Free Republic

New Worm Installs Patches - new worm takes trys to repair systems infected by Blaster Worm
CRN ^ | 08/18/03 | Marcia Savage

Posted on 8/18/2003, 9:02:56 PM by bedolido

A new worm takes a different twist by trying to repair systems infected by Blaster and patch the vulnerability it exploits, antivirus vendors said Monday.

The worm, called Nachi or MSBlast.D, tries to delete Blaster from some infected systems and install patches, according to Trend Micro. Last week's Blaster worm, also called MSBlast and Lovsan, infected hundreds of thousands of systems by exploiting a Remote Procedure Call (RPC) flaw in Microsoft Windows.

Nachi exploits the same flaw but can delete the MSBlast.exe file left by Blaster on machines running Windows 2000 and Windows XP and download Microsoft patches to fix the flaw, according to Trend Micro.

The company rated the new worm as a medium risk. Computer Associates ranked the worm as medium-on-watch, while Network Associates called it a medium risk.

"Some may call this a good virus, but it can cause all sorts of problems when patches are applied to a computer unbeknownst to the administrator of that computer," Ken Dunham, malicious code intelligence manager at iDefense, said in an alert issued Monday.


TOPICS: Culture/Society; Miscellaneous; News/Current Events
KEYWORDS: blaster; infected; installs; new; patches; repair; systems; worm

1 posted on 8/18/2003, 9:02:57 PM by bedolido

To: bedolido
How bad does it have to get before even the worm writers take pity on you?
2 posted on 8/18/2003, 9:05:17 PM by Knitebane

To: bedolido
I hope it works.

I'm getting 300 - 400 attempts on my port 135 in an hour!
I guess it's worse for those with broadband.

3 posted on 8/18/2003, 9:07:46 PM by mrsmith

To: Knitebane
How bad does it have to get before even the worm writers take pity on you?

I tried to rewrite the title line and forgot to proofread it...lol. I hope he takes pity on me asap.

4 posted on 8/18/2003, 9:08:17 PM by bedolido (None of us is as dumb as all of us!)

To: bedolido
Some may call this a good virus, but . . .

Right! Whoever wrote this one . . . Thanks, but no thanks. I don't want 50,000 good viruses on my computer doing battle with 50,000 bad viruses.

5 posted on 8/18/2003, 9:10:42 PM by LibWhacker

To: bedolido
Interesting. I just saw this flit by on some IT site.

Do you think this might be a (gasp!) creative thought about healing/resolving virus issues? Personally, I think this is the only way to do it.

If you have a bad virus, you send out a "good" virus to track it down.

One of the problems is that our network has a ton of individual users who never update anything and have absolutely no protection against viruses, data theft, you name it. We also have many cheap corporate users who simply don't understand the need to be on top of these things.

Maybe a "repair" virus could be a real solution. If you don't want it (or the thing it's repairing), then protect your system. Otherwise, get repaired.

I do hope they put up a help site for computer professionals who are going to need to assist people/companies with strangely configured systems who may be put out of operation by the repair, though.
6 posted on 8/18/2003, 9:12:45 PM by livius

To: bedolido
...takes a different twist by trying to repair systems infected by Blaster and patch the vulnerability it exploits

Does it succeed? If so, how often?

7 posted on 8/18/2003, 9:14:45 PM by freedomcrusader

To: bedolido
Oh, and could this be the guilty conscience of the person who authored the Blaster worm in the first place?
8 posted on 8/18/2003, 9:15:28 PM by freedomcrusader

To: freedomcrusader
More likely a desperate attempt by Microsoft to limit the damage.
11 posted on 8/18/2003, 9:18:08 PM by thoughtomator (Are we conservatives, or are we Republicans?)

To: mrsmith
I'm getting 300 - 400 attempts on my port 135 in an hour! I guess it's worse for those with broadband.

Definitely. I have used ISDN at work from 1997 to 2000, and DSL from summer 2000 till the present. Anyone with a broadband internet connection is a prime target for hackers. You need to get a firewall like Zone Alarm (Zone Alarm is free for personal use) or Norton Firewall or a router with a built-in firewall. One big advantage for people who connect to the internet via broadband is that the virus updates, operating system patches, and service packs are much easier and quicker to download.

12 posted on 8/18/2003, 9:18:56 PM by Paleo Conservative (Do not remove this tag under penalty of law.)

To: Paleo Conservative
I have zonealarm on my dial-up. That's how I know I'm getting all these attempts.
13 posted on 8/18/2003, 9:21:59 PM by mrsmith

To: mrsmith
My girlfriend is getting hit at a similar rate with her dial-up as you are. On my T1, Zone Alarm has only logged 6 attempts since this thing started last week.
14 posted on 8/18/2003, 9:24:33 PM by Flying Circus (orthodoxy requires orthopraxy)

To: Liz
Ping.
15 posted on 8/18/2003, 9:30:01 PM by Graewoulf

To: Graewoulf
Did you get hit?
16 posted on 8/18/2003, 10:00:56 PM by Liz

To: mrsmith
I guess it's worse for those with broadband.

It's not as bad as you think. I just installed ADSL last week. With Zone Alarm installed you can block and then report the attempted port scan in minutes. They will diminish in frequency as you report them; most are from the same source.

Here's a good tip I need to pass on to Microsoft; maybe other FR users have noticed it. CFS III, Combat Flight Simulator, is infected with something that the MS patches cannot fix. The first symptom is many port scans while this software is running. The other symptom is replacement of the left-hand airspeed indicator with a redundant climb meter.

17 posted on 8/18/2003, 10:09:43 PM by SSN558 (Be on the lookout for Black White-Supremacists)

To: mrsmith
"I'm getting 300 - 400 attempts on my port 135 in an hour!"

I haven't gotten any in days. This wouldn't have been possible if MS weren't so sloppy with their code, let every country in the Western Hemisphere study the code for their Server 2000 software and put out only a tiny, limp wristed link to the patch on their site. This has happened with MS before. They DO NOT go out of their way to notify users of a security hole. The best place to get these warnings is the FBI.

I spent two solid days last week helping almost hysterical users get the thing out of their system.

Note to MS users: download updates regularly! Not once...but once a MONTH. Run anti-virus software and keep your virus defs updated! Use a good, personal firewall!

18 posted on 8/18/2003, 10:52:03 PM by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)

To: cake_crumb
Uh...make that EASTERN hemisphere.
19 posted on 8/18/2003, 10:57:37 PM by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)

To: SSN558
Well how do I report them?

I would like to tell them they have the worm.

I can "whois" them, but AFAIK there isn't any way for a dial-up like me to contact them.

20 posted on 8/18/2003, 11:00:27 PM by mrsmith

