Free Republic
Browse · Search
News/Activism
Topics · Post Article


New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html ^ | 08/11/03 | self

Posted on 08/11/2003 2:33:46 PM PDT by STFrancis

All,

Here's a scoop to Freepers which is just now hitting us security pros.

There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547

Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...


TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
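
The behaviour described in the original post (a shell on port 4444, then a tftp download of the worm) can be looked for in firewall logs. The following is an added detection example, not part of the thread; the log format, the addresses, the five-minute window and the assumption that the victim's tftp request goes back to the host that opened the shell are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2003-08-12T08:31:02 ALLOW TCP 10.0.0.5:1044 -> 10.0.0.23:4444
2003-08-12T08:31:05 ALLOW UDP 10.0.0.23:1201 -> 10.0.0.5:69
2003-08-12T08:32:10 ALLOW TCP 10.0.0.7:3312 -> 192.0.2.10:80
2003-08-12T08:40:00 ALLOW UDP 10.0.0.9:1500 -> 10.0.0.30:69
2003-08-12T08:45:00 DENY TCP 10.0.0.5:1050 -> 10.0.0.24:4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SHELL_PORT = 4444               # TCP port the post says the shell uses
TFTP_PORT = 69                  # standard TFTP port (UDP)
WINDOW = timedelta(minutes=5)   # assumed correlation window

def parse(log_text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dport"] = int(rec["dport"])
            yield rec

def find_suspected_infections(log_text):
    """Return (victim, source, time) where an allowed TCP/4444 connection to
    the victim is followed within WINDOW by the victim's TFTP request back."""
    shells = {}  # (victim, source) -> time of last allowed TCP/4444 connection
    hits = []
    for r in sorted(parse(log_text), key=lambda rec: rec["ts"]):
        if r["action"] != "ALLOW":
            continue  # a denied connection never reached the shell
        if r["proto"] == "TCP" and r["dport"] == SHELL_PORT:
            shells[(r["dst"], r["src"])] = r["ts"]
        elif r["proto"] == "UDP" and r["dport"] == TFTP_PORT:
            opened = shells.get((r["src"], r["dst"]))
            if opened is not None and r["ts"] - opened <= WINDOW:
                hits.append((r["src"], r["dst"], r["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    for victim, source, when in find_suspected_infections(SAMPLE_LOG):
        print(f"{when}: {victim} likely infected from {source}")
```

A lone TFTP request or a denied connection to port 4444 is not reported; only the paired sequence is.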
To: =Intervention=
I have XP and ZoneAlarm. No probs.
221 posted on 08/12/2003 8:37:59 AM PDT by dfwgator

To: MrsEmmaPeel
And MrsEmmaPeel keeps making unsupported statements...yawn...nothing new to see here.
222 posted on 08/12/2003 8:38:31 AM PDT by =Intervention= (White devils for Sharpton Central Florida chapter)

To: jeffsher
Thank you so much. I know that this will help much. My wife is gonna kill me if I don't get our home pc up and running. We just got it two weeks ago and this virus struck last night.
223 posted on 08/12/2003 8:40:34 AM PDT by AxelPaulsenJr (Ozzy Osborne says that pot leads to harder drugs.)

To: Timesink
IIRC, this exploit affects all versions of Windows dating back to Win95, except for Windows Millennium. I think they got it right this time, unless I'm thinking of one of the other dozens of remote exploits for Microsoft OSes.

I looked again. It may be that the exploit itself doesn't affect the various releases of Win95 and Win98, though the RPC vulnerability in question wasn't exactly made clear by Microsoft. I'm wondering why they would specify Windows Millennium but not mention Win98 SE.

224 posted on 08/12/2003 8:50:53 AM PDT by cashion

To: STFrancis
ZoneAlarm is not the only way to go. Netgear makes a great firewall/router for under $90, print server included.

I have three home computers and a printer hooked to one. All the security test sites say I am invisible. Quoting from their propaganda:

This true firewall is broadband-capable, and provides you with the utmost in business class security – Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, reporting, and real-time alerts. VPN pass-through maximizes network security with access control and encryption. And a built-in print server removes the bottleneck of a dedicated PC print server and supports multiple print jobs simultaneously.

The really neat thing is I can swap computers, hook up the kid's when they're home from college, all without worrying about software.

225 posted on 08/12/2003 8:54:44 AM PDT by js1138

To: livius; Danette
I've been struggling with the same problem for 2 days, finally figured it out last night and tried to download the patch repeatedly. I finally was able to save the patch and get it into place and now my system is running beautifully again.

Thanks for everyone's advice and expertise on this thread, my problem was solved but it really helps to understand what was happening :-)
226 posted on 08/12/2003 8:55:09 AM PDT by Tamzee (I was a vegetarian until I started leaning toward the sunlight...... Rita Rudner)

To: All
This means that people with knowledge about this hole have been able to spy on you since Windows 2000 and Windows XP were released.
For some reason the Canadian that exposed the hole 3 weeks ago preferred to remain anonymous ...
227 posted on 08/12/2003 9:00:00 AM PDT by Truth666

To: =Intervention=
Of course Apple doesn't know UNIX -- they just make an OS that uses it...hmm. Your hyperbole and bias is showing.

I was a developer of Apple since 1989. Finally gave up when Apple ceased making any improvements. Apple had the potential for being a really, really great system. The basis of Mac OS X is really Mach, and Apple needs to capitalize on that, but they never did. Mach allowed for concurrent OSs - the limitation is just the hardware. In the early Apple Mac OS X beta, Mac OS 9 was in a separate window. Apple decided to scrub that - never understood why. But it is theoretically possible to have multiple concurrent OSs on an Apple machine - Dos - Windows - X, BSD, OS 9 etc. Apple never followed through. Also, Apple never followed through on important security issues. The problem is that most Mac people just don't want to take the time to learn UNIX, so they remain ignorant as to the vulnerabilities of their system.

Whether you believe me or not, I don't care. Whether you believe that UNIX has vulnerabilities, I don't care.

I think this ostrich syndrome is probably why Apple is only at 3% of the market, and Linux is overtaking Apple in many areas. (Law of unintended consequences: Linux was born to take on Windows, and so many of the smaller companies and competitors have been outpaced by Linux.)

I'm not a fan of any system - just a realist. And when a Mac person tries to claim that they are immune, I just laugh.

228 posted on 08/12/2003 9:06:29 AM PDT by MrsEmmaPeel

To: eyespysomething
Hey eyespy....

I'm a bit surprised at .45MAN's company. I called our head techie at my company who said that we got the Sophos update for that particular worm this week. .45MAN's company is a high-tech firm that does a lot of government work.

He just left me a message and said they have to go computer to computer to fix it.

"Eek what a mess" is right!
229 posted on 08/12/2003 9:07:47 AM PDT by dansangel (America - Love it, Support it or LEAVE it!)

To: STFrancis
bump
230 posted on 08/12/2003 9:21:45 AM PDT by GOPJ

To: jeffsher
Jeff, about that fixblast.exe fix from Symantec, do you have to have the virus software to run that thing???
231 posted on 08/12/2003 9:29:07 AM PDT by Howlin (If we don't post, will he exist?)

To: STFrancis
day bump
232 posted on 08/12/2003 9:32:22 AM PDT by GOPJ

To: Howlin
Symantec offers a bunch of targeted virus fixers for free. Most will run from DOS mode in case your machine is too hosed to boot Windows. The only catch is you have to know the name of the virus and be able to download the fix.

They saved my butt from klez a few months ago.
233 posted on 08/12/2003 9:35:35 AM PDT by js1138

To: SengirV
OH MY GOD!!!!!!! Another virus!!!! What do I do?!?!?!?!? Oh wait, I have a Mac. Nevermind.

Yeah lucky you Apple's market share is too small for anyone to bother. ;-0
234 posted on 08/12/2003 10:04:59 AM PDT by Kozak (" No mans life liberty or property is safe when the legislature is in session." Mark Twain)

To: Howlin
It appears that this is a "stand alone" and you do not need NAV to run it. Check here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

I will say that they are correct in urging you to stop "system restore" before removing this. I had a virus the other day (first in a long time) that I tried to delete using NAV, but couldn't because of system restore. Once I disabled system restore and booted into safe mode, I was able to get rid of it. Good luck!

235 posted on 08/12/2003 10:08:56 AM PDT by Born Conservative

To: LynnHam
Home use, thanks.
236 posted on 08/12/2003 10:10:56 AM PDT by FourtySeven

To: Brian S
Useful info, thanks.
237 posted on 08/12/2003 10:15:21 AM PDT by FourtySeven

To: jeffsher
My niece has this worm on her Compaq laptop. She has downloaded the security patch, disabled the system restore, run the fixblast.exe (which said the program was terminated), enabled system restore and then rebooted.

When she did a search, she STILL has MSblast.exe (2 of them, in fact, one modified at 12:15 PM EST) on her hard drive.......any ideas????
238 posted on 08/12/2003 10:16:19 AM PDT by Howlin (If we don't post, will he exist?)

To: MrsEmmaPeel
I'm surprised at the number of darts thrown at you over your posts on this subject. I have consulted many times with Fortune 500 companies for a leading information security company, and can only agree with you 100%. Anybody who thinks OS X, Unix, Windows, or any other OS is basically safe out of the box is naive.

Regards.
239 posted on 08/12/2003 10:21:33 AM PDT by Ted

To: STFrancis
The patch is for Windows NT 4.0 Server and Windows NT 4.0 Terminal Services.

There is not an explicitly issued patch for Windows NT 4.0 Workstation or for Small Business Server, both of which are vulnerable but not listed as being so. They haven't been listed because they are no longer supported. One must be very careful about reading Microsoft's tech bulletins.

It is my understanding that the NT 4.0 Server patch will work on 4.0 Workstation. I have heard this from people whom I believe to be competent, but I haven't seen it with my own eyes. I haven't heard anything at all about SBS.

240 posted on 08/12/2003 10:44:42 AM PDT by Knitebane

