Hey David, I feel your pain about the debate to stay current or not when it comes to windows.
If you stay current, you stay a step ahead of the hackers, but you also get very bleeding edge things sometimes and as a result get a whole slew of new problems. For instance, quite a few people i know have patched their computer against the worm with the newest updates from MS. A significant portion (about 1/3) of the people that did this have various problems with their computers now that didnt exist before (and they werent infected with the virus). So what can you do? Im really not sure... the virus itself says amongst the binary code somewhere something along the lines of "bill gates, why do you let this happen, stop making money and fix your software". Ironic isnt it (or fitting?) that the patches they put out for the virus can cause problems worse than the virus itself. I guess its like iccarus where you want to stay current but you want to see what happens to other people with the latest patches before you get it. fly too high and melt your wings, fly too low and get swallowed in the sea of hackers and viruses! (: ----- Original Message ----- From: "David M. Blocker" <[EMAIL PROTECTED]> To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, August 13, 2003 5:08 PM Subject: [RBASE-L] - Re: New Worm > May I get some clarification here? > > Several months ago there were many many warnings on this site that it was > NOT a good idea to automatically use all the updates Microsoft sent out for > XP computers. This advice was emphatic and came from MANY of you. As a > result I have NOT EVER gone to MS site to get updates. > > NOW I'm hearing - keep current! Get all the updates!! > > Can someone please tell me: > > 1. In plain english, yes or no: the updates are a good idea? Or is it not > that simple? And if not, what to do? > > 2. The specific steps - website address / options on that screen to pick, > steps to follow - to protect against this worm. > > The Norton site on this stinks - it gives highly technical steps to follow > to block the invasion (e.g. "Block these ports") without any specific > directions on how to do it. > > I've yet to see a straightforward, Razzak style > > Step 1 > Step 2 > > etc. description of what to do! > > Any help out there? > > David Blocker > > ----- Original Message ----- > From: "Ben Johansen" <[EMAIL PROTECTED]> > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > Sent: Wednesday, August 13, 2003 2:24 PM > Subject: [RBASE-L] - Re: New Worm > > > > I agree, > > > > MS had a patch out for this worm 3 weeks ago. Just once a week go to > > windows update. > > > > I would do it before August 16th because this worm is set to launch a > > DDOS attack on the windows update site then ;-) > > > > Ben Johansen - http://www.pcforge.com > > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm > > Authorized MDaemon Mail Server Reseller > > http://www.pcforge.com/AltN.htm > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. > > Stephen Wills > > Sent: Wednesday, August 13, 2003 11:09 AM > > To: RBASE-L Mailing List > > Subject: [RBASE-L] - Re: New Worm > > > > As some have said, and I would re-iterate, everyone please apply ALL the > > necessary patches/updates fm Microsoft as it appears, TTBOMK, that > > simply > > removing the offending virus is not (necessarily) a preventive measure. > > That is, a system will still be vulnerable, anti-virus code > > notwithstanding, > > to such attacks if its O/S is not also made current. > > > > My $0.02, > > Steve in Memphis > > > > ----- Original Message ----- > > From: "Ben Johansen" <[EMAIL PROTECTED]> > > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > Sent: Wednesday, August 13, 2003 12:33 PM > > Subject: [RBASE-L] - Re: New Worm > > > > > > > Hi, > > > > > > The people that fight these viruses are like bloodhounds. Once one of > > > the big virus fighting labs catches wind of the virus, all of the > > major > > > players are notified. > > > > > > They go so far as to take a computer reformat it to a generic/standard > > > setup un-infected and then infect it with the one virus and then the > > go > > > in and log all the changes (registry, new files, check sum on existing > > > files) > > > > > > With the number of Eye looking, it is practically impossible for any > > > remnants of the virus or another virus to be left once you have run > > one > > > of the cleaners from the various labs. > > > > > > So, once it is clean, it is Clean > > > > > > Ben Johansen - http://www.pcforge.com > > > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm > > > Authorized MDaemon Mail Server Reseller > > > http://www.pcforge.com/AltN.htm > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis > > > Fleming > > > Sent: Wednesday, August 13, 2003 6:38 AM > > > To: RBASE-L Mailing List > > > Subject: [RBASE-L] - Re: New Worm > > > > > > Thanks Ben, > > > > > > Some of my customers have asked if after they have loaded the Windows > > > patch, and virus updates, and their PC is "OK", if there could still > > be > > > any > > > residual damage, time released viruses, etc. > > > > > > I said probably not, but once a virus has invaded your PC, you really > > > don't > > > know. > > > > > > Dennis > > > ***** > > > > > > > > > At 12:43 AM 8/13/2003 -0700, you wrote: > > > >Hi, > > > > > > > >>(I'm convinced my ISP wasn't clean.) > > > >I don't think this is the case, upon reading about the worm, you will > > > find > > > >out that the worm takes an infected system and starts looking for ip > > > address > > > >with the ports open and not patched with the MS patch. > > > >So it could have been any of the hijacked computers just coming at > > you > > > over > > > >the internet. Now it still could be you ISP but you would have to > > look > > > in > > > >log files (if on a server) to see. > > > > > > > >Workstations can be infected by this also > > > > > > > > > > > >Details of this virus can be found here: > > > >http://www.viruslist.com/eng/viruslist.html?id=61577 > > > > > > > >Summary of what it does: > > > >http://www.kaspersky.com/news.html?id=985139 > > > > > > > >Ben Johansen - http://www.pcforge.com > > > >-Authorized WiTango Reseller > > > > http://www.pcforge.com/WitangoGoodies.htm > > > >-Authorized Alt-N Reseller > > > > http://www.pcforge.com/AltN.htm > > > > > > > >-----Original Message----- > > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis > > > >Fleming > > > >Sent: Tuesday, August 12, 2003 6:38 PM > > > >To: RBASE-L Mailing List > > > >Subject: [RBASE-L] - Re: New Worm > > > > > > > > > > > >For anyone else experiencing the joys of the world of computing... > > > > > > > >The problem I had was Norton removed W32.Blaster.worm, but then it > > kept > > > >coming back until I finally loaded the Windows XP patch. (I'm > > convinced > > > my > > > >ISP wasn't clean.) > > > > > > > >The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE > > > > > > > >My lesson today: It's not enough just keeping your virus definitions > > up > > > to > > > >date. You need to check on the critical Windows updates too. > > > > > > > >Dennis > > > >***** > > > > > > > > > > > >At 12:46 PM 8/1/2003 -0700, you wrote: > > > >>I had it on four of my computers here. I do not know how it came in > > > yet. > > > >> > > > >>I went to the symantec website. They have a removal tool for it. > > > Really > > > >easy > > > >>to remove. > > > >> > > > >>Dan > > > >> > > > >>-----Original Message----- > > > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > > Dennis > > > >>Fleming > > > >>Sent: Tuesday, August 12, 2003 10:42 AM > > > >>To: RBASE-L Mailing List > > > >>Subject: [RBASE-L] - Re: New Worm > > > >> > > > >> > > > >>What was the probable source of this worm? (i.e., why didn't my ISP > > > pick it > > > >>up?) > > > >> > > > >>What a pain! I would love to be in a locked room with all the worms > > > who > > > >>write worms and viruses for just a day. > > > >> > > > >>Thanks for the heads-up, > > > >> > > > >>Dennis > > > >> > > > >> > > > >>At 11:00 PM 8/11/2003 -0400, you wrote: > > > >>>Buddy, > > > >>>It's called W32.Blaster.worm > > > >>>The symptom is, it will perform a shutdown as soon as you boot up, > > it > > > >>>generously gives you a minute to close any open processes. > > > >>>You have to reboot in safe mode with networking to do the > > following. > > > >>> > > > >>>I got it. Now it's gone, took me several hours. > > > >>> > > > >>>If using NAV goto www.sarc.com for instructions > > > >>>Basically do regedit, find msblast.exe and delete it. > > > >>>In XP Pro run task mgr and if cmd.exe is running, highlight it and > > > click > > > >>>end process > > > >>> > > > >>>Before doing all this you should set system restore off, so what U > > R > > > doing > > > >>>doesn't get registered in case you have to roll back. > > > >>>Then go to > > > >http://securityresponse.symantec.com/avcenter/defs.download.html > > > >>>This will download the urgent visrus defs. The live update is only > > > updated > > > >>>each Wednesday, this site has the downloads for virus's found > > > immediately. > > > >>> > > > >>>Good Luck > > > >>>----- Original Message ----- > > > >>>From: "Walker, Buddy" <[EMAIL PROTECTED]> > > > >>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > > >>>Sent: Monday, August 11, 2003 7:12 PM > > > >>>Subject: [RBASE-L] - New Worm > > > >>> > > > >>> > > > >>> > > > >>> > > > >>>You may want to take a look at this URL: > > > >>>http://isc.sans.org/diary.html?date=2003-08-11 > > > >>> > > > >>>It's a new RPC worm that is going around. If one of your client > > > machines > > > >>>has it, it may be spread it to the server. > > > >>> > > > >>>Buddy > > > >>> > > > >>> > > > >>> > > > >>Dennis Fleming > > > >>IISCO > > > >>http://www.TheBestCMMS.com > > > >>Phone: 570 775-7593 > > > >>Fax: 570 775-9797 > > > >> > > > >> > > > >> > > > >Dennis Fleming > > > >IISCO > > > >http://www.TheBestCMMS.com > > > >Phone: 570 775-7593 > > > >Fax: 570 775-9797 > > > > > > > > > > > > > > > Dennis Fleming > > > IISCO > > > http://www.TheBestCMMS.com > > > Phone: 570 775-7593 > > > Fax: 570 775-9797 > > > > > > > > >
