Free Republic

New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html ^ | 08/11/03 | self

Posted on 08/11/2003 2:33:46 PM PDT by STFrancis

All,

Here's a scoop for Freepers which is just now hitting us security pros.

There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547

Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed, which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...


TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
To: STFrancis
marking for later read
121 posted on 08/11/2003 7:35:46 PM PDT by ChefKeith (NASCAR...everything else is just a game!)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Timesink
I dunno... I have a thousand or so windows PC's on my network that haven't been hit by a significant virus in years... :-)
122 posted on 08/11/2003 7:36:00 PM PDT by Ramius
[ Post Reply | Private Reply | To 119 | View Replies]

To: LynnHam
Thank you.
I owe you one.
123 posted on 08/11/2003 7:39:17 PM PDT by dtel (Texas Longhorn cattle for sale at all times. We don't rent pigs)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Ramius
I dunno... I have a thousand or so windows PC's on my network that haven't been hit by a significant virus in years... :-)

Well, see, you know what you're doing. ;)

124 posted on 08/11/2003 7:40:22 PM PDT by Timesink
[ Post Reply | Private Reply | To 122 | View Replies]

To: PoisedWoman
I hope you have both the Norton anti-virus AND the Firewall.

Be sure you keep updating Norton, not just with the Live Update, which you may have set at automatic, but new virus definitions come almost daily, which you can and should download manually.


Just go to:

http://www.sarc.com/avcenter/download/pages/US-N95.html

Then just click on the ong.exe file, which has a date next to it to identify the date it was posted; your computer will do the rest. You may have to click on "yes" to install it.

That should help some.
125 posted on 08/11/2003 7:45:33 PM PDT by FairOpinion
[ Post Reply | Private Reply | To 48 | View Replies]

To: STFrancis
Two people called me today to tell me that their computers were rebooting while they were connected to the internet. I checked on one customer and noticed that there were plenty of randomly named exe files in the \windows\system32 folder and one of them was called 'msblast.exe' - there was also a file called webdav.exe in the startup folder for AllUsers.

I archived & deleted all the suspicious new exe files in the system32 folder, put a dummy file in place of the webdav.exe file & applied the vulnerability patch from the Microsoft web site. So far the problem has not recurred. I see there are some virus updates to take care of the problem and I will download the latest update too. Maybe this has something to do with Amazon.com and Target.com being down recently.
126 posted on 08/11/2003 7:46:51 PM PDT by Maurice Tift
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion
Zone alarm is going crazy tonight. 143 alerts in 45 minutes. Mostly to UDP port 41170. Why does this not match the one given throughout this thread?
127 posted on 08/11/2003 7:51:29 PM PDT by Revel
[ Post Reply | Private Reply | To 125 | View Replies]

To: Timesink
Well, see, you know what you're doing. ;)

Well, I dunno. I'd rather be lucky than good. :-)

In my world though, I hide everything behind really good firewalls (I dig PIX) and get pretty jealous of what I let through. I also strip off any executables (among others) from e-mail messages. I have for years. It's saved me a lot of grief waiting for AV providers to update files when a new pattern needs to be released.

I also have four (count 'em, 4) levels of antivirus protection from two different providers, at all levels... SMTP, Exchange, User, and NT Share... I wouldn't be so brave as to get cocky, but so far it has worked out pretty well. :-)

128 posted on 08/11/2003 7:53:57 PM PDT by Ramius
[ Post Reply | Private Reply | To 124 | View Replies]

To: Ramius
I got this virus earlier today, was able to take care of it before it did anything, but it gave me quite a scare.
129 posted on 08/11/2003 7:55:06 PM PDT by ztiworoh
[ Post Reply | Private Reply | To 128 | View Replies]

To: Revel
"Mostly to UDP port 41170"

---

Maybe that is the remote port it's coming FROM, trying to go to your LOCAL port 4444. At least that is how I understood the suggestion to block our 4444 port (block our LOCAL 4444 port). I hope that is correct.
130 posted on 08/11/2003 7:57:43 PM PDT by FairOpinion
[ Post Reply | Private Reply | To 127 | View Replies]

To: ztiworoh
It's a pretty nasty one, potentially. Glad that it came out OK for you.

This one would have been somewhat nastier, methinks, if the writer hadn't been so arrogant as to make his presence so clearly known on an infected machine. From what I understand so far, this malware propagates on its own to any machine with the unpatched vulnerability. The user could be infected without ever knowing that they had gotten it, except that the writer intentionally makes the system barf and reboot over and over.

Kinda stupid, that. If they'd just let it lurk there until the user naturally rebooted, it might have gone undetected for quite some time. Then his DDOS might have been somewhat more effective.
131 posted on 08/11/2003 8:02:28 PM PDT by Ramius
[ Post Reply | Private Reply | To 129 | View Replies]

To: Ramius
Yeah, had it not tipped off the RPC service to restart my computer randomly I would never have known it was there.
132 posted on 08/11/2003 8:06:15 PM PDT by ztiworoh
[ Post Reply | Private Reply | To 131 | View Replies]

To: Revel
Sounds like a different thing from this particular virus/worm. Your ZoneAlarm may just be reacting to some script kiddie that has just started working the IP subnet that you happen to be on. Might or might not actually be anything to worry about. That ZA is catching it is, on the whole, a fairly good sign.
133 posted on 08/11/2003 8:06:56 PM PDT by Ramius
[ Post Reply | Private Reply | To 127 | View Replies]

To: Hot Tabasco
Watch it, your poor computer may suffocate. ;)
134 posted on 08/11/2003 8:08:40 PM PDT by FairOpinion
[ Post Reply | Private Reply | To 76 | View Replies]

To: STFrancis
Someone needs to tell those smart guys at Systematic, that this is not a virus.

Nice way to mislead the sheeple.

135 posted on 08/11/2003 8:08:55 PM PDT by expatguy
[ Post Reply | Private Reply | To 1 | View Replies]

To: STFrancis
My uncle called me tonight and he had this virus... his first ever, I think, as he barely uses his machine.
136 posted on 08/11/2003 8:12:03 PM PDT by thoughtomator (Are we conservatives, or are we Republicans?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion
"The firewall has blocked Internet access to your computer (UDP Port 41170) from 12.223.106.154 (UDP Port 1487)."
"The firewall has blocked Internet access to your computer (TCP Port 135) from 12.216.51.94 (TCP Port 3991) [TCP Flags: S]."
There are a lot now to port 135 also. The "From" stuff is all different. I am no great expert in this area however.
137 posted on 08/11/2003 8:12:41 PM PDT by Revel
[ Post Reply | Private Reply | To 130 | View Replies]
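
The alert lines quoted in post 137, triaged against the ports this thread associates with the worm (an added example, not part of any poster's comment). The TFTP port 69, the labels, the function names and the last three sample lines are assumptions of the example.

```python
import re
from collections import Counter

# Pattern follows the two ZoneAlarm alerts quoted in post 137.
ALERT_RE = re.compile(
    r"blocked Internet access to your computer \((TCP|UDP) Port (\d+)\) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) \((?:TCP|UDP) Port (\d+)\)"
    r"(?: \[TCP Flags: (\w+)\])?")

# Destination ports the thread ties to the worm. UDP 69 is the standard TFTP
# port (assumption: the post says only "tftp"); labels are this example's own.
WORM_PORTS = {
    ("TCP", 135): "RPC probe (MS03-026)",
    ("TCP", 4444): "shell on 4444",
    ("UDP", 69): "tftp download",
}

def parse_alert(line):
    """Return the fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    proto, dport, src, sport, flags = m.groups()
    return {"proto": proto, "dport": int(dport), "src": src,
            "sport": int(sport), "flags": flags}

def triage(lines):
    """Count worm-consistent alerts per label; collect the rest for review."""
    worm, other, unparsed = Counter(), [], 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        label = WORM_PORTS.get((alert["proto"], alert["dport"]))
        # For TCP, only a bare SYN (or no flag info) is a connection attempt.
        if label and alert["flags"] in (None, "S"):
            worm[label] += 1
        else:
            other.append(alert)
    return worm, other, unparsed

SAMPLE = [  # first two lines are from post 137; the rest are constructed
    'The firewall has blocked Internet access to your computer (UDP Port 41170) from 12.223.106.154 (UDP Port 1487).',
    'The firewall has blocked Internet access to your computer (TCP Port 135) from 12.216.51.94 (TCP Port 3991) [TCP Flags: S].',
    'The firewall has blocked Internet access to your computer (TCP Port 4444) from 192.0.2.10 (TCP Port 1034) [TCP Flags: S].',
    'The firewall has blocked Internet access to your computer (TCP Port 135) from 198.51.100.7 (TCP Port 2211) [TCP Flags: AR].',
    'ZoneAlarm started.',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the UDP 41170 alert lands in the "other" list rather than under a worm label, which matches the reading given in post 133.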

To: Ramius
I always get a few alerts when I am online, but nothing like this. See my post above for actual cut and paste messages from Zone alarm. Thanks
138 posted on 08/11/2003 8:15:57 PM PDT by Revel
[ Post Reply | Private Reply | To 133 | View Replies]

To: thoughtomator
I just got it, and got rid of it (I think), but I had help from my company's IT dept.

Same deal; kept rebooting. Norton found the whatever-it-is, W32.Blaster.Worm, but it couldn't do anything with it. Couldn't even delete the file it was in.

139 posted on 08/11/2003 8:16:59 PM PDT by MrNatural (..".You want the truth?!"...)
[ Post Reply | Private Reply | To 136 | View Replies]

To: LynnHam
I just went to the Microsoft Windows XP forum and downloaded what they told me to download and they did everything for me. I shut down my computer and re-started and haven't had a problem since. Are you saying that I need to do more?
140 posted on 08/11/2003 8:18:32 PM PDT by Eva
[ Post Reply | Private Reply | To 17 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson