Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake (Posts: 238), 08/12/2003 2:23 PM

What it is
There is a worm (dubbed the Blaster.w32 worm by Symantec and LoveSan by McAfee), spreading rapidly across the internet, that exploits the DCOM vulnerability we've warned folks twice about. If you haven't patched yet and you're not behind a firewall - it could be too late. The anti-virus makers are running around like crazy trying to debug this and get signatures updated; so far both Symantec and McAfee have updated their signatures, and new ones are available immediately.
If your machine is on the internet without a firewall it could be infected if not properly updated with security updates. A properly configured personal firewall such as Zonealarm or a hardware firewall such as a Linksys firewall will protect you from this type of worm.
If the worm infects you, it spreads by adding itself to the RUN key in your registry ("Windows auto update"="msblast.exe"). The next time you reboot - you'll have this worm running on your system if you're not properly patched up. Once running, the worm will scan other machines to try to infect them, causing slowdowns on the web, email and on your network. Note that such a worm, as it spreads, tends to slow down EVERYONE's Internet access because of the traffic it generates.
What to do
If you're not yet infected, be sure you've updated your system for the DCOM vulnerability using Windows Update. In addition, be sure that you have some sort of firewall (either a personal firewall, or a hardware one) isolating your computer from the internet at large. Update your virus signatures ASAP, and do so frequently during the next several days. Usually the release of one virus into the wild generates a series of copycat viruses directly modified on the first one - some with much more dangerous payloads.
If you are infected follow the directions at Symantec's site (listed below) for removal - this one is fairly simple to remove permanently.
Other References
Symantec: http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441

Lee Drake (Posts: 238), 08/12/2003 2:24 PM

Additional Info
Information developing on the Blaster.w32 worm indicates that on the 15th it will launch a denial of service attack on windowsupdate.microsoft.com site. This, once it triggers, will make it difficult or impossible to contact the site to update your software and get the patch - so please download the patch SOONER rather than later.
The site to obtain the patch from Microsoft - outside the windowsupdate.microsoft.com method should it be blocked - is at:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

Lee Drake (Posts: 238), 08/12/2003 2:27 PM

I've gotten several calls on what exact steps to take to clean the new MS Blaster worm. Here's a helpful set of links and steps:
Here's a good technical description of what the virus does (and how it spreads):
http://www.eeye.com/html/Research/Advisories/AL20030811.html
Here's the cleaner tool download page from Symantec:
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://securityresponse.symantec.com/avcenter/FixBlast.exe
Here's the download page for the Microsoft patch (Download may be VERY SLOW! - be patient, all the folks who didn't patch before the worm are trying to download this patch):
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
It's important to note that JUST CLEANING THE WORM will not fix the problem - you must clean the worm AND APPLY THE PATCH in order to prevent reinfection. You don't get this worm from an email or anything someone sent you - it's on the internet CONSTANTLY SCANNING for new machines to infect. Cleaning it will only get rid of it temporarily.
Note that after August 17th the virus will perform a denial of service on Microsoft's windowsupdate site. When that happens it could become nearly impossible to get the patch through windowsupdate.
Basic steps:
- Download the patch and the cleaner tool to your machine (make sure to get the one for the correct operating system), or to another uninfected machine and transfer them to the infected machine. If you don't already have them, download MBSA or HFNETCHK to your machine as well.
- Disconnect from the network (unplugging the cable from the back of the machine works fine here)
- Run the cleaner tool
- Run the patch
- Reboot your machine
- Double check using Microsoft Baseline Security Analyzer or HFNETCHK Pro that your machine is safely patched
- Reconnect to the network (plug the cable back in)
- While you're at it - patch up any other security concerns or critical updates you might need through windowsupdate.
If you are infected - seriously consider getting either a hardware or software firewall in addition to this patch. You can obtain ZoneAlarm personal version free from http://www.zonealarm.com. For home users the linksys BEFSR41 is a reasonably priced, easy to configure hardware firewall.
Hope this helps,
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St. Ste B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441
Cell number: 585-509-0284
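An added detection check, not from the posts above or from any of the linked tools: a small Python parser that reads the text output of `reg export` for the Run keys and flags the "Windows auto update"="msblast.exe" entry the worm adds. The sample export is constructed, and checking HKEY_CURRENT_USER alongside HKEY_LOCAL_MACHINE goes beyond the post, which names only "the RUN key".

```python
import re

# Constructed sample of "reg export" output for the Run key, in .reg text format;
# "Windows auto update"="msblast.exe" is the indicator the thread describes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Windows auto update"="msblast.exe"
"""

# The post names only "the RUN key"; checking HKCU as well as HKLM is an assumption here.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
INDICATOR_EXE = "msblast.exe"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; only string values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_blaster_run_entries(text):
    """Return [(key, value_name, data)] for Run entries whose command is msblast.exe."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            # Executable name from a bare name or a full path, ignoring any arguments.
            exe = data.strip('"').split(" ")[0].rsplit("\\", 1)[-1].lower()
            if exe == INDICATOR_EXE:
                hits.append((key, name, data))
    return hits
```

Export the live key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (on current Windows the file is UTF-16, so open it with that encoding) and pass the file contents to `find_blaster_run_entries`. A hit only confirms the Run entry; the cleaner tool and the MS03-026 patch from the steps above are still what remove and prevent the infection.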

Lee Drake (Posts: 238), 08/12/2003 4:27 PM

Other names for the virus include SanLove, sanlove, lovsan, sanlov.

EldAztek (Posts: 0), 08/14/2003 6:08 AM

Over the last couple of days, we have received reports of difficulty obtaining the critical update to close the hole used by the Blaster worm to set up its planned take-down of the Microsoft Windows Update Web site. We have created an emergency download page containing the patches for all affected versions of Microsoft Windows, along with the step by step instructions that I put together for my mother.
The page is at http://www.p6c.com/BLASTER/ and it will remain up for as long as we deem necessary. Please feel free to use this page promptly if you have not updated. You are welcome to share this message with others who may be experiencing difficulty.
David Gray
P6 Consulting
V: +1 (972) 751-0254
TZ: USA Central, GMT -5
E: mailto:dagray@p6c.com
W: http://www.p6c.com
VirusWarning Mailing List Info: http://www.leedrake.com/virus_notification.htm

EldAztek (Posts: 0), 08/14/2003 6:15 AM

Additional Info on Blaster
According to Symantec the worm now takes an average of 20 minutes to infect (or reinfect) an exposed machine - we've seen the same anecdotally in the field. We've had AOL users, and dialup users all report infections. Also, we've had a number of people asking us about Win95/Win98/WinME machines. To date there have been no recorded infections of these machines. The interface that the worm uses (DCOM RPC) is not present in Win9x machines - so for once they're actually more secure than the more recently released operating systems, at least as far as this particular worm.