Free Republic
Browse · Search
News/Activism
Topics · Post Article


New Virus hitting hard and furious!!!
Source: http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html | 08/11/03 | self

Posted on 08/11/2003 2:33:46 PM PDT by STFrancis

All,

Here's a scoop for Freepers which is just now hitting us security pros.

There is a first vulnerability that uses the MS bug that MS addressed with MS03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547 Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed, which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...


TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm

1 posted on 08/11/2003 2:33:46 PM PDT by STFrancis
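As an added example (not part of the original post), a small Python script that applies the indicators the post gives (inbound TCP/135, a shell on TCP/4444, then a tftp fetch on UDP/69) to constructed firewall log lines and flags hosts that show the whole chain in order. The log format, the addresses and the function names are assumptions.

```python
import re

# Constructed firewall log lines (not from the page) in a simple
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>" form.
# 198.51.100.5 shows the full Blaster pattern; 198.51.100.6 only saw
# an RPC probe, which by itself is not proof of infection.
SAMPLE_LOG = """\
2003-08-11T14:20:01 ALLOW TCP 192.0.2.77:1031 -> 198.51.100.5:135
2003-08-11T14:20:02 ALLOW TCP 192.0.2.77:1032 -> 198.51.100.5:4444
2003-08-11T14:20:03 ALLOW UDP 198.51.100.5:1025 -> 192.0.2.77:69
2003-08-11T14:21:10 ALLOW TCP 203.0.113.9:2200 -> 198.51.100.8:80
2003-08-11T14:22:00 ALLOW TCP 192.0.2.50:1040 -> 198.51.100.6:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def blaster_stages(events):
    """Map (victim, attacker) -> {stage: index of first matching event}.
    Stages: 'rpc' = TCP/135 to the victim, 'shell' = TCP/4444 to the victim,
    'tftp' = UDP/69 from the victim back to the attacker's tftp server."""
    seen = {}
    for i, e in enumerate(events):
        if e["proto"] == "TCP" and e["dport"] == 135:
            key, stage = (e["dst"], e["src"]), "rpc"
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            key, stage = (e["dst"], e["src"]), "shell"
        elif e["proto"] == "UDP" and e["dport"] == 69:
            key, stage = (e["src"], e["dst"]), "tftp"
        else:
            continue
        seen.setdefault(key, {}).setdefault(stage, i)
    return seen

def find_blaster_chains(events):
    """Return {victim: attacker} for pairs where all three stages occurred in order."""
    hits = {}
    for (victim, attacker), st in blaster_stages(events).items():
        if {"rpc", "shell", "tftp"} <= set(st) and st["rpc"] < st["shell"] < st["tftp"]:
            hits[victim] = attacker
    return hits

def hosts_using_4444(events):
    """Destinations that received TCP/4444 at all (the port the post says to block both ways)."""
    return sorted({e["dst"] for e in events if e["proto"] == "TCP" and e["dport"] == 4444})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("infection chains:", find_blaster_chains(evs))
    print("hosts with TCP/4444 traffic:", hosts_using_4444(evs))
```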

To: STFrancis
Thanks I am on it.!!!!!
2 posted on 08/11/2003 2:35:56 PM PDT by CHICAGOFARMER (Citizen Carry)

To: STFrancis
Sounds bad.
3 posted on 08/11/2003 2:37:21 PM PDT by cmsgop (If you Spinkle When You Tinkle,...Be a Sweetie and Wipe the Seatie......)

To: STFrancis
Bump for IT folks !
4 posted on 08/11/2003 2:38:00 PM PDT by Ben Bolt

To: STFrancis
Symantec link did not come through right: http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
5 posted on 08/11/2003 2:38:25 PM PDT by STFrancis

To: STFrancis
thanks!
6 posted on 08/11/2003 2:39:27 PM PDT by countrydummy

To: STFrancis
From my focus-virus list this nugget:

message follows...
*****
i've just got a copy of this Windows DCOM Worm from a nice fellow on another
list.

it matches the MD5 at http://isc.sans.org/diary.html?date=2003-08-11 of
5ae700c1dffb00cef492844a4db6cd69. that's the EXE's MD5, not the unpacked
EXE version or the MD5 of the ZIP i received it in. i have not launched it
yet, but i did note it made its way past three layers of virus protection
without being detected.

yes, we do use the same AV for all parts of our network, but that's 'cause
we're a small company with limited resources. so don't bitch at me about
it. :)

we've got NAV Corporate 8.00.0.9374 with scan engine 4.1.0.15 and
definitions of 06/08/2003 rev. 4 (the most current at this time) and it is
not detected.

****
7 posted on 08/11/2003 2:40:48 PM PDT by STFrancis
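Since the quoted message says the sample slipped past three layers of AV, here is an added example (not part of the post) of hash-based triage in Python: it walks a directory, flags files by the MSBLAST.EXE name from the original post or by the MD5 quoted above, and records which rule fired. The demo tree it builds uses harmless placeholder bytes, so only the name rule matches there; the function names are assumptions.

```python
import hashlib
import os
import tempfile

# Hash quoted in the post (from the ISC diary of 2003-08-11) for the packed MSBLAST.EXE.
KNOWN_BAD_MD5 = {
    "5ae700c1dffb00cef492844a4db6cd69": "MSBLAST.EXE (ISC diary 2003-08-11)",
}
# File name the original post says the worm uses for itself.
SUSPECT_NAMES = {"msblast.exe"}

def md5_of_chunks(chunks):
    """MD5 hex digest over an iterable of byte chunks (large files are not read at once)."""
    h = hashlib.md5()
    for block in chunks:
        h.update(block)
    return h.hexdigest()

def md5_file(path, chunk_size=65536):
    with open(path, "rb") as f:
        return md5_of_chunks(iter(lambda: f.read(chunk_size), b""))

def triage_tree(root):
    """Walk a directory tree; return [(path, md5, reasons)] for files matching
    a known-bad hash or a suspect name. A name match alone is weaker evidence
    than a hash match, so the reasons list records which rule(s) fired."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("suspect-name")
            digest = md5_file(path)
            if digest in KNOWN_BAD_MD5:
                reasons.append("known-bad-md5")
            if reasons:
                findings.append((path, digest, reasons))
    return findings

def demo():
    """Build a constructed tree (placeholder bytes, not the worm) and triage it."""
    root = tempfile.mkdtemp(prefix="blaster-triage-")
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "system32", "MSBLAST.EXE"), "wb") as f:
        f.write(b"placeholder bytes, not the real sample")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"nothing to see here")
    return [(os.path.relpath(p, root), d, r) for p, d, r in triage_tree(root)]

if __name__ == "__main__":
    for rel, digest, reasons in demo():
        print(rel, digest, ",".join(reasons))
```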

To: STFrancis; *tech_index; Salo; MizSterious; shadowman99; Sparta; freedom9; martin_fierro; ...
Thanks!

OFFICIAL BUMP(TOPIC)LIST

8 posted on 08/11/2003 2:45:25 PM PDT by Ernest_at_the_Beach (All we need from a Governor is a VETO PEN!!!)

To: STFrancis
BTTT...thanks for the info!!
9 posted on 08/11/2003 2:49:15 PM PDT by Brad's Gramma (fREE rEPUBLIC iS nOT aDDICTIVE, fREE rEPUBLIC iS nOT aDDICTIVE, fREE rEPUBLIC iS nOT aDDICTIVE, fREE)

To: STFrancis
Thanks for the heads-up!
10 posted on 08/11/2003 2:56:09 PM PDT by petuniasevan (Cat toys: Anything not nailed down, and some that are.)

To: STFrancis
OH MY GOD!!!!!!! Another virus!!!! What do I do?!?!?!?!? Oh wait, I have a Mac. Never mind.
11 posted on 08/11/2003 3:00:34 PM PDT by SengirV

To: STFrancis
New Virus hitting hard and furious!!!

You really should have included the word computer in the title......I thought my ex-wife was on the loose again.

12 posted on 08/11/2003 3:05:39 PM PDT by Focault's Pendulum

To: STFrancis
I just finished cleaning my computer of this stupid virus. What a P.I.T.A. that was.
13 posted on 08/11/2003 3:08:11 PM PDT by ironwill

To: SengirV
It's a good thing that you use a computer that only five other people use.


*weg*
14 posted on 08/11/2003 3:09:25 PM PDT by LenS

To: STFrancis
Thanks. Saint Francis pulls through again.
15 posted on 08/11/2003 3:16:02 PM PDT by LurkedLongEnough

To: STFrancis
OK. Can someone translate this to a techno-idiot? Can I search for a file or something? Should I install the patch from MS? Will this require duct tape and my old cans of Spam?
16 posted on 08/11/2003 3:17:09 PM PDT by myprecious

To: STFrancis
here's the fix for it
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability


A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.
This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593.



Resolution for Windows XP
Shut down PC
Unplug Cable Modem.
Start up PC
Click Start -> Settings -> Control Panel
Double Click Network Connections
Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Select Properties
Click the Advanced Tab
Enable the Windows XP Firewall
Click OK, Close out of open windows.
Plug in the Cable Modem.
Ensure Block Sync is established.
Open Internet Explorer
Go to the following URL: http://www.microsoft.com/technet/default.asp
Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
Scroll Down Page about half way to Patch Availability
Click Windows XP 32 bit Edition
Click Download in the upper right of the screen.
Save the file to the desktop
Run the downloaded file.
The patch will install and prompt the customer to reboot.
Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled and the customer can surf normally.
Temporary Resolution for Windows 2000 Users
Have them go to http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe and install the file from there. URL is not case sensitive.
17 posted on 08/11/2003 3:20:21 PM PDT by LynnHam

To: STFrancis
Odd, port 4444 is the port that AdSubtract uses.

AdSubtract is a popular program for removing ads, pop-ups, sound, etc. from your surfing.

18 posted on 08/11/2003 3:21:21 PM PDT by LowOiL (Jesus Christ offers more that a thrill ride..)

To: myprecious
Never, I repeat NEVER, use duct tape. It leaves fingerprints. The old can of Spam OTOH....
19 posted on 08/11/2003 3:23:26 PM PDT by FourPeas

To: STFrancis
Yup. Mr. FourPeas is working fast and furious. What a nice 'welcome home' on his first day back from vacation.
20 posted on 08/11/2003 3:24:18 PM PDT by FourPeas

To: STFrancis
Don't forget the additional patch MS-030. That's nasty too.

21 posted on 08/11/2003 3:26:25 PM PDT by Centurion2000 (We are crushing our enemies, seeing him driven before us and hearing the lamentations of the liberal)

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?

22 posted on 08/11/2003 3:26:30 PM PDT by rdb3 (I'm not a complete idiot. Several parts are missing.)

To: STFrancis
Thanks for the warning. Got my update from Norton.
23 posted on 08/11/2003 3:32:11 PM PDT by Cyber Liberty (© 2003, Ravin' Lunatic since 4/98)

To: Cyber Liberty
bookmarking
24 posted on 08/11/2003 3:39:28 PM PDT by Iowa Granny

To: LenS
***It's a good thing that you use a computer that only five other people use. ***

Nope! Make that six. I switched from Windows to Mac a few months ago.


25 posted on 08/11/2003 3:42:50 PM PDT by kitkat

To: STFrancis
Re: port 4444. UDP, TCP or other?
26 posted on 08/11/2003 3:43:53 PM PDT by LibKill (The sacred word, TANSTAAFL.)

To: kitkat
Nope! Make that six. I switched from Windows to Mac a few months ago.

Seven. Powerbook G4, here. Fantastic piece of hardware.

27 posted on 08/11/2003 3:45:48 PM PDT by ThinkPlease (Fortune Favors the Bold!)

To: LenS
It's a good thing that you use a computer that only five other people use.

I've got root, dualies and a G5 in my sights as soon as I can get my paws on one.

28 posted on 08/11/2003 3:48:11 PM PDT by Glenn (What were you thinking, Al?)

To: STFrancis
AP is now reporting on this...

Internet infection that drew gov't warnings spreading rapidly

TED BRIDIS, AP Technology Writer
Monday, August 11, 2003

(08-11) 15:35 PDT WASHINGTON (AP) --

A virus-like infection that was the subject of urgent U.S. government and industry warnings spread rapidly Monday across the Internet, causing computers to mysteriously restart and coordinating an electronic attack against Microsoft Corp.

Security experts said the infection, which exploits an unusually dangerous flaw in Windows software, wasn't yet seriously disrupting Internet traffic but posed that risk as it was expected to continue spreading quickly overnight.

Researchers discovered it about 3 p.m. EDT, and reported tens of thousands of infected computers inside universities, businesses and homes.

"It seems to be taking off fairly quickly," said Johannes Ullrich of Boston, who runs the D-Shield network of computer monitors.

Infected computers were programmed to automatically launch an attack on a Web site operated by Microsoft on Saturday. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to protect against these types of infections.

Microsoft offers a free patch on the Web site to protect Windows users.

The infection was quickly dubbed "LovSan" because of a love note left behind on vulnerable computers: "I just want to say LOVE YOU SAN!" Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"

Government and industry experts have anticipated such an outbreak since July 16, when Microsoft acknowledged that the flaw affected nearly all versions of its flagship Windows operating system software.

"It's much too early to expect to see any (Internet slowdowns) whatsoever," said Vincent Gullotto, a vice president at Network Associates Inc. "It really depends on how much it spreads."

The Microsoft flaw affects Windows technology used to share data files across computer networks. It involves a category of vulnerabilities known as "buffer overflows," which can trick software into accepting dangerous commands.


On the Net:

Network Associates: vil.nai.com/vil/content/v_100547.htm

Symantec: www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Microsoft warning: www.microsoft.com/security/security_bulletins/ms03-026.asp

Government warning: www.nipc.gov/warnings/advisories/2003/Potential7302003.htm


29 posted on 08/11/2003 3:49:34 PM PDT by Brian S

To: myprecious
go to:

http://v4.windowsupdate.microsoft.com/en/default.asp

if you want easy updating of all sorts of patches, etc...
30 posted on 08/11/2003 3:50:47 PM PDT by Britton J Wingfield (TANSTAAFL)

To: STFrancis
"In other words we need to make sure port 4444 is blocked inbound AND outbound. "


--

Thanks for posting this. I did it just as soon as I read your post.
31 posted on 08/11/2003 3:51:47 PM PDT by FairOpinion

To: LenS
It's a good thing that you use a computer that only five other people use.

Good to know there are at least five of us smart people in the world!!!!!!

PS I just got a PC last month, and Windows is clunky! And slow. You guys don't know what you are missing, but we aren't gonna tell ya.

32 posted on 08/11/2003 3:55:10 PM PDT by christie (http://www.clintonlegacycookbook.com)

To: SengirV
Oh that's REAL funny.
My Mac just died and I was persuaded to buy a PC.
Frankly, it sucks, but I'm on a tight budget and we got the PC on the cheap. And yes, it's NEW, but it still sucks.
If I had my 'druthers, I'd own a PC and a Mac.

I'm lusting after the new PowerMac G5 (sweeeet)
33 posted on 08/11/2003 3:56:40 PM PDT by brewer1516

To: SengirV
What do I do?!?!?!?!? Oh wait, I have a Mac. Never mind.

Did you know that there were vulnerabilities in Mac OS X whereby someone could actually get root access to your system? After 6 months or more of complaining, Apple finally decided to address some of these issues. The Apple folks may know hardware, but are way behind the curve on UNIX. If you really want UNIX, go with a vendor that specializes in it.

34 posted on 08/11/2003 3:57:51 PM PDT by MrsEmmaPeel

Comment #35 Removed by Moderator

To: MrsEmmaPeel
Did you know that there were vulnerabilities in Mac OS X whereby someone could actually get root access to your system? After 6 months or more of complaining, Apple finally decided to address some of these issues.

Source please. I'm not aware of any remote root exploits for Mac OS X, and certainly not one that was known and unpatched for 6 months.

36 posted on 08/11/2003 4:02:59 PM PDT by ThinkDifferent

To: ThinkDifferent
Source please. I'm not aware of any remote root exploits for Mac OS X,

CERT's a good place to start. The problem with Apple's answers on CERT is that APPLE will usually say: "does not affect us" -- which is complete bull, thereby highlighting their own ignorance. The Apple folk just don't know UNIX.

37 posted on 08/11/2003 4:06:41 PM PDT by MrsEmmaPeel

To: MrsEmmaPeel
CERT's a good place to start. The problem with Apple's answers on CERT is that APPLE will usually say: "does not affect us" -- which is complete bull, thereby highlighting their own ignorance.

Ok, what is a specific example of this?

38 posted on 08/11/2003 4:15:32 PM PDT by ThinkDifferent

To: STFrancis
When they start attacking Linux THEN I will worry, I am SOOOOOO glad I dumped windows.

39 posted on 08/11/2003 4:16:13 PM PDT by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)

To: STFrancis
Does it affect Win98 users?
40 posted on 08/11/2003 4:19:24 PM PDT by GoldMan (antidistablishmentarianism is a long word.)

To: ThinkDifferent
Ok, what is a specific example of this?

We've been down this road before. Read my past postings to you on these same questions. Read the CERT Advisory. Read Apple's bug list. Apple doesn't know UNIX.

41 posted on 08/11/2003 4:20:13 PM PDT by MrsEmmaPeel

To: christie
More than that - I got a G4 along with my Windows/Linux/NetWare/BSD boxes. Great machine. I also have a PIX firewall and keep every port blocked I don't need. If you have an unpatched system and those ports open, you deserve this virus.
42 posted on 08/11/2003 4:21:38 PM PDT by Salo

To: MrsEmmaPeel
We've been down this road before.

Yes, we have, and you were equally evasive then.

Read the CERT Advisory. Read Apple's bug list. Apple doesn't know UNIX.

Surely with such a mountain of evidence you could provide a single URL.

43 posted on 08/11/2003 4:22:44 PM PDT by ThinkDifferent

To: ThinkDifferent
CERT = www.cert.org SEARCH on "MAC OS X"
I'm sorry you didn't know that. Everyone who has anything to do with security should be getting the CERT Security digest.

APPLE = www.apple.com APPLE has their own security mailing list. You may want to subscribe to this as well.

44 posted on 08/11/2003 4:27:38 PM PDT by MrsEmmaPeel

To: SengirV
OH MY GOD!!!!!!! Another virus!!!! What do I do?!?!?!?!? Oh wait, I have a Mac. Never mind.

Yeah - as long as you are obscure, no one will bother you so don't worry.

45 posted on 08/11/2003 4:28:49 PM PDT by HairOfTheDog (And whither then? I cannot say)

To: Salo
Just to give an idea of how these viruses cost businesses money.

Here at our 800-bed hospital, this virus started today on a single PC, probably through an email attachment. This PC in turn, via the RPC vulnerability, infected Windows Servers running the Patient Clinical Information System. This resulted in the Clinical system being down for several hours. I wish the author of the virus were here waiting for a lab result to identify a deadly illness.

Q:Why weren't the Windows Servers properly patched?
A: Because the software vendor has only tested the code on an earlier Service Pack version and will not support servers with the patch!
46 posted on 08/11/2003 4:29:03 PM PDT by AngryAmerican

To: MrsEmmaPeel
Did you know that there were vulnerabilities in Mac OS X whereby someone could actually get root access to your system?

Yeah, provided you could get your hands on the actual machine in question. ANY security expert would tell you that if you allow an unauthorized person to have physical access to your machine, you are by definition nonsecure.

47 posted on 08/11/2003 4:29:57 PM PDT by SengirV

To: Brian S
The Microsoft flaw affects Windows technology used to share data files across computer networks.

Does this mean it won't spread to those of us who do not work on networks? Also, I only surf on AOL...will I be safe? Hope so, because any virus sends me and my puter down to the local whiz at $65/hour....totally incapable of doing anything technical myself. I have Norton. Will Norton get it before it gets me?

I was infected by BadTrans a while back....before I got Norton. Nasty! It came in a private email from a freeper's private email to my AOL address, come to think of it.

48 posted on 08/11/2003 4:32:45 PM PDT by PoisedWoman (Fed up with the CORRUPT liberal media)

To: SengirV
ANY security expert would tell you that if you allow an unauthorized person to have physical access to your machine, you are by definition nonsecure.

No, it was to do with an outsider getting a shell command on your system and running your computer as root. WAKE UP! Mac OS X has UNIX underneath!

49 posted on 08/11/2003 4:34:36 PM PDT by MrsEmmaPeel

To: MrsEmmaPeel
Ok, so you have no interest in supporting your assertions. Fine with me.
50 posted on 08/11/2003 4:38:20 PM PDT by ThinkDifferent
