Thank you Claudine!! David
----- Original Message ----- From: "Claudine Robbins" <[EMAIL PROTECTED]> To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, August 13, 2003 10:24 PM Subject: [RBASE-L] - Re: New Worm > David, > > I manually check for updates every week or so on all servers and > workstations. > > Start/Windows Update on WIN98SE and WIN2K > Launch Internet Explorer/tools/windows update on WINNT > > Once on the MS website, it's Product Updates and download critical > updates. Most updates require a restart. > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David M. > Blocker > Sent: Wednesday, August 13, 2003 8:35 PM > To: RBASE-L Mailing List > Subject: [RBASE-L] - Re: New Worm > > Thank you Jeff > > Can you give more detailed directions? > > Web site? > Option to select? > > David > > ----- Original Message ----- > From: "Jeff Ward" <[EMAIL PROTECTED]> > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > Sent: Wednesday, August 13, 2003 8:41 PM > Subject: [RBASE-L] - Re: New Worm > > > > David, > > > > I always download the security update patches. > > > > Jeff > > > > > > >Thanks Atrix > > > > > >Well, I guess there is no straight answer, huh? > > > > > >Any body else care to kick in with any specific steps they can > recommend? > > > > > >David Blocker > > > > > >----- Original Message ----- > > >From: "Atrix Wolfe" <[EMAIL PROTECTED]> > > >To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > >Sent: Wednesday, August 13, 2003 8:19 PM > > >Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > Hey David, > > > > > > > > I feel your pain about the debate to stay current or not when it > comes > to > > > > windows. > > > > > > > > If you stay current, you stay a step ahead of the hackers, but you > also > > >get > > > > very bleeding edge things sometimes and as a result get a whole > slew > of > > >new > > > > problems. > > > > > > > > For instance, quite a few people i know have patched their > computer > > >against > > > > the worm with the newest updates from MS. > > > > > > > > A significant portion (about 1/3) of the people that did this have > various > > > > problems with their computers now that didnt exist before (and > they > werent > > > > infected with the virus). > > > > > > > > So what can you do? Im really not sure... > > > > > > > > the virus itself says amongst the binary code somewhere something > along > > >the > > > > lines of "bill gates, why do you let this happen, stop making > money > and > > >fix > > > > your software". > > > > > > > > Ironic isnt it (or fitting?) that the patches they put out for the > virus > > >can > > > > cause problems worse than the virus itself. > > > > > > > > I guess its like iccarus where you want to stay current but you > want > to > > >see > > > > what happens to other people with the latest patches before you > get > it. > > >fly > > > > too high and melt your wings, fly too low and get swallowed in the > sea > of > > > > hackers and viruses! (: > > > > > > > > ----- Original Message ----- > > > > From: "David M. Blocker" <[EMAIL PROTECTED]> > > > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > > > Sent: Wednesday, August 13, 2003 5:08 PM > > > > Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > > May I get some clarification here? > > > > > > > > > > Several months ago there were many many warnings on this site > that > it > > >was > > > > > NOT a good idea to automatically use all the updates Microsoft > sent > out > > > > for > > > > > XP computers. This advice was emphatic and came from MANY of > you. > As a > > > > > result I have NOT EVER gone to MS site to get updates. > > > > > > > > > > NOW I'm hearing - keep current! Get all the updates!! > > > > > > > > > > Can someone please tell me: > > > > > > > > > > 1. In plain english, yes or no: the updates are a good idea? Or > is > it > > >not > > > > > that simple? And if not, what to do? > > > > > > > > > > 2. The specific steps - website address / options on that > screen to > > >pick, > > > > > steps to follow - to protect against this worm. > > > > > > > > > > The Norton site on this stinks - it gives highly technical steps > to > > >follow > > > > > to block the invasion (e.g. "Block these ports") without any > specific > > > > > directions on how to do it. > > > > > > > > > > I've yet to see a straightforward, Razzak style > > > > > > > > > > Step 1 > > > > > Step 2 > > > > > > > > > > etc. description of what to do! > > > > > > > > > > Any help out there? > > > > > > > > > > David Blocker > > > > > > > > > > ----- Original Message ----- > > > > > From: "Ben Johansen" <[EMAIL PROTECTED]> > > > > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > > > > Sent: Wednesday, August 13, 2003 2:24 PM > > > > > Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > > > > > I agree, > > > > > > > > > > > > MS had a patch out for this worm 3 weeks ago. Just once a week > go > to > > > > > > windows update. > > > > > > > > > > > > I would do it before August 16th because this worm is set to > launch a > > > > > > DDOS attack on the windows update site then ;-) > > > > > > > > > > > > Ben Johansen - http://www.pcforge.com > > > > > > Authorized Witango Reseller > http://www.pcforge.com/WitangoGoodies.htm > > > > > > Authorized MDaemon Mail Server Reseller > > > > > > http://www.pcforge.com/AltN.htm > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of J. > > > > > > Stephen Wills > > > > > > Sent: Wednesday, August 13, 2003 11:09 AM > > > > > > To: RBASE-L Mailing List > > > > > > Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > As some have said, and I would re-iterate, everyone please > apply > ALL > > >the > > > > > > necessary patches/updates fm Microsoft as it appears, TTBOMK, > that > > > > > > simply > > > > > > removing the offending virus is not (necessarily) a preventive > > >measure. > > > > > > That is, a system will still be vulnerable, anti-virus code > > > > > > notwithstanding, > > > > > > to such attacks if its O/S is not also made current. > > > > > > > > > > > > My $0.02, > > > > > > Steve in Memphis > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Ben Johansen" <[EMAIL PROTECTED]> > > > > > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > > > > > Sent: Wednesday, August 13, 2003 12:33 PM > > > > > > Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > The people that fight these viruses are like bloodhounds. > Once > one > > >of > > > > > > > the big virus fighting labs catches wind of the virus, all > of > the > > > > > > major > > > > > > > players are notified. > > > > > > > > > > > > > > They go so far as to take a computer reformat it to a > > >generic/standard > > > > > > > setup un-infected and then infect it with the one virus and > then > the > > > > > > go > > > > > > > in and log all the changes (registry, new files, check sum > on > > >existing > > > > > > > files) > > > > > > > > > > > > > > With the number of Eye looking, it is practically impossible > for > any > > > > > > > remnants of the virus or another virus to be left once you > have > run > > > > > > one > > > > > > > of the cleaners from the various labs. > > > > > > > > > > > > > > So, once it is clean, it is Clean > > > > > > > > > > > > > > Ben Johansen - http://www.pcforge.com > > > > > > > Authorized Witango Reseller > > >http://www.pcforge.com/WitangoGoodies.htm > > > > > > > Authorized MDaemon Mail Server Reseller > > > > > > > http://www.pcforge.com/AltN.htm > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of > > >Dennis > > > > > > > Fleming > > > > > > > Sent: Wednesday, August 13, 2003 6:38 AM > > > > > > > To: RBASE-L Mailing List > > > > > > > Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > > > Thanks Ben, > > > > > > > > > > > > > > Some of my customers have asked if after they have loaded > the > > >Windows > > > > > > > patch, and virus updates, and their PC is "OK", if there > could > still > > > > > > be > > > > > > > any > > > > > > > residual damage, time released viruses, etc. > > > > > > > > > > > > > > I said probably not, but once a virus has invaded your PC, > you > > >really > > > > > > > don't > > > > > > > know. > > > > > > > > > > > > > > Dennis > > > > > > > ***** > > > > > > > > > > > > > > > > > > > > > At 12:43 AM 8/13/2003 -0700, you wrote: > > > > > > > >Hi, > > > > > > > > > > > > > > > >>(I'm convinced my ISP wasn't clean.) > > > > > > > >I don't think this is the case, upon reading about the > worm, > you > > >will > > > > > > > find > > > > > > > >out that the worm takes an infected system and starts > looking > for > > >ip > > > > > > > address > > > > > > > >with the ports open and not patched with the MS patch. > > > > > > > >So it could have been any of the hijacked computers just > coming > at > > > > > > you > > > > > > > over > > > > > > > >the internet. Now it still could be you ISP but you would > have > to > > > > > > look > > > > > > > in > > > > > > > >log files (if on a server) to see. > > > > > > > > > > > > > > > >Workstations can be infected by this also > > > > > > > > > > > > > > > > > > > > > > > >Details of this virus can be found here: > > > > > > > >http://www.viruslist.com/eng/viruslist.html?id=61577 > > > > > > > > > > > > > > > >Summary of what it does: > > > > > > > >http://www.kaspersky.com/news.html?id=985139 > > > > > > > > > > > > > > > >Ben Johansen - http://www.pcforge.com > > > > > > > >-Authorized WiTango Reseller > > > > > > > > http://www.pcforge.com/WitangoGoodies.htm > > > > > > > >-Authorized Alt-N Reseller > > > > > > > > http://www.pcforge.com/AltN.htm > > > > > > > > > > > > > > > >-----Original Message----- > > > > > > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf > Of > > >Dennis > > > > > > > >Fleming > > > > > > > >Sent: Tuesday, August 12, 2003 6:38 PM > > > > > > > >To: RBASE-L Mailing List > > > > > > > >Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > > > > > > > > > > > > > >For anyone else experiencing the joys of the world of > computing... > > > > > > > > > > > > > > > >The problem I had was Norton removed W32.Blaster.worm, but > then > it > > > > > > kept > > > > > > > >coming back until I finally loaded the Windows XP patch. > (I'm > > > > > > convinced > > > > > > > my > > > > > > > >ISP wasn't clean.) > > > > > > > > > > > > > > > >The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE > > > > > > > > > > > > > > > >My lesson today: It's not enough just keeping your virus > > >definitions > > > > > > up > > > > > > > to > > > > > > > >date. You need to check on the critical Windows updates > too. > > > > > > > > > > > > > > > >Dennis > > > > > > > >***** > > > > > > > > > > > > > > > > > > > > > > > >At 12:46 PM 8/1/2003 -0700, you wrote: > > > > > > > >>I had it on four of my computers here. I do not know how > it > came > > >in > > > > > > > yet. > > > > > > > >> > > > > > > > >>I went to the symantec website. They have a removal tool > for > it. > > > > > > > Really > > > > > > > >easy > > > > > > > >>to remove. > > > > > > > >> > > > > > > > >>Dan > > > > > > > >> > > > > > > > >>-----Original Message----- > > > > > > > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Behalf Of > > > > > > Dennis > > > > > > > >>Fleming > > > > > > > >>Sent: Tuesday, August 12, 2003 10:42 AM > > > > > > > >>To: RBASE-L Mailing List > > > > > > > >>Subject: [RBASE-L] - Re: New Worm > > > > > > > >> > > > > > > > >> > > > > > > > >>What was the probable source of this worm? (i.e., why > didn't > my > > >ISP > > > > > > > pick it > > > > > > > >>up?) > > > > > > > >> > > > > > > > >>What a pain! I would love to be in a locked room with all > the > > >worms > > > > > > > who > > > > > > > >>write worms and viruses for just a day. > > > > > > > >> > > > > > > > >>Thanks for the heads-up, > > > > > > > >> > > > > > > > >>Dennis > > > > > > > >> > > > > > > > >> > > > > > > > >>At 11:00 PM 8/11/2003 -0400, you wrote: > > > > > > > >>>Buddy, > > > > > > > >>>It's called W32.Blaster.worm > > > > > > > >>>The symptom is, it will perform a shutdown as soon as you > boot > > >up, > > > > > > it > > > > > > > >>>generously gives you a minute to close any open > processes. > > > > > > > >>>You have to reboot in safe mode with networking to do the > > > > > > following. > > > > > > > >>> > > > > > > > >>>I got it. Now it's gone, took me several hours. > > > > > > > >>> > > > > > > > >>>If using NAV goto www.sarc.com for instructions > > > > > > > >>>Basically do regedit, find msblast.exe and delete it. > > > > > > > >>>In XP Pro run task mgr and if cmd.exe is running, > highlight > it > > >and > > > > > > > click > > > > > > > >>>end process > > > > > > > >>> > > > > > > > >>>Before doing all this you should set system restore off, > so > what > > >U > > > > > > R > > > > > > > doing > > > > > > > >>>doesn't get registered in case you have to roll back. > > > > > > > >>>Then go to > > > > > > > > >http://securityresponse.symantec.com/avcenter/defs.download.html > > > > > > > >>>This will download the urgent visrus defs. The live > update is > > >only > > > > > > > updated > > > > > > > >>>each Wednesday, this site has the downloads for virus's > found > > > > > > > immediately. > > > > > > > >>> > > > > > > > >>>Good Luck > > > > > > > >>>----- Original Message ----- > > > > > > > >>>From: "Walker, Buddy" <[EMAIL PROTECTED]> > > > > > > > >>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > > > > > > >>>Sent: Monday, August 11, 2003 7:12 PM > > > > > > > >>>Subject: [RBASE-L] - New Worm > > > > > > > >>> > > > > > > > >>> > > > > > > > >>> > > > > > > > >>> > > > > > > > >>>You may want to take a look at this URL: > > > > > > > >>>http://isc.sans.org/diary.html?date=2003-08-11 > > > > > > > >>> > > > > > > > >>>It's a new RPC worm that is going around. If one of your > client > > > > > > > machines > > > > > > > >>>has it, it may be spread it to the server. > > > > > > > >>> > > > > > > > >>>Buddy > > > > > > > >>> > > > > > > > >>> > > > > > > > >>> > > > > > > > >>Dennis Fleming > > > > > > > >>IISCO > > > > > > > >>http://www.TheBestCMMS.com > > > > > > > >>Phone: 570 775-7593 > > > > > > > >>Fax: 570 775-9797 > > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > > > > >Dennis Fleming > > > > > > > >IISCO > > > > > > > >http://www.TheBestCMMS.com > > > > > > > >Phone: 570 775-7593 > > > > > > > >Fax: 570 775-9797 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Dennis Fleming > > > > > > > IISCO > > > > > > > http://www.TheBestCMMS.com > > > > > > > Phone: 570 775-7593 > > > > > > > Fax: 570 775-9797 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
