W32 Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html | CERT
Posted on 08/12/2003 11:30:56 AM PDT by dfrussell
This thing seems to be spreading quite quickly. If you're using MS and haven't verified your system, you should.
If you're not using a firewall, you should.
http://www.sygate.com will allow you to download and install a personal firewall -- it's easy to install.
Internet Security Systems (http://www.iss.net) has released a scan tool to check for the MS03-026 patch on Windows servers.
Location:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
TOPICS: News/Current Events; Technical
KEYWORDS: lovesan; mdm; ms; w32blasterworm; worm
To: Jack Black
what are people's experience w/ Zone Alarm, Black Ice and other firewalls?
Better than no wall at all. I heard someone used the free ZA to stop the attacks (and resulting reboots) long enough to zap the reg key and executable. If ZA works for you, great.
I use iptables myself...
61 posted on 08/12/2003 1:49:54 PM PDT by TechJunkYard (because... so much is riding on your wires)
To: Jack Black
Mr. FourPeas has experience with these. Unfortunately right now he's knee deep trying to disinfect his networks. I'll see if I can get some info from him when he comes up for air.
62 posted on 08/12/2003 1:52:31 PM PDT by FourPeas
To: NormB
I got the same hit yesterday -- svchost.exe kept failing on memory reads, and file transfers were failing.
I must take the blame for this one. Normally I run behind a VPN that keeps me protected, but a week ago I moved outside the VPN to expose a development web site to a prospective customer. Getting back behind the VPN was one of those things I "was going to get to just as soon as I get a break." I paid for that one!
63 posted on 08/12/2003 1:52:58 PM PDT by StevieB
To: Billthedrill
Shhhhhh! Not so loud! The Server Gods have an NDA that is wicked! You signed it, didn't you? You really don't want to get on the bad side of their legal staff....
(for the non-techies out there, NDA stands for Non-Disclosure Agreement.)
64 posted on 08/12/2003 1:57:24 PM PDT by Elliott Jackalope (this tagline is currently under construction....)
To: Joe Hadenuf
Does this specific virus affect windows ME operating systems?
This is NOT a virus. It is a worm.
65 posted on 08/12/2003 1:59:05 PM PDT by expatguy
To: dfwgator
Oh, I agree it IS someone's responsibility, but so many of the people with laptops are entirely clueless when it comes to patching, and with recent labor cuts IT doesn't have enough staff to dedicate the manpower necessary to do it. Frankly, it appears most manufacturing firms are quite lax when it comes to security, only finding it important once they're smacked really hard. Oddly enough, Mr. FourPeas' company has already been hit with viruses (what Fortune 500 hasn't), but still doesn't consider it that much of a priority until, of course, some virus/hack/dns starts wreaking havoc yet again. As in many large manufacturing companies, the senior VP for IT doesn't have a background in technology. He comes to IT from manufacturing because he was part of a computerized ERP implementation.
The cost of security, like the cost of quality, is so intangible. If it doesn't appear on the financials, it doesn't matter.
66 posted on 08/12/2003 1:59:41 PM PDT by FourPeas
To: Billthedrill
Of course, merely posting this will tell the Computer Gods that I am ripe for yet another Humbling Experience.
Ain't that the truth.
67 posted on 08/12/2003 2:02:11 PM PDT by FourPeas
To: FourPeas
You can pay now, or you will pay later *sigh*
68 posted on 08/12/2003 2:02:56 PM PDT by dfwgator
To: dfwgator
Yup.
69 posted on 08/12/2003 2:05:55 PM PDT by FourPeas
To: NormB
That is the SAME EXACT problem that I have, but now my SVChost.exe is toast, have you figured out a way to fix it without having to reload the entire OS?
Any advice you might have would be appreciated.
The worm is gone, but the damage is done, now how to fix it.
70 posted on 08/12/2003 2:08:25 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
To: Jack Black
I love zone alarm, you just can't share internet access through it if you are on a modem, which bites, but means that I have to turn it off when the wife is using her machine.
Oh, and she got the little bastage too, but caught it before it did any damage.
71 posted on 08/12/2003 2:10:51 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
To: Aric2000
What kind of modem? I have a DSL->Switch->multiple computers and ZA works fine on each of the computers.
To: Jack Black
That's because of the switch, I use a 56K modem right now, and I cannot share my modem with Zonealarm on for some reason, I have played with it for hours and haven't been able to make it work.
Once I get my DSL hooked, hopefully within a week or so, I can turn on Zonealarm forever!!
73 posted on 08/12/2003 2:28:31 PM PDT by Aric2000 (If the history of science shows us anything, it is that we get nowhere by labeling our ignorance god)
Place holder
74 posted on 08/12/2003 2:31:10 PM PDT by Eaker (This is OUR country; let's take it back!!!!!)
To: Aric2000
I used a hub before the switch. Hubs go for as little as $20 at CompUSA. They are passive so require no setup, just plug and go. (Try first using the cable that now connects the modem to your computer to connect the modem to the switch or hub... if that doesn't work, substitute a normal Cat 5 cable instead.) I use NetGear stuff which works for me. Good luck.
To: AppyPappy
Not sure on ZoneAlarm specifically but firewalls generally allow or deny traffic based on ports. Web server traffic (http) usually comes in on port 80. So what you want to tell ZoneAlarm is to allow incoming traffic on port 80. (Or whatever port your server is running on.)
To: Jack Black
what are people's experience w/ Zone Alarm, Black Ice and other firewalls?
Personally, I am running ATguard and BlackIce. For some reason, I started getting a lot of TCP probes a couple of days ago, and now I am getting a HUGE amount of MSRPC port probes.
77 posted on 08/12/2003 4:22:29 PM PDT by Utilizer
To: Aric2000
Here's what I did. It was a pain.
Not knowing what was going on, I first reinstalled IE6.
After rebooting, the machine was stable enough to run windows update and apply SP4.
Then reboot, and Apply all other patches.
I think at that point my machine was clean.
Reboot again and check symantec for fixblast and run it just to be sure.
Lastly set up a software firewall.
Hope this helps.
78 posted on 08/13/2003 6:25:18 AM PDT by NormB
To: NormB
Microsoft Windows Update Site this morning:
HTTP/1.1 Server Too Busy
Terrific.
To: dfrussell
My Finance networking group provided a detailed instruction set including the number of the S patch which will "fix" the problem close the loophole!
This worm takes advantage of the security flaw that was highlighted by the US Dept. of Homeland Security a few weeks ago.
The good news
If you've followed our advice in WWW 6.12 then you're already protected from the worm.
To double-check run Windows Update to grab any critical patches then you'll already have the fix that prevents Blaster from infecting your computer.
To make sure you have the right fix, go to Settings | Control Panel | Add/Remove Software then scroll down to the long list of fixes. Look for one labeled with the number 823980 - that's the fix you need.
If that patch (823980) is installed already you can rest easy.
To double-check open up your browser and go to Tools | Windows Update, allow the computer to be scanned for updates and install any critical updates that are listed for you. Be patient, Windows Update is running slowly at the moment because so many people are trying to catch up with their patches.
Or here's Microsoft's links to separate patches:
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition (this includes all Home and Pro edition users)
Windows XP 64 bit Edition (the 64-bit edition is specially marked and requires a special computer, if you have this special setup you'd know it)
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition (the 64-bit edition is specially marked and requires a special computer, if you have this special setup you'd know it)
If you're in doubt about whether you have the 32 or 64 bit edition, use Windows Update to work it out for you. However in almost all cases you'll have the 32-bit edition of Windows.
However patching is a preventative measure only. If your computer has already been infected then you need to take steps to remove the worm.
See if the worm is 'turning'
You can see if your computer is infected with Blaster by running your anti-virus software AFTER you've downloaded the latest virus information.
Scanning your computer with out-of-date information is virtually useless.
Or you can see if the worm program is running.
Press Ctrl + Alt + Del
Choose Task Manager
Choose the Processes tab
Click on the 'Show processes for all users' option
Click on the heading 'Images' to sort the list alphabetically.
Look down the list for msblast.exe
If you find it, click on that entry then 'End Process'
That will stop the worm from running, but you still have to remove it from your computer.
Symantec has released a free removal tool in case you need it.
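The two manual checks in the post above (patch 823980 in the installed fixes list, msblast.exe in the process list) can be scripted as one read-only triage. This is an added example, not part of the original post or the newsletter it quotes; it assumes PowerShell 2.0 or later on the machine, and `Test-BlasterStatus` is a hypothetical helper name.

```powershell
# Added example: read-only triage for the two checks described in the post.
# Test-BlasterStatus is a hypothetical name; 823980 and msblast.exe are the
# patch number and process name given in the post.
function Test-BlasterStatus {
    [CmdletBinding()]
    param(
        [string]$HotFixId    = 'KB823980',   # patch number from the post
        [string]$ProcessName = 'msblast'     # msblast.exe without the extension
    )

    # Get-HotFix raises an error when the id is absent, so silence it and
    # treat "nothing returned" as "not listed".
    $patch = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue

    # Same pattern for the process: no match means it is not running.
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        PatchInstalled = [bool]$patch
        WormRunning    = ($procs.Count -gt 0)
        ProcessIds     = @($procs | ForEach-Object { $_.Id })
        # Path of the running image, so the file can be located for removal
        ImagePaths     = @($procs | ForEach-Object { $_.Path } | Select-Object -Unique)
    }
}

$status = Test-BlasterStatus
$status | Format-List Computer, PatchInstalled, WormRunning, ProcessIds, ImagePaths

if ($status.WormRunning) {
    # Matches the post: ending the process stops the worm but leaves it on disk.
    Write-Warning "msblast.exe is running; ending the process does not remove it from disk."
} elseif (-not $status.PatchInstalled) {
    Write-Warning "Patch 823980 is not listed; run Windows Update before reconnecting."
}
```

A later service pack or superseding update can contain the fix without a 823980 entry appearing, so a missing entry is a prompt to run Windows Update rather than proof the machine is exposed.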