New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html | 08/11/03 | self
Posted on 08/11/2003 2:33:46 PM PDT by STFrancis
All,
Here's a scoop to Freepers which is just now hitting us security pros.
There is a first vulnerability that uses the MS Bug that MS addressed with MS03-026 two weeks ago.
It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11
A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547
Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
In other words we need to make sure port 4444 is blocked inbound AND outbound.
Of course this is in addition to the MS03-026 patch being installed which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).
Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html
Just thought everyone ought to know.
Thanks...
TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
To: STFrancis
marking for later read
121 posted on 08/11/2003 7:35:46 PM PDT by ChefKeith (NASCAR...everything else is just a game!)
To: Timesink
I dunno... I have a thousand or so Windows PCs on my network that haven't been hit by a significant virus in years... :-)
122 posted on 08/11/2003 7:36:00 PM PDT by Ramius
To: LynnHam
Thank you.
I owe you one.
123 posted on 08/11/2003 7:39:17 PM PDT by dtel (Texas Longhorn cattle for sale at all times. We don't rent pigs)
To: Ramius
"I dunno... I have a thousand or so Windows PCs on my network that haven't been hit by a significant virus in years... :-)"
---
Well, see, you know what you're doing. ;)
To: PoisedWoman
I hope you have both the Norton anti-virus AND the Firewall.
Be sure you keep updating Norton, not just with the Live Update, which you may have set at automatic, but new virus definitions come almost daily, which you can and should download manually.
Just go to:
http://www.sarc.com/avcenter/download/pages/US-N95.html then just click on the ong.exe file, which has a date next to it to identify the date it was posted; your computer will do the rest. You may have to click on "yes" to install it.
That should help some.
To: STFrancis
Two people called me today to tell me that their computers were rebooting while they were connected to the internet. I checked on one customer and noticed that there were plenty of randomly named exe files in the \windows\system32 folder and one of them was called 'msblast.exe' - there was also a file called webdav.exe in the startup folder for AllUsers.
I archived & deleted all the suspicious new exe files in the system32 folder, put a dummy file in place of the webdav.exe file & applied the vulnerability patch from the Microsoft web site. So far the problem has not recurred. I see there are some virus updates to take care of the problem and I will download the latest update too. Maybe this has something to do with Amazon.com and Target.com being down recently.
To: FairOpinion
Zone alarm is going crazy tonight. 143 alerts in 45 minutes. Mostly to UDP port 41170. Why does this not match the one given throughout this thread?
127 posted on 08/11/2003 7:51:29 PM PDT by Revel
To: Timesink
"Well, see, you know what you're doing. ;)"
---
Well, I dunno. I'd rather be lucky than good. :-)
In my world though, I hide everything behind really good firewalls (I dig PIX) and get pretty jealous of what I let through. I also strip off any executables (among others) from e-mail messages. I have for years. It's saved me a lot of grief waiting for AV providers to update files when a new pattern needs to be released.
I also have four (count 'em, 4) levels of antivirus protection from two different providers, at all levels... SMTP, Exchange, User, and NT Share... I wouldn't be so brave as to get cocky, but so far it has worked out pretty well. :-)
128 posted on 08/11/2003 7:53:57 PM PDT by Ramius
To: Ramius
I got this virus earlier today, was able to take care of it before it did anything, but it gave me quite a scare.
To: Revel
"Mostly to UDP port 41170"
---
Maybe that is the remote port it's coming FROM, trying to go to your LOCAL port 4444. At least that is how I understood the suggestion to block our 4444 port (block our LOCAL 4444 port). I hope that is correct.
To: ztiworoh
It's a pretty nasty one, potentially. Glad that it came out OK for you.
This one would have been somewhat nastier, methinks, if the writer hadn't been so arrogant as to make his presence so clearly known on an infected machine. From what I understand so far, this malware propagates on its own to any machine with the unpatched vulnerability. The user could be infected without ever knowing that they had gotten it, except that the writer intentionally makes the system barf and reboot over and over.
Kinda stupid, that. If they'd just let it lurk there until the user naturally rebooted, it might have gone undetected for quite some time. Then his DDOS might have been somewhat more effective.
131 posted on 08/11/2003 8:02:28 PM PDT by Ramius
To: Ramius
yeah, had it not tipped off the RPC service to restart my computer randomly I would never have known it was there
To: Revel
Sounds like a different thing from this particular virus/worm. Your ZoneAlarm may just be reacting to some script kiddie that has just started working the IP subnet that you happen to be on. Might or might not actually be anything to worry about. That ZA is catching it is, on the whole, a fairly good sign.
133 posted on 08/11/2003 8:06:56 PM PDT by Ramius
To: Hot Tabasco
Watch it, your poor computer may suffocate. ;)
To: STFrancis
Someone needs to tell those smart guys at Systematic, that this is not a virus.
Nice way to mislead the sheeple.
To: STFrancis
My uncle called me tonight and he had this virus... his first ever, I think, as he barely uses his machine.
136 posted on 08/11/2003 8:12:03 PM PDT by thoughtomator (Are we conservatives, or are we Republicans?)
To: FairOpinion
"The firewall has blocked Internet access to your computer (UDP Port 41170) from 12.223.106.154 (UDP Port 1487)."
"The firewall has blocked Internet access to your computer (TCP Port 135) from 12.216.51.94 (TCP Port 3991) [TCP Flags: S]."
There are a lot now to port 135 also. The "From" stuff is all different. I am no great expert in this area however.
137 posted on 08/11/2003 8:12:41 PM PDT by Revel
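The two alert lines quoted above can be sorted by destination port against the ports the thread associates with the worm (the shell on TCP 4444, the tftp download) plus TCP 135, the RPC service patched by MS03-026. This is an added example and not part of any poster's message; the pattern is fitted to the two quoted alerts, UDP 69 is tftp's standard port, and the last three sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Ports tied to the worm: TCP 135 (RPC endpoint mapper, the MS03-026 service),
# TCP 4444 (the spawned shell), UDP 69 (standard tftp port for the download).
WORM_PORTS = {("TCP", 135): "rpc-dcom-probe", ("TCP", 4444): "shell-port",
              ("UDP", 69): "tftp"}

# Pattern fitted to the two alert lines quoted in the thread.
ALERT_RE = re.compile(
    r"to your computer \((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?:TCP|UDP) Port (?P<sport>\d+)\)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?"
)

SAMPLE = [  # first two lines are quoted from the thread; the rest are constructed
    'The firewall has blocked Internet access to your computer (UDP Port 41170) from 12.223.106.154 (UDP Port 1487).',
    'The firewall has blocked Internet access to your computer (TCP Port 135) from 12.216.51.94 (TCP Port 3991) [TCP Flags: S].',
    'The firewall has blocked Internet access to your computer (TCP Port 135) from 192.0.2.10 (TCP Port 2044) [TCP Flags: S].',
    'The firewall has blocked Internet access to your computer (TCP Port 4444) from 198.51.100.7 (TCP Port 1102) [TCP Flags: S].',
    'The firewall has blocked Internet access to your computer (TCP Port 135) from 203.0.113.5 (TCP Port 3120) [TCP Flags: A].',
]

def classify(line):
    """Return (label, source_ip) for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    label = WORM_PORTS.get((m["proto"], int(m["dport"])), "unrelated")
    # A TCP alert counts as a new connection attempt only if it is a bare SYN.
    if m["proto"] == "TCP" and m["flags"] not in (None, "S"):
        label = "unrelated"
    return label, m["src"]

def summarize(lines):
    """Count alerts per label and collect distinct sources behind worm-port hits."""
    counts, sources = Counter(), {}
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        label, src = result
        counts[label] += 1
        if label != "unrelated":
            sources.setdefault(label, set()).add(src)
    return counts, sources
```

Run over a full alert log, a rising count of distinct sources under `rpc-dcom-probe` is the signal to check that the MS03-026 patch is installed; alerts such as the UDP 41170 one fall under `unrelated`.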
To: Ramius
I always get a few alerts when I am online, but nothing like this. See my post above for actual cut and paste messages from Zone alarm. Thanks
138 posted on 08/11/2003 8:15:57 PM PDT by Revel
To: thoughtomator
I just got it, and got rid of it (I think), but I had help from my company's IT dept.
Same deal; kept rebooting. Norton found the whatever-it-is, W32.Blaster.Worm, but it couldn't do anything with it. Couldn't even delete the file it was in.
139 posted on 08/11/2003 8:16:59 PM PDT by MrNatural (..".You want the truth?!"...)
To: LynnHam
I just went to the Microsoft Windows XP forum and downloaded what they told me to download and they did everything for me. I shut down my computer and re-started and haven't had a problem since. Are you saying that I need to do more?
140 posted on 08/11/2003 8:18:32 PM PDT by Eva