Charles, Our remote satellite sites were hit and infected 3/7 (broadband satellite), Internally no problems. Info @: Trend describes best way to do a manual removal.
Easy Way: If you were infected and PC keeps restarting goto Services-Remote Procedure Call (RPC). Right Mouse Click goto Properties, goto Recovery tab and choose Take No Action for all three options, hit Apply. This will give you enough time to apply Microsoft patch Goto Task Manager-Processes tab. End MBLAST.exe process/task dependant on OS. Goto Regedit32.exe HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run. In the right panel, locate and delete the entry: "windows auto update" = MSBLAST.EXE Update virus defs and do a full system scan. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST .A http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html Patch, choose OS, @: http://support.microsoft.com/?kbid=823980 Hope that no one is affected too badly by this one. James -----Original Message----- From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Tuesday, 12 August 2003 11:12 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER) I've been getting hammered on this one myself... My firewall logs are packed with hits to ports 135 and 445. Charles -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Monday, August 11, 2003 19:41 To: [EMAIL PROTECTED] Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER) In case you been sleeping on the RPC DCOM hole (MS03-26), the time to patch was a couple of weeks ago, but if you still didn't... Duck... No actually patch! Now is not the time for your company to discover that a firewall doesn't protect all entrances to your network. http://isc.sans.org/diary.html?date=2003-08-11 List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
