New Virus hitting hard and furious!!!

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html ^ | 08/11/03 | self

[STFrancis]

All,

Here a scoop to Freepers which is just now hitting us security pro's.

There is a first vulnerability that uses the MS Bug that MS addressed with MS 03-026 two weeks ago.

It is calling itself MSBLAST.exe and is spreading in the wild unbelievably fast. http://isc.sans.org/diary.html?date=2003-08-11

A first advisory from McAffee has just been published: http://us.mcafee.com/virusInfo/defa...&virus_k=100547 Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

In other words we need to make sure port 4444 is blocked inbound AND outbound.

Of course this is in addition to the MS03-026 patch being installed which Microsoft released two weeks ago (more info regarding the patch here: http://www.microsoft.com/technet/tr...n/MS03-026.asp.

Another advisory was JUST posted by Symantec: http://www.symantec.com/avcenter/ve...aster.worm.html

Just thought everyone ought to know.

Thanks...

[Knitebane]

SCO has an invoice for you.

Thousands for ammunition, not one penny for tribute.

[A Navy Vet]

Just found MSBlast.exe in my registry. And what point in this process do you delete the file itself? And yes, I know to turn off system restore. Thank you.

[Humidston]

Bookmarked

[qwertyz]

Sorry--That should be www.spinrite.com or simply grc.com, not www.grc.com

[A Navy Vet]

I actually found it in the HKEY_Users/S-1-5.../Software/Microsoft/Search Assistant/ACMru/5603 folder. Why would it show up here, and do I actually have it?

In the right pane it has...
Name:000
Type:REG_SZ
Data:MSBlast.exe

Does this just reflect a search I did for it or does it actually exist? Please help this computer moron.

[MrsEmmaPeel]

I'm surprised at the number of darts thrown at you over your posts on this subject. Thanks for your support.

[A Navy Vet]

Please see my post #265

[billhilly]

Four others now.

Just heard on the radio that the Department of Motor Vehicles in Maryland has been shut down by this virus.

You will get your newspapers and magazines though, because most publishing operations use Mac.

[AppyPappy]

Yes you have it. The fix is listed somewhere in this thread. It's long and fairly involved. I can freepmail it to you. In the meantime, do this:

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)


Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"windows auto update"="msblast.exe"


Exit the Registry Editor.

[STFrancis]

The virus is on your machine.

Best thing to do is to go to www.symantec.com and download FIXBLAST.exe.

Execute it on your local machine and e-voila... all clean...

I knew when I first saw that sucker yesterday that it would be HUGE!!!

[A Navy Vet]

""windows auto update"="msblast.exe"

It isn't there, and I haven't been experiencing any problems, either. I think what I'm seeing is just the my own search entry when I entered "find" in the Registry Editor. It sits in the Search Assistant folder in Hkey_Users main folder. There are some other entries in the Search Assistant folder I recognize as having "searched" for. I've already downloaded the patch according to the instructions.

[AppyPappy]

You are probably right. If it's not in that location, you should be OK.

[STFrancis]

Sorry, I didn't read the whole reg key. You are right, it's just in your search criteria... As long as it is not under HKLM/Software/Microsoft/windows/run you should be fine.

[STFrancis]

HKLM/Software/Microsoft/windows/currentversion/run of course.

[A Navy Vet]

Thanks guys/gals? I ran Symantec fixblast anyway - no worm found. And updated my Norton and the MS patch. Good luck to everyone with this sneaky little bugger. BTW, Norton did a good job of catching Bugbear that was going around, twice.

I have noticed the Web seems a little slow today. I have cable. Maybe it's just FR.

[w1andsodidwe]

I believe that it just represents the search. If it is not on your hard drive you are OK.

[Brad’s Gramma]

bttt

[null and void]

Ah!

The true evil genius of the worm. It restarts the system in less time than the patch can be downloaded on dialup.

Sneaky!

I can't help but wonder if it came from a high speed interconnect company...

[null and void]

You're not picked on because you're (MAC) an insignificant target. How many PCs in the world vs Macs?

Ya know what?

I don't care why I'm not picked on.

I do care that I'm not picked on...

[null and void]

a magnificent person on FR helped me out

With the caliber of the typical FReeper, that doesn't narrow it down much...