reads, and file transfers were failing.

I must take the blame for this one. Normally I run behind a VPN that keeps me protected, but a week ago I moved outside the VPN to expose a development web site to a prospective customer. Getting back behind the VPN was one of those things I "was going to get to just as soon as I get a break." I paid for that one!

63 posted on 08/12/2003 1:52:58 PM PDT by StevieB
[ Post Reply | Private Reply | To 41 | View Replies]

To: Billthedrill
Shhhhhh! Not so loud! The Server Gods have an NDA that is wicked! You signed it, didn't you? You really don't want to get on the bad side of their legal staff....

(for the non-techies out there, NDA stands for Non-Disclosure Agreement.)

64 posted on 08/12/2003 1:57:24 PM PDT by Elliott Jackalope (this tagline is currently under construction....)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Joe Hadenuf
Does this specific virus affect windows ME operating systems?

This is NOT a virus. It is a worm.

65 posted on 08/12/2003 1:59:05 PM PDT by expatguy
[ Post Reply | Private Reply | To 3 | View Replies]

To: dfwgator
Oh, I agree it IS someone's responsibility, but so many of the people with laptops are entirely clueless when it comes to patching and with recent labor cuts IT doesn't have enough staff to dedicate the manpower necessary to do it. Frankly, it appears most manufacturing firms are quite lax when it comes to security, only finding it important once they're smacked really hard. Oddly enough, Mr. FourPeas' company has already been hit with viruses (what Fortune 500 hasn't), but still doesn't consider it that much of a priority until, of course, some virus/hack/dns starts reaking havoc yet again. As in many large manufacturing companies, the senior VP for IT doesn't have a background in technology. He's comes to IT from manufacturing because he was part of a computerized ERP implementation.

The cost of security, like the cost of quality, is so intangible. If it doesn't appear on the financials, it doesn't matter.

66 posted on 08/12/2003 1:59:41 PM PDT by FourPeas
[ Post Reply | Private Reply | To 58 | View Replies]

To: Billthedrill
Of course, merely posting this will tell the Computer Gods that I am ripe for yet another Humbling Experience.

Ain't that the truth.

67 posted on 08/12/2003 2:02:11 PM PDT by FourPeas
[ Post Reply | Private Reply | To 51 | View Replies]

To: FourPeas
You can pay now, or you will pay later *sigh*
68 posted on 08/12/2003 2:02:56 PM PDT by dfwgator
[ Post Reply | Private Reply | To 66 | View Replies]

To: dfwgator
Yup.
69 posted on 08/12/2003 2:05:55 PM PDT by FourPeas
[ Post Reply | Private Reply | To 68 | View Replies]

To: NormB
That is the SAME EXACT problem that I have, but now my SVChost.exe is toast, have you figured out a way to fix it without having to reload the entire OS?

Any advice you might have would be appreciated.

The worm is gone, but the damage is done, now how to fix it.
70 posted on 08/12/2003 2:08:25 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
[ Post Reply | Private Reply | To 41 | View Replies]

To: Jack Black
I love zone alarm, you just can't share internet access through it if you are on a modem, which bites, but means that I have to turn it off when the wife is using her machine.

Oh, and she got the little bastage too, but caught it before it did any damage.
71 posted on 08/12/2003 2:10:51 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
[ Post Reply | Private Reply | To 56 | View Replies]

To: Aric2000
what kind of modem? I have a DSL->Switch->multiple computers and ZA works fine on each of the computers.
72 posted on 08/12/2003 2:24:33 PM PDT by Jack Black
[ Post Reply | Private Reply | To 71 | View Replies]

To: Jack Black
That's because of the switch, I use a 56K modem right now, and I cannot share my modem with Zonealarm on for some reason, I have played with it for hours and haven't been able to make it work.

Once I get my DSL hooked, hopefully within a week or so, I can turn on Zonealarm forever!!
73 posted on 08/12/2003 2:28:31 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
[ Post Reply | Private Reply | To 72 | View Replies]

Place holder
74 posted on 08/12/2003 2:31:10 PM PDT by Eaker (This is OUR country; let's take it back!!!!!)
[ Post Reply | Private Reply | To 72 | View Replies]

To: Aric2000
I used a hub before the switch. Hubs go for as little as $20 at CompUSA. They are passive so require no setup, just plug and go. (try first using the cable that now connects the modem to your computer to connect the modem to the switch or hub... if that doesnt' work substitute a normal Cat 5 cable instead). I use NetGear stuff which works for me. Good luck.
75 posted on 08/12/2003 2:32:07 PM PDT by Jack Black
[ Post Reply | Private Reply | To 73 | View Replies]

To: AppyPappy
Not sure on ZoneAlarm specifically but firewall's generally allow or deny traffic based on ports. Web server traffic (http) usually come in on port 80. So what you want to tell ZoneAlarm is to allow incoming traffic on port 80. (Or whatever port your server is running on.)
76 posted on 08/12/2003 2:40:27 PM PDT by Lost Highway
[ Post Reply | Private Reply | To 43 | View Replies]

To: Jack Black
what are peoples experience w/ Zone Alarm, Black Ice and other firewalls?

Personally, I am running ATguard and BlackIce. For some reason, I started getting a lot of TCP probes a couple of days ago, and now I am getting a HUGE amount of MSRPC port probes.

77 posted on 08/12/2003 4:22:29 PM PDT by Utilizer
[ Post Reply | Private Reply | To 56 | View Replies]

To: Aric2000
Here's what I did. It was a pain.
Not knowing what was going on, I first reinstalled IE6.
After rebooting, the machine was stable enough to run windows update and apply SP4.
Then reboot, and Apply all other patches.
I think at that point my machine was clean.
Reboot again and check symantec for fixblast and run it just to be sure.
Lastly set up a software firewall.
Hope this helps.
78 posted on 08/13/2003 6:25:18 AM PDT by NormB
[ Post Reply | Private Reply | To 70 | View Replies]

To: NormB
Microsoft Windows Update Site this morning:

HTTP/1.1 Server Too Busy

Terrific.

79 posted on 08/13/2003 6:29:43 AM PDT by New Horizon
[ Post Reply | Private Reply | To 78 | View Replies]

To: dfrussell
My Finance networking group provided a detailed instruction set including the number of the S patch which will "fix" the problem close the loophole!

This worm takes advantage of the security flaw that was highlighted by the US Dept, of Homeland Security a few weeks ago.

The good news

If you've followed our advice in WWW 6.12 then you're already protected from the worm.

To double-check run Windows Update to grab any critical patches then you'll already have the fix that prevents Blaster from infecting your computer.

To make sure you have the right fix, go to Settings | Control Panel |

Add/Remove Software then scroll down to the long list of fixes. Look for one labeled with the number 823980 - that's the fix you need.

If that patch (823980) is installed already you can rest easy.

To double-check open up your browser and go to Tools | Windows Update, allow the computer to be scanned for updates and install any critical updates that are listed for you. Be patient, Windows Update is running slowly at the moment because so many people are trying to catch up with their patches.

Or here's Microsoft's links to separate patches:

Windows NT 4.0 Server Windows NT 4.0 Terminal Server Edition Windows 2000 Windows XP 32 bit Edition (this includes all Home and Pro edition users) Windows XP 64 bit Edition (the 64-bit edition is specially marked and requires a special computer, if you have this special setup you'd know it) Windows Server 2003 32 bit Edition Windows Server 2003 64 bit Edition (the 64-bit edition is specially marked and requires a special computer, if you have this special setup you'd know it)

If you're in doubt about whether you have the 32 or 64 bit edition, use Windows Update to work it out for you. However in almost all cases you'll have the 32-bit edition of Windows.

However patching is a preventative measure only. If your computer has already been infected then you need to take steps to remove the worm.

See if the worm is 'turning' You can see if your computer is infected with Blaster by running your anti-virus software AFTER you've downloaded the latest virus information.

Scanning your computer with out-of-date information is virtually useless.

Or you can see if the worm program is running.

Press Ctrl + Alt + Del

Choose Task Manager

Choose the Processes tab

Click on the 'Show processes for all users' option Click on the heading 'Images' to sort the list alphabetically.Look down the list for msblast.exe If you find it, click on that entry then 'End Process' That will stop the worm from running, but you still have to remove it from your computer.

Symantec has released a free removal tool in case you need it.

80 posted on 08/13/2003 7:17:47 AM PDT by Young Werther
[ Post Reply | Private Reply | To 1 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson