W32 Blaster Worm

http://www.cert.org/advisories/CA-2003-20.html ^ | CERT

[dfrussell]

This thing seems to be spreading quite quickly. If you're using MS and haven't verified your system, you should.

If you're not using a firewall, you should.

http://www.sygate.com will allow you to download and install a personal firewall -- it's easy to install.

Internet Security Systems (http://www.iss.net) has released a scan tool to check for the MS03-026 patch on Windows servers.

Location:

http://www.iss.net/support/product_utilities/ms03-026rpc.php

[Bikers4Bush]

It's a nasty one. Doesn't move via e-mails, can actually move from one computer to another on it's own once it has found a vulnerable pc through the net.

[Joe Hadenuf]

Does this specific virus affect windows ME operating systems?

[dfwgator]

And if you are a network administrator and you let this worm get through, you should start looking for another job.

[Bikers4Bush]

From what I know it doesn't. It was supposedly designed to specifically attack XP.

It couldn't hurt to check at the Microsquash website though.

[EagleMamaMT]

bump for later reading.

[Centurion2000]

The wonderful little bastard also seems to like the tftp service as a weak port.

We're covered at our location, but our morthship just got nailed with this thing a few hours ago. Thank God for firewalls.

-Proud firewall admin watching the lava break against my defenses.

[Bikers4Bush]

Maybe, maybe not. It's possible that it's being introduced from laptops that have been used offsite and then brought back to docking stations.

It's easy to tell folks to makes sure they load updates of virus scan programs, getting them to comply is another story.

[StatesEnemy]

SurferBeware

[antivenom]

No

[antivenom]

People don't do their microsoft updates...that was the fix available since mid July...

[FAB]

Microsoft Security Bulletin MS03-026

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Explanation of virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

[Bikers4Bush]

That too.

[dfwgator]

It's easy to tell folks to makes sure they load updates of virus scan programs, getting them to comply is another story.

I think firing a few of them for negligence will take care of that problem.

[Maigret]

I got this from our ISP this morning -

Early yesterday afternoon, a worm began spreading throughout the Internet. This worm, called the RPC worm causes infected computers running Windows 4.0, NT, 2000 or XP to reboot spontaneously. This worm is not spread through e-mail, but is a flaw in the Microsoft RPC code.

If your system is infected with the worm, you will get an error message like the following:

The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown: (counts down from 60 sec to 0). Windows must now restart because the Remote Procedure Call RPC) Service terminated unexpectedly.

You can find troubleshooting steps to rid your system of the worm posted at: http://www.trueband.net/msblast.html

[Bikers4Bush]

Now THAT would make a statement.

Unfortunately that would require blasting our entire sales force.

[b4its2late]

BTTT

[ErnBatavia]

Bump

[OXENinFLA]

Quick question for simpletons like me.....

How does one go about finding out if ones system has been infected?

[dfwgator]

Well I did say to only fire a few just to send a message.