w32.blaster advisory

Postby Mithrandir » Tue Aug 12, 2003 7:12 am

Hey Guys,
I know lots of you use PCs running Windows, so I thought I'd pass on the info here. CERT released an official warning about a new worm (sorta like a virus) going around. It's pretty nasty, and it ONLY affects Windows machines. It tries to download a program called msblast.exe. If you have weird problems with access times, you may want to search for this file on your hard drive. This one managed to make front page headlines on both Symantec and McAfee websites. Technical info can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html One of the worst things about this virus is that you don't have to dl/run any programs to get it! Just being connected to the internet will do it, as it exploits an RPC vulnerability in the M$ operating system. According to M$, it affects:
* Microsoft Windows NT® 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server™ 2003

And if you don't believe that M$ is evil, they also said, "Previous versions are no longer supported, and may or may not be affected by this vulnerability." Which is M$ speak for "We won't bother fixing anything else, so you'll have to buy new stuff."

Anyway, I have to clean it off some of the machines here, so I thought I'd tell you too.

- The Geek

Oh yeah, if you have the virus, you can get rid of it with http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

The patch for this can be dled by using the windows updater (if you are not infected). You can find the patch manually at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Postby Straylight » Tue Aug 12, 2003 7:17 am

Yes, that's a pretty nasty one. It automatically performs a DDOS attack on windowsupdate.com as well, which explains why that website is down, or at least extremely hard to access.

Postby Master Kenzo » Tue Aug 12, 2003 10:59 am

I had to deal with this virus last night. My friend in BC has no firewall, and he got the worm yesterday. We removed it NO THANKS TO NORTON by deleting the msblast.exe in C:\WINDOWS\system32\ and the registry key...search for msblast.exe, should come up with "windows autoupdater" or something. And the file is msblast.exe not msblaster.exe just to let you guys know :)
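The cleanup described in the post above can be turned into a repeatable check. This is an added example, not part of the original post: the helper names, the Run subkey scope and the sample values are assumptions made for illustration, and the match is bounded so that only msblast.exe (not msblaster.exe) is flagged.

```python
import re

# Run key read at logon; checking HKLM is an assumption of this example.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def launches_image(command, image="msblast.exe"):
    """True if a Run-value command line references exactly this file name."""
    # Bounded on both sides so msblaster.exe or xmsblast.exe do not match.
    pattern = r'(?:^|[\\/"\s])' + re.escape(image) + r'(?=$|["\s])'
    return re.search(pattern, command, re.IGNORECASE) is not None

def flag_run_values(values, image="msblast.exe"):
    """values: iterable of (value_name, command) pairs from a Run key."""
    return [(n, c) for n, c in values if launches_image(str(c), image)]

def read_run_values(hive_name="HKEY_LOCAL_MACHINE"):
    """Read the live Run key (Windows only; winreg is imported lazily)."""
    import winreg
    hive = getattr(winreg, hive_name)
    with winreg.OpenKey(hive, RUN_SUBKEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return [winreg.EnumValue(key, i)[:2] for i in range(count)]

# Constructed sample values, not taken from a real machine.
SAMPLE = [
    ("windows auto update", "msblast.exe"),
    ("AVTray", r'"C:\Program Files\AV\tray.exe" /min'),
    ("Decoy", r"C:\WINDOWS\system32\msblaster.exe"),
    ("Upper", r"C:\WINDOWS\System32\MSBLAST.EXE -x"),
]

if __name__ == "__main__":
    for name, cmd in flag_run_values(SAMPLE):
        print(f"suspicious Run value {name!r} -> {cmd}")
```

On a Windows host, pass `read_run_values()` to `flag_run_values()` instead of `SAMPLE`.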

Postby Mithrandir » Tue Aug 12, 2003 11:08 am

Master Kenzo wrote:...And the file is msblast.exe not msblaster.exe just to let you guys know...


Duly noted. (And updated)

Postby Zal-Utaon III » Tue Aug 12, 2003 11:14 am

Thanks for the warning, I'll look out for it.

Postby Aibou » Tue Aug 12, 2003 12:00 pm

I got it too yesterday... a nasty one.

Postby Retten » Tue Aug 12, 2003 12:01 pm

Thanks for the info hopefully our firewall will keep it away :thumb:

Postby MyrrhLynn » Tue Aug 12, 2003 12:23 pm

I don't have it on my computer but I think we got it on our old one. I just hope that once school starts some dummies don't start spreading it on the network. That happened with some worms last year and it made the network slower than a dial up. :(

Postby Link Antilles » Tue Aug 12, 2003 1:07 pm

That explains the major lag my computer suffered yesterday, while playing spearhead and surfing. The little bugger snuck itself on when my firewall was down. Thanks for the update! Worm removed!

Postby Mithrandir » Tue Aug 12, 2003 1:16 pm

Link Antilles wrote: That explains the major lag my computer suffered yesterday, while playing spearhead and surfing. The little bugger snuck itself on when my firewall was down. Thanks for the update! Worm removed!


You bring up a good point. I've been tempted many times to just place a machine outside the firewall while I play video games. I'm glad I took the extra week and wrote my own firewall. The one I have runs on a linux box with two nics and forwards through only ports I wanna play with. Works quite well, too. :) Anyone want it? As long as you have an old computer with enough drive space to install linux (I use rh 6.1) and two nics, it's much cheaper than a hardware box that might have an exploitable hole. (Like cisco...)

Postby Rashiir » Tue Aug 12, 2003 2:21 pm

What? Computer virii? Huh?

Postby shooraijin » Tue Aug 12, 2003 7:05 pm

Yes, Rashiir, isn't it nice to be on a practically virus-free platform? :)

(However, obviously, there's the potential for network congestion anywhere this worm is running rampant and that affects us on the Light Side of the Force. Fortunately, the only Windows machine on my network is Virtual PC running Win 98, which doesn't seem to be vulnerable from my cursory testing [good news for anyone running Windows 98, and yet another reason to give 2K/XP a quick trip to the trash bin]. Everything else here is Unix or MacOS, and a couple DOS installs, plus the C64.)

Postby LorentzForce » Wed Aug 13, 2003 5:56 am

my firewall reported extreme amount of traffic yesterday and today. my logbook of attacks is few megabytes big. that's a lot of attacks.

but EVE is protected and doesn't have the worm. but just in case, i did install the patch.

Postby Mithrandir » Wed Aug 13, 2003 8:21 am

Yeah, I've noticed some interesting stuff on my log reports for my firewall. The amount of traffic that's hitting it is causing it to waste a lot of cycles. I'm really hoping it doesn't start thrashing anytime soon here.

Postby shooraijin » Wed Aug 13, 2003 6:53 pm

My firewall's load average is still sitting around 0.05, so I guess it's not getting slammed with very much (or much it can't handle).

Postby LorentzForce » Thu Aug 14, 2003 12:30 am

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 205 times between 14/08/2003 3:42:40 PM and 14/08/2003 4:16:38 PM

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 286 times between 14/08/2003 4:16:48 PM and 14/08/2003 5:04:18 PM

The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).

Occurred: 36 times between 14/08/2003 5:26:50 PM and 14/08/2003 5:32:40 PM

they are all the same routing attacks, just that sometimes there were different attacks in between.
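Summary entries like the ones in the post above are easier to triage once they are totalled per flow. This is an added example, not part of the original post: it parses the three posted entries, sums events and active time per (source, destination, protocol), and labels the protocol number from the IANA registry, where 89 is OSPF. The function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log text as posted above (dd/mm/yyyy dates, 12-hour clock).
LOG = """\
The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).
Occurred: 205 times between 14/08/2003 3:42:40 PM and 14/08/2003 4:16:38 PM
The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).
Occurred: 286 times between 14/08/2003 4:16:48 PM and 14/08/2003 5:04:18 PM
The firewall has blocked routed traffic from 203.88.255.241 to 224.0.0.5 (IP Protocol 89).
Occurred: 36 times between 14/08/2003 5:26:50 PM and 14/08/2003 5:32:40 PM
"""

ENTRY = re.compile(
    r"blocked routed traffic from (\S+) to (\S+) \(IP Protocol (\d+)\)\.\s+"
    r"Occurred: (\d+) times between (.+?) and (.+?)\s*$", re.MULTILINE)
STAMP = "%d/%m/%Y %I:%M:%S %p"
# IANA protocol numbers, for labelling; anything else prints as a number.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

def summarize(text):
    """Total blocked events and active seconds per (src, dst, protocol)."""
    flows = defaultdict(lambda: {"events": 0, "seconds": 0.0, "windows": 0})
    for src, dst, proto, n, start, end in ENTRY.findall(text):
        span = datetime.strptime(end, STAMP) - datetime.strptime(start, STAMP)
        flow = flows[(src, dst, int(proto))]
        flow["events"] += int(n)
        flow["seconds"] += span.total_seconds()
        flow["windows"] += 1
    return dict(flows)

def events_per_minute(flow):
    """Average rate over the time the flow was actually being reported."""
    if not flow["seconds"]:
        return float("inf")
    return 60 * flow["events"] / flow["seconds"]

if __name__ == "__main__":
    for (src, dst, proto), flow in summarize(LOG).items():
        name = PROTO_NAMES.get(proto, str(proto))
        print(f"{src} -> {dst} [{name}]: {flow['events']} events in "
              f"{flow['windows']} windows, {events_per_minute(flow):.1f}/min")
```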

Postby Link Antilles » Thu Aug 14, 2003 8:55 am

On TechTV's website I found a way to stop the count down:

1. Go to the command line interface by clicking on the Start button and selecting Run. Type "command" (without quotes) and click OK.

2. At the command prompt, type "shutdown -a" (without quotes). This effectively orders the computer to abort shutdown.

It works too! My other computer was infected, so I decided to try it out.

BTW, isn't there a bigger attack coming the 16th?