Now THAT's what I call clear directions. Thanks Frank!

David

----- Original Message -----
From: "Betaserver" <[EMAIL PROTECTED]>
To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 10:19 AM
Subject: [RBASE-L] - Re: New Worm


David,
1. Turn off AUTOUPDATES on your machine.
2. *** BEFORE GOING TO THE UPDATE SITE -- CREATE A NEW ERD (emergency repair
disk): Start - Programs - Accessories - System Tools - Backup (select the
ERD option and also check the "back up registry" box).
3. On Win2K and XP machines you can either go Start - Windows Update (on XP:
Start - All Programs - Windows Update), or you can open I.Explorer and go to
www.technet.com.
Allow the system to scan for updates, then carefully pick and choose your
updates; read what they do and how they might apply to your machine.
This gives you more control over the updates and makes it easier to roll
back something if your machine stops working, unlike autoupdates, where you
don't know when or what was done to your machine. But YES, you do want to
stay current as much as you can with the patches and service packs.


-- Frank Conroy, Systems Network Administrator
-- F.J. O'Hara Corp, Boston, MA
-- [EMAIL PROTECTED] - 617-790-3093


-----Original Message-----
From: David M. Blocker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 9:35 PM
To: RBASE-L Mailing List
Subject: [RBASE-L] - Re: New Worm


Thank you Jeff

Can you give more detailed directions?

Web site?
Option to select?

David

----- Original Message -----
From: "Jeff Ward" <[EMAIL PROTECTED]>
To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 8:41 PM
Subject: [RBASE-L] - Re: New Worm


> David,
>
> I always download the security update patches.
>
> Jeff
>
>
> >Thanks Atrix
> >
> >Well, I guess there is no straight answer, huh?
> >
> >Anybody else care to kick in with any specific steps they can recommend?
> >
> >David Blocker
> >
> >----- Original Message -----
> >From: "Atrix Wolfe" <[EMAIL PROTECTED]>
> >To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
> >Sent: Wednesday, August 13, 2003 8:19 PM
> >Subject: [RBASE-L] - Re: New Worm
> >
> >
> > > Hey David,
> > >
> > > I feel your pain about the debate to stay current or not when it comes
> > > to Windows.
> > >
> > > If you stay current, you stay a step ahead of the hackers, but you also
> > > get very bleeding edge things sometimes and as a result get a whole slew
> > > of new problems.
> > >
> > > For instance, quite a few people I know have patched their computer
> > > against the worm with the newest updates from MS.
> > >
> > > A significant portion (about 1/3) of the people that did this have
> > > various problems with their computers now that didn't exist before (and
> > > they weren't infected with the virus).
> > >
> > > So what can you do?  I'm really not sure...
> > >
> > > The virus itself says amongst the binary code somewhere something along
> > > the lines of "bill gates, why do you let this happen, stop making money
> > > and fix your software".
> > >
> > > Ironic, isn't it (or fitting?), that the patches they put out for the
> > > virus can cause problems worse than the virus itself.
> > >
> > > I guess it's like Icarus, where you want to stay current but you want to
> > > see what happens to other people with the latest patches before you get
> > > it. Fly too high and melt your wings, fly too low and get swallowed in
> > > the sea of hackers and viruses! (:
> > >
> > > ----- Original Message -----
> > > From: "David M. Blocker" <[EMAIL PROTECTED]>
> > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, August 13, 2003 5:08 PM
> > > Subject: [RBASE-L] - Re: New Worm
> > >
> > >
> > > > May I get some clarification here?
> > > >
> > > > Several months ago there were many many warnings on this site that it
> > > > was NOT a good idea to automatically use all the updates Microsoft
> > > > sent out for XP computers. This advice was emphatic and came from MANY
> > > > of you.  As a result I have NOT EVER gone to MS site to get updates.
> > > >
> > > > NOW I'm hearing - keep current! Get all the updates!!
> > > >
> > > > Can someone please tell me:
> > > >
> > > > 1. In plain English, yes or no: the updates are a good idea? Or is it
> > > > not that simple? And if not, what to do?
> > > >
> > > > 2.  The specific steps - website address / options on that screen to
> > > > pick, steps to follow - to protect against this worm.
> > > >
> > > > The Norton site on this stinks - it gives highly technical steps to
> > > > follow to block the invasion (e.g. "Block these ports") without any
> > > > specific directions on how to do it.
> > > >
> > > > I've yet to see a straightforward, Razzak style
> > > >
> > > > Step 1
> > > > Step 2
> > > >
> > > > etc. description of what to do!
> > > >
> > > > Any help out there?
> > > >
> > > > David Blocker
> > > >
> > > > ----- Original Message -----
> > > > From: "Ben Johansen" <[EMAIL PROTECTED]>
> > > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, August 13, 2003 2:24 PM
> > > > Subject: [RBASE-L] - Re: New Worm
> > > >
> > > >
> > > > > I agree,
> > > > >
> > > > > MS had a patch out for this worm 3 weeks ago. Just once a week go to
> > > > > Windows Update.
> > > > >
> > > > > I would do it before August 16th because this worm is set to launch
> > > > > a DDOS attack on the Windows Update site then ;-)
> > > > >
> > > > > Ben Johansen - http://www.pcforge.com
> > > > > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm
> > > > > Authorized MDaemon Mail Server Reseller
> > > > > http://www.pcforge.com/AltN.htm
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J.
> > > > > Stephen Wills
> > > > > Sent: Wednesday, August 13, 2003 11:09 AM
> > > > > To: RBASE-L Mailing List
> > > > > Subject: [RBASE-L] - Re: New Worm
> > > > >
> > > > > As some have said, and I would re-iterate, everyone please apply ALL
> > > > > the necessary patches/updates fm Microsoft as it appears, TTBOMK,
> > > > > that simply removing the offending virus is not (necessarily) a
> > > > > preventive measure. That is, a system will still be vulnerable,
> > > > > anti-virus code notwithstanding, to such attacks if its O/S is not
> > > > > also made current.
> > > > >
> > > > > My $0.02,
> > > > > Steve in Memphis
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Ben Johansen" <[EMAIL PROTECTED]>
> > > > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
> > > > > Sent: Wednesday, August 13, 2003 12:33 PM
> > > > > Subject: [RBASE-L] - Re: New Worm
> > > > >
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > The people that fight these viruses are like bloodhounds. Once one
> > > > > > of the big virus fighting labs catches wind of the virus, all of
> > > > > > the major players are notified.
> > > > > >
> > > > > > They go so far as to take a computer, reformat it to a
> > > > > > generic/standard setup, un-infected, and then infect it with the
> > > > > > one virus, and then they go in and log all the changes (registry,
> > > > > > new files, checksum on existing files).
> > > > > >
> > > > > > With the number of eyes looking, it is practically impossible for
> > > > > > any remnants of the virus or another virus to be left once you
> > > > > > have run one of the cleaners from the various labs.
> > > > > >
> > > > > > So, once it is clean, it is Clean
> > > > > >
> > > > > > Ben Johansen - http://www.pcforge.com
> > > > > > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm
> > > > > > Authorized MDaemon Mail Server Reseller
> > > > > > http://www.pcforge.com/AltN.htm
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > > Dennis Fleming
> > > > > > Sent: Wednesday, August 13, 2003 6:38 AM
> > > > > > To: RBASE-L Mailing List
> > > > > > Subject: [RBASE-L] - Re: New Worm
> > > > > >
> > > > > > Thanks Ben,
> > > > > >
> > > > > > Some of my customers have asked if after they have loaded the
> > > > > > Windows patch, and virus updates, and their PC is "OK", if there
> > > > > > could still be any residual damage, time released viruses, etc.
> > > > > >
> > > > > > I said probably not, but once a virus has invaded your PC, you
> > > > > > really don't know.
> > > > > >
> > > > > > Dennis
> > > > > > *****
> > > > > >
> > > > > >
> > > > > > At 12:43 AM 8/13/2003 -0700, you wrote:
> > > > > > >Hi,
> > > > > > >
> > > > > > >>(I'm convinced my ISP wasn't clean.)
> > > > > > > >I don't think this is the case. Upon reading about the worm, you
> > > > > > > >will find out that the worm takes an infected system and starts
> > > > > > > >looking for IP addresses with the ports open and not patched with
> > > > > > > >the MS patch.
> > > > > > > >So it could have been any of the hijacked computers just coming at
> > > > > > > >you over the internet. Now it still could be your ISP, but you
> > > > > > > >would have to look in log files (if on a server) to see.
> > > > > > >
> > > > > > >Workstations can be infected by this also
> > > > > > >
> > > > > > >
> > > > > > >Details of this virus can be found here:
> > > > > > >http://www.viruslist.com/eng/viruslist.html?id=61577
> > > > > > >
> > > > > > >Summary of what it does:
> > > > > > >http://www.kaspersky.com/news.html?id=985139
> > > > > > >
> > > > > > >Ben Johansen - http://www.pcforge.com
> > > > > > >-Authorized WiTango Reseller
> > > > > > > http://www.pcforge.com/WitangoGoodies.htm
> > > > > > >-Authorized Alt-N Reseller
> > > > > > > http://www.pcforge.com/AltN.htm
> > > > > > >
> > > > > > >-----Original Message-----
> > > > > > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > > > > > > >Dennis Fleming
> > > > > > > >Sent: Tuesday, August 12, 2003 6:38 PM
> > > > > > > >To: RBASE-L Mailing List
> > > > > > > >Subject: [RBASE-L] - Re: New Worm
> > > > > > > >
> > > > > > > >
> > > > > > > >For anyone else experiencing the joys of the world of computing...
> > > > > > > >
> > > > > > > >The problem I had was Norton removed W32.Blaster.worm, but then it
> > > > > > > >kept coming back until I finally loaded the Windows XP patch. (I'm
> > > > > > > >convinced my ISP wasn't clean.)
> > > > > > > >
> > > > > > > >The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE
> > > > > > > >
> > > > > > > >My lesson today: It's not enough just keeping your virus
> > > > > > > >definitions up to date. You need to check on the critical Windows
> > > > > > > >updates too.
> > > > > > >
> > > > > > >Dennis
> > > > > > >*****
> > > > > > >
> > > > > > >
> > > > > > >At 12:46 PM 8/1/2003 -0700, you wrote:
> > > > > > > >>I had it on four of my computers here. I do not know how it came
> > > > > > > >>in yet.
> > > > > > > >>
> > > > > > > >>I went to the Symantec website. They have a removal tool for it.
> > > > > > > >>Really easy to remove.
> > > > > > > >>
> > > > > > > >>Dan
> > > > > > > >>
> > > > > > > >>-----Original Message-----
> > > > > > > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > > > > > > >>Dennis Fleming
> > > > > > > >>Sent: Tuesday, August 12, 2003 10:42 AM
> > > > > > > >>To: RBASE-L Mailing List
> > > > > > > >>Subject: [RBASE-L] - Re: New Worm
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>What was the probable source of this worm? (i.e., why didn't my
> > > > > > > >>ISP pick it up?)
> > > > > > > >>
> > > > > > > >>What a pain! I would love to be in a locked room with all the
> > > > > > > >>worms who write worms and viruses for just a day.
> > > > > > >>
> > > > > > >>Thanks for the heads-up,
> > > > > > >>
> > > > > > >>Dennis
> > > > > > >>
> > > > > > >>
> > > > > > >>At 11:00 PM 8/11/2003 -0400, you wrote:
> > > > > > >>>Buddy,
> > > > > > >>>It's called  W32.Blaster.worm
> > > > > > > >>>The symptom is, it will perform a shutdown as soon as you boot
> > > > > > > >>>up; it generously gives you a minute to close any open processes.
> > > > > > > >>>You have to reboot in safe mode with networking to do the
> > > > > > > >>>following.
> > > > > > > >>>
> > > > > > > >>>I got it.  Now it's gone, took me several hours.
> > > > > > > >>>
> > > > > > > >>>If using NAV go to www.sarc.com for instructions.
> > > > > > > >>>Basically do regedit, find msblast.exe and delete it.
> > > > > > > >>>In XP Pro run task mgr and if cmd.exe is running, highlight it
> > > > > > > >>>and click end process.
> > > > > > > >>>
> > > > > > > >>>Before doing all this you should set system restore off, so what
> > > > > > > >>>U R doing doesn't get registered in case you have to roll back.
> > > > > > > >>>Then go to
> > > > > > > >>>http://securityresponse.symantec.com/avcenter/defs.download.html
> > > > > > > >>>This will download the urgent virus defs. The live update is only
> > > > > > > >>>updated each Wednesday; this site has the downloads for viruses
> > > > > > > >>>found immediately.
> > > > > > >>>Good Luck
> > > > > > >>>----- Original Message -----
> > > > > > >>>From: "Walker, Buddy" <[EMAIL PROTECTED]>
> > > > > > >>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
> > > > > > >>>Sent: Monday, August 11, 2003 7:12 PM
> > > > > > >>>Subject: [RBASE-L] - New Worm
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>You may want to take a look at this URL:
> > > > > > >>>http://isc.sans.org/diary.html?date=2003-08-11
> > > > > > >>>
> > > > > > > >>>It's a new RPC worm that is going around.  If one of your client
> > > > > > > >>>machines has it, it may spread it to the server.
> > > > > > >>>
> > > > > > >>>Buddy
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>Dennis Fleming
> > > > > > >>IISCO
> > > > > > >>http://www.TheBestCMMS.com
> > > > > > >>Phone: 570 775-7593
> > > > > > >>Fax:   570 775-9797
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >Dennis Fleming
> > > > > > >IISCO
> > > > > > >http://www.TheBestCMMS.com
> > > > > > >Phone: 570 775-7593
> > > > > > >Fax:   570 775-9797
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > Dennis Fleming
> > > > > > IISCO
> > > > > > http://www.TheBestCMMS.com
> > > > > > Phone: 570 775-7593
> > > > > > Fax:   570 775-9797
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
>
>
