In addition to the measures (you could download the removal tool from Symantec as it's a whole lot simpler):

1. As soon as you get into Windows, go to Task Manager and end the process msblast.exe
2. Run regedit and remove the key
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   "windows auto update" = msblast.exe
3. Search for msblast.exe on the system drive and delete any copy that is found.
4. Disconnect any connection to the internet or to the network.
5. Reboot the computer.

You need to download the Windows update (only affects W2k, XP, Win2003) from MS (see bulletin MS03-026) before running the above.

Does not affect Linux, Mac, OS/2 (really! :), UNIX according to Symantec, so not a prob at all for RaQs.

Jon Grey Davies

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 12 August 2003 20:00
To: [EMAIL PROTECTED]
Subject: cobalt-security digest, Vol 1 #1244 - 10 msgs

Send cobalt-security mailing list submissions to
	[EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."

Today's Topics:

   1. test for echo (Jaana Jarve)
   2. W32/Lovsan.worm Attacking Port 135 (Rex Gaylord)
   3. RE: W32/Lovsan.worm Attacking Port 135 (Graeme Fowler)
   4. W32/Lovsan.worm Attacking Port 135 (Rex Gaylord)
   5. Re: test for echo (David Black)
   6. Re: W32/Lovsan.worm Attacking Port 135 (Jaana Jarve)
   7. Re: test for echo (Robbert Hamburg (HaVa Web- & Procesdesign))
   8. RE: test for echo (Bob Noordam)
   9. php upload_tmp_dir & sanity (Jaana Jarve)
  10. Re: test for echo (Greg Boehnlein)

--__--__--

Message: 1
Date: Tue, 12 Aug 2003 20:07:32 +0300 (EEST)
From: Jaana Jarve <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [cobalt-security] test for echo
Reply-To: [EMAIL PROTECTED]

hi..

is this list still working?
half a month of nothing makes one wonder.

rgds,
netcat

--__--__--

Message: 2
Date: Tue, 12 Aug 2003 10:21:53 -0700
From: "Rex Gaylord" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: [EMAIL PROTECTED]

Is anybody else getting attacks on Port 135 that is related to this new
virus and do you know if we are vulnerable? It looks like it only infects
Windows machines to me so far.

Thanks,
Rex Gaylord

============================

A NEW VIRUS HAS BEEN DETECTED, NAMED W32/Lovsan.worm

Symptoms of Infection:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)

This worm spreads by exploiting a recent vulnerability in Microsoft Windows.
The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2 hours.
Please go to ftp://65.3.178.52 at around 5:15pm PDT. After downloading it,
extract it to a folder, such as PANDA, and then update from the program with
the update source pointing to the folder you extracted the signature file to.

In the meantime, here is a manual solution for it in case you already got
infected:

1. As soon as you get into Windows, go to Task Manager and end the process msblast.exe
2. Run regedit and remove the key
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   "windows auto update" = msblast.exe
3. Search for msblast.exe on the system drive and delete any copy that is found.
4. Disconnect any connection to the internet or to the network.
5. Reboot the computer.

Steve Demogines, Director
Panda Software Technical Support
[EMAIL PROTECTED]
818-543-6901

This e-mail message is virus free, having been scanned and cleaned by Panda
Software, the leading international antivirus company declared "The
Undisputed Champ" by PC World Magazine!
For more information, go to: www.pandasoftware.com

--__--__--

Message: 3
Subject: RE: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Date: Tue, 12 Aug 2003 18:44:55 +0100
From: "Graeme Fowler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

On 12 August 2003 18:22, Rex Gaylord wrote:
> Is anybody else getting attacks on Port 135 that is related to this
> new virus and do you know if we are vulnerable. It looks like it only
> infects windows machines to me so far?

1. Yes
2. No [see below]
3. Indeed, it is another worm exploiting another vulnerability in the
underlying Windows subsystems (this time it's the RPC subsystem, crucial to
normal operation).

[note] If you're running a publicly-accessible Samba server (on a Qube, for
example), it _might_ cause a local service DoS if it manages to make the
daemon crash. It won't, however, exploit it, since the hole is in Windows,
not Samba, code.

Graeme

--__--__--

Message: 4
From: "Rex Gaylord" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Mon, 11 Aug 2003 16:07:24 -0700
Organization: CCC/America
Subject: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: [EMAIL PROTECTED]

Is anybody else getting attacks on Port 135 that is related to this new
virus and do you know if we are vulnerable? It looks like it only infects
Windows machines to me so far.

Thanks,
Rex Gaylord

============================

A NEW VIRUS HAS BEEN DETECTED, NAMED W32/Lovsan.worm

Symptoms of Infection:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)

This worm spreads by exploiting a recent vulnerability in Microsoft Windows.
The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2 hours.
Please go to ftp://65.3.178.52 at around 5:15pm PDT. After downloading it,
extract it to a folder, such as PANDA, and then update from the program with
the update source pointing to the folder you extracted the signature file to.

In the meantime, here is a manual solution for it in case you already got
infected:

1. As soon as you get into Windows, go to Task Manager and end the process msblast.exe
2. Run regedit and remove the key
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   "windows auto update" = msblast.exe
3. Search for msblast.exe on the system drive and delete any copy that is found.
4. Disconnect any connection to the internet or to the network.
5. Reboot the computer.

Steve Demogines, Director
Panda Software Technical Support
[EMAIL PROTECTED]
818-543-6901

--__--__--

Message: 5
From: "David Black" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 12:25:41 -0500
Reply-To: [EMAIL PROTECTED]

Echo... from Houston, TX.

--
David Black, Web Developer
http://SiteDesignAndHosting.com
Professional Web Design, Hosting,
Programming, Animation and more!

----- Original Message -----
From: "Jaana Jarve" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 12, 2003 12:07 PM
Subject: [cobalt-security] test for echo

>
> hi..
>
> is this list still working?
> half a month of nothing makes one wonder.
>
> rgds,
> netcat
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

--__--__--

Message: 6
Date: Tue, 12 Aug 2003 20:42:22 +0300 (EEST)
From: Jaana Jarve <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: [EMAIL PROTECTED]

On Tue, 12 Aug 2003, Rex Gaylord wrote:

> Is anybody else getting attacks on Port 135

yes.

> virus and do you know if we are vulnerable.

no

> It looks like it only infects windows machines

yes, see below

> This worm spreads by exploiting a recent vulnerability in Microsoft
> Windows.

rgds,
netcat

--__--__--

Message: 7
From: "Robbert Hamburg \(HaVa Web- & Procesdesign\)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 20:11:33 +0200
Reply-To: [EMAIL PROTECTED]

----- Original Message -----
From: "David Black" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 12, 2003 7:25 PM
Subject: Re: [cobalt-security] test for echo

> Echo... from Houston, TX.
>

Echo from Amsterdam, NL

--__--__--

Message: 8
From: "Bob Noordam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 20:12:30 +0200
Reply-To: [EMAIL PROTECTED]

>
> hi..
>
> is this list still working?
> half a month of nothing makes one wonder.
>

ping ?

pong !

--__--__--

Message: 9
Date: Tue, 12 Aug 2003 21:18:34 +0300 (EEST)
From: Jaana Jarve <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [cobalt-security] php upload_tmp_dir & sanity
Reply-To: [EMAIL PROTECTED]

i'd be interested to know where raq4 owners keep their upload_tmp_dir
these days.

it was recently brought to my attention that the uploaded files don't get
the proper site gid after being moved under site directories. since the
system default is to use /tmp (symlinked to /home/tmp), the group would be
root.

this doesn't look especially sane to me. besides obvious security concerns,
users could upload to their heart's desire without it ever affecting their
quota.

other opinions? it looks to me the best bet is to set ./tmp in php.ini.
does that have any negative sides to it?

rgds,
netcat

--__--__--

Message: 10
Date: Tue, 12 Aug 2003 14:36:08 -0400 (EDT)
From: Greg Boehnlein <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] test for echo
Reply-To: [EMAIL PROTECTED]

On Tue, 12 Aug 2003, David Black wrote:

> Echo... from Houston, TX.
>
> --
> David Black, Web Developer
> http://SiteDesignAndHosting.com
> Professional Web Design, Hosting,
> Programming, Animation and more!

Ping response from Cleveland, Ohio.

> ----- Original Message -----
> From: "Jaana Jarve" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 12, 2003 12:07 PM
> Subject: [cobalt-security] test for echo
>
> > hi..
> >
> > is this list still working?
> > half a month of nothing makes one wonder.
> >
> > rgds,
> > netcat

--
Vice President of N2Net, a New Age Consulting Service, Inc. Company
http://www.n2net.net Where everything clicks into place!
KP-216-121-ST

--__--__--

End of cobalt-security Digest
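The manual removal steps relayed in the thread (end msblast.exe, delete the "windows auto update" Run value, delete every copy of the file), as an added PowerShell audit script that is not from the list, from Panda or from Symantec. It assumes PowerShell 3 or later run as administrator; it only reports by default and acts only with -Remove, and it leaves the advisory's remaining steps (apply MS03-026, disconnect the network, reboot) to the admin.

```powershell
# Added example: audit a Windows host for the W32/Blaster (msblast.exe)
# indicators named in the advisory and, only on request, remove them.
# Assumption: PowerShell 3+ running elevated. Report-only unless -Remove.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'windows auto update'   # persistence value name from the advisory
$findings = @()

# Step 1: the worm process. Get-Process takes the image name without .exe.
$procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "process msblast.exe running, PID $($p.Id), path $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 2: the Run-key persistence entry. A missing value simply yields $null.
$val = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($null -ne $val) {
    $findings += "Run value '$valName' = '$($val.$valName)'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# Step 3: every copy of the binary on the system drive, not just System32.
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'msblast.exe' `
              -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $copies) {
    $findings += "file $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

# The advisory's first symptom, "unusual TFTP* files" in System32, is only
# reported for manual review: the built-in tftp client matches the same
# pattern, so nothing here is deleted automatically.
$tftp = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter 'TFTP*' `
            -File -ErrorAction SilentlyContinue
foreach ($t in $tftp) {
    $findings += "review by hand: $($t.FullName) (modified $($t.LastWriteTime))"
}

if ($findings.Count -eq 0) {
    Write-Output 'no Blaster indicators found'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once without -Remove to see what it would touch, and again with -Remove only after the MS03-026 update is installed, since the thread's own instructions put the patch before the cleanup.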
