New Virus hitting hard and furious!!!
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html | 08/11/03 | self
Posted on 08/11/2003 2:33:46 PM PDT by STFrancis
All,
Here's a scoop for Freepers which is just now hitting us security pros.
There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.
It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11
A first advisory from McAfee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547 Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
In other words we need to make sure port 4444 is blocked inbound AND outbound.
Of course this is in addition to the MS03-026 patch being installed which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp).
Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html
Just thought everyone ought to know.
Thanks...
TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: blaster; computer; firewall; internet; macuserlist; microsoft; msblast; techindex; virus; vulnerability; worm
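The sequence described in the post above (a shell on port 4444, then a tftp download), turned into a detection check. This is an added example, not part of the original post. The flow-record format, the addresses and the 60-second window are constructed, and it assumes the shell listens on the newly compromised host and the TFTP request goes back to the host that connected to it.

```python
from collections import defaultdict

# Constructed flow records (not from the thread): "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1060637600 10.0.0.7 10.0.0.21 tcp 4444
1060637603 10.0.0.21 10.0.0.7 udp 69
1060637700 10.0.0.9 10.0.0.30 tcp 4444
1060637900 10.0.0.40 10.0.0.50 udp 69
1060638000 10.0.0.7 10.0.0.22 tcp 4444
1060638500 10.0.0.22 10.0.0.7 udp 69
"""

SHELL_PORT = 4444  # shell port named in the original post
TFTP_PORT = 69     # standard TFTP server port
WINDOW = 60        # assumed: max seconds between shell connect and TFTP fetch


def parse_flows(text):
    """Yield (ts, src, dst, proto, dport); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[4].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])


def find_download_sequences(text, window=WINDOW):
    """Return (host, peer, shell_ts, tftp_ts) for each host that received a
    TCP/4444 connection and then sent a TFTP request back to that same peer
    within `window` seconds."""
    shell_seen = defaultdict(list)  # (host, peer) -> times peer connected to host:4444
    hits = []
    for ts, src, dst, proto, dport in sorted(parse_flows(text)):
        if proto == "tcp" and dport == SHELL_PORT:
            shell_seen[(dst, src)].append(ts)
        elif proto == "udp" and dport == TFTP_PORT:
            recent = [t for t in shell_seen.get((src, dst), []) if ts - t <= window]
            if recent:
                hits.append((src, dst, recent[-1], ts))
    return hits


def hosts_to_isolate(text, window=WINDOW):
    """Hosts that completed the shell-then-TFTP sequence, deduplicated."""
    return sorted({host for host, _, _, _ in find_download_sequences(text, window)})
```

A lone connection to port 4444 or a lone TFTP request is not flagged; only the pair between the same two hosts inside the window is.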
To: Lazamataz
SCO has an invoice for you. Thousands for ammunition, not one penny for tribute.
To: LynnHam
Just found MSBlast.exe in my registry. And at what point in this process do you delete the file itself? And yes, I know to turn off system restore. Thank you.
262 posted on 08/12/2003 12:26:39 PM PDT by A Navy Vet (Government is the problem, not the solution.)
To: STFrancis
Bookmarked
263 posted on 08/12/2003 12:29:22 PM PDT by Humidston (Do not remove this tag under penalty of law)
To: qwertyz
Sorry--That should be www.spinrite.com or simply grc.com, not www.grc.com
264 posted on 08/12/2003 1:00:06 PM PDT by qwertyz
To: A Navy Vet; LynnHam; All
I actually found it in the HKEY_Users/S-1-5.../Software/Microsoft/Search Assistant/ACMru/5603 folder. Why would it show up here, and do I actually have it?
In the right pane it has...
Name:000
Type:REG_SZ
Data:MSBlast.exe
Does this just reflect a search I did for it or does it actually exist? Please help this computer moron.
265 posted on 08/12/2003 1:01:35 PM PDT by A Navy Vet (Government is the problem, not the solution.)
To: Ted
I'm surprised at the number of darts thrown at you over your posts on this subject. Thanks for your support.
To: A Navy Vet; AppyPappy
Please see my post #265
267 posted on 08/12/2003 1:04:38 PM PDT by A Navy Vet (Government is the problem, not the solution.)
To: LenS
Four others now.
Just heard on the radio that the Department of Motor Vehicles in Maryland has been shut down by this virus.
You will get your newspapers and magazines though, because most publishing operations use Mac.
268 posted on 08/12/2003 1:05:02 PM PDT by billhilly (No monument has been erected to a cynic)
To: A Navy Vet
Yes you have it. The fix is listed somewhere in this thread. It's long and fairly involved. I can freepmail it to you. In the meantime, do this:
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.
269 posted on 08/12/2003 1:28:03 PM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: A Navy Vet
The virus is on your machine.
Best thing to do is to go to www.symantec.com and download FIXBLAST.exe.
Execute it on your local machine and e-voila... all clean...
I knew when I first saw that sucker yesterday that it would be HUGE!!!
To: AppyPappy
"windows auto update"="msblast.exe"
It isn't there, and I haven't been experiencing any problems, either. I think what I'm seeing is just my own search entry from when I entered "find" in the Registry Editor. It sits in the Search Assistant folder in Hkey_Users main folder. There are some other entries in the Search Assistant folder I recognize as having "searched" for. I've already downloaded the patch according to the instructions.
271 posted on 08/12/2003 2:10:15 PM PDT by A Navy Vet (Government is the problem, not the solution.)
To: A Navy Vet
You are probably right. If it's not in that location, you should be OK.
272 posted on 08/12/2003 2:14:25 PM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
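The distinction worked out in the posts above, as an added example that is not part of any post: a value naming msblast.exe under the HKLM Run key is an autostart entry, while the same name under Search Assistant\ACMru only records a search. The two exports are constructed in .reg text format, the SID is a placeholder (the thread elides the real one), and the function names are hypothetical.

```python
import re

# Constructed exports in .reg text format (not taken from any poster's machine).
# The SID is a placeholder; the thread elides the real one.
CLEAN_EXPORT = r"""
[HKEY_USERS\S-1-5-21-EXAMPLE\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="MSBlast.exe"
"""

INFECTED_EXPORT = CLEAN_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MRU_MARK = r"\search assistant\acmru"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, string_data) for REG_SZ values in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def classify_hits(text, needle="msblast.exe"):
    """Label every value whose data mentions the needle by where it lives."""
    hits = []
    for key, name, data in parse_reg(text):
        if needle not in data.lower():
            continue
        k = key.lower()
        if k == RUN_KEY:
            kind = "autostart"       # the Run entry the thread says to delete
        elif MRU_MARK in k:
            kind = "search-history"  # only records that the name was searched for
        else:
            kind = "unclassified"    # needs a manual look
        hits.append((kind, key, name))
    return hits


def has_autostart_entry(text):
    return any(kind == "autostart" for kind, _, _ in classify_hits(text))
```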
To: A Navy Vet
Sorry, I didn't read the whole reg key. You are right, it's just in your search criteria... As long as it is not under HKLM/Software/Microsoft/windows/run you should be fine.
To: STFrancis
HKLM/Software/Microsoft/windows/currentversion/run of course.
To: STFrancis; AppyPappy
Thanks guys/gals? I ran Symantec fixblast anyway - no worm found. And updated my Norton and the MS patch. Good luck to everyone with this sneaky little bugger. BTW, Norton did a good job of catching Bugbear that was going around, twice.
I have noticed the Web seems a little slow today. I have cable. Maybe it's just FR.
275 posted on 08/12/2003 2:54:29 PM PDT by A Navy Vet (Government is the problem, not the solution.)
To: A Navy Vet
I believe that it just represents the search. If it is not on your hard drive you are OK.
276 posted on 08/12/2003 2:58:33 PM PDT by w1andsodidwe (recycling is a waste of time for hardworking taxpayers, hire the homeless to sort garbage)
To: Tamsey
bttt
277 posted on 08/12/2003 3:06:14 PM PDT by Brad’s Gramma (fREE rEPUBLIC iS nOT aDDICTIVE, fREE rEPUBLIC iS nOT aDDICTIVE, fREE rEPUBLIC iS nOT aDDICTIVE, fREE)
To: Iowa Granny
Ah!
The true evil genius of the worm. It restarts the system in less time than the patch can be downloaded on dialup.
Sneaky!
I can't help but wonder if it came from a high speed interconnect company...
To: GigaDittos
You're not picked on because you're (MAC) an insignificant target. How many PCs in the world vs Macs? Ya know what?
I don't care why I'm not picked on.
I do care that I'm not picked on...
279 posted on 08/12/2003 3:18:38 PM PDT by null and void (Doc? It hurts every time I do this...)
To: diotima
a magnificent person on FR helped me out
With the caliber of the typical FReeper, that doesn't narrow it down much...