w32.blaster advisory

[Mithrandir]

Hey Guys,
I know lots of you use PC's running windows, so I thought I'd pass on the info here. CERT released an official warning about a new worm (sorta like a virus) going around. It's pretty nasty, and it ONLY affects windows machines. It tries to download a program called msblast.exe. If you have weird problems with access times, you may want to search for this file on your hard drive. This one managed to make front page headlines on both Symantic and McAffee websites. Technical Info can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html One of the worst things about this virus is that you don't have to dl/run any programs to get it! Just being connected to the interenet will do it, as it exploits an RPC vunerability in the M$ opperating system. According to M$, it affects:
* Microsoft Windows NT® 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Serverâ„¢ 2003

And if you don't believe that M$ is evil, they also said, " Previous versions are no longer supported, and may or may not be affected by this vulnerability." Which is M$ speak for "We won't bother fixing anything else, so you'll have to buy new stuff.

Anyway, I have to clean it off some of the machines here, so I thouht I'd tell you too.

- The Geek

Oh yeah, if you have the virus, you can get rid of it with http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

The patch for this can be dled by using the windows updater (if you are not infected). You can find the patch manually at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

[Straylight]

Yes, that's a pretty nasty one. It automatically performs a DDOS attack on windowsupdate.com as well, which explains why that website is down, or at least extremely hard to access.

[Master Kenzo]

I had to deal with this virus last night. My friend in BC has no firewall, and he got the worm yesterday. We removed it NO THANKS TO NORTON by deleting the msblast.exe in C:\WINDOWS\system32\ and the registry key...search for msblast.exe, should come up with "windows autoupdater" or something. And the file is msblast.exe not msblaster.exe just to let you guys know

[Mithrandir]

...And the file is msblast.exe not msblaster.exe just to let you guys know...

Duely noted. (And updated)

[Zal-Utaon III]

Thanks for the warning ill look out for it.

[Aibou]

I got it too yesterday... a nasty one.

[Retten]

Thanks for the info hopefully our firewall will keep it away

[MyrrhLynn]

I don't have it on my computer but I think we got it on our old one. I just hope that once school starts some dummies don't start spreading it on the network. That happened with some worms last yeah and it make the network slower then a dial up.

[Link Antilles]

That explains the major lag my computer suffered yesterday, while playing spearhead and surfing. The little bugger snuck it's self on when my firewall was down. Thanks for the update! Worm removed!

[Mithrandir]

That explains the major lag my computer suffered yesterday, while playing spearhead and surfing. The little bugger snuck it's self on when my firewall was down. Thanks for the update! Worm removed!

You bring up a good point. I've been tempted many times to just place a machine outside the firewall while I play video games. I'm glad I took the extra week and wrote my own firewall. The one I have runs on a linux box with two nics and forwards through only ports I wanna play with. Works quite well, too. Anyone want it? As long as you have an old computer with enough drive space to install linux (I use rh 6.1) and two nics, it's much cheeper than a hardware box that might have an explotable hole. (Like cisco...)

[Rashiir]

What? Computer virii? Huh?

[shooraijin]

Yes, Rashiir, isn't it nice to be on a practically virus-free platform?

(However, obviously, there's the potential for network congestion anywhere this worm is running rampant and that affects us on the Light Side of the Force. Fortunately, the only Windows machine on my network is Virtual PC running Win 98, which doesn't seem to be vulnerable from my cursory testing [good news for anyone running Windows 98, and yet another reason to give 2K/XP a quick trip to the trash bin]. Everything else here is Unix or MacOS, and a couple DOS installs, plus the C64.)

[LorentzForce]

my firewall reported extreme amount of traffic yesterday and today. my logbook of attacks is few megabytes big. that's a lot of attacks.

but EVE is protected and doesn't have the worm. but just incase, i did install the patch.

[Mithrandir]

Yeah, I've noticed some interesting stuff on my log reports for my firewall. The ammount of traffic that's hitting it is causing it to waste a lot of cycles. I'm really hoping it doesn't start thrashing anytime soon here.

[shooraijin]

My firewall's load average is still sitting around 0.05, so I guess it's not getting slammed with very much (or much it can't handle).

[LorentzForce]

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 205 times between 14/08/2003 3:42:40 PM and 14/08/2003 4:16:38 PM

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 286 times between 14/08/2003 4:16:48 PM and 14/08/2003 5:04:18 PM

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 36 times between 14/08/2003 5:26:50 PM and 14/08/2003 5:32:40 PM

they are all the same routing attacks, just that sometimes there were different attacks inbetween.

[Link Antilles]

On TechTV's website I found a way to stop the count down:

1. Go to the command line interface by clicking on the Start button and selecting Run. Type "command" (without quotes) and click OK.

2. At the command prompt, type "shutdown -a" (without quotes). This effectively orders the computer to abort shutdown.

It works too! My other computer was infected, so I decided to try it out.

BTW, isn't there a bigger attack coming the 16th?