As some have said, and I would re-iterate, everyone please apply ALL the necessary patches/updates fm Microsoft as it appears, TTBOMK, that simply removing the offending virus is not (necessarily) a preventive measure. That is, a system will still be vulnerable, anti-virus code notwithstanding, to such attacks if its O/S is not also made current.
My $0.02, Steve in Memphis ----- Original Message ----- From: "Ben Johansen" <[EMAIL PROTECTED]> To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, August 13, 2003 12:33 PM Subject: [RBASE-L] - Re: New Worm > Hi, > > The people that fight these viruses are like bloodhounds. Once one of > the big virus fighting labs catches wind of the virus, all of the major > players are notified. > > They go so far as to take a computer reformat it to a generic/standard > setup un-infected and then infect it with the one virus and then the go > in and log all the changes (registry, new files, check sum on existing > files) > > With the number of Eye looking, it is practically impossible for any > remnants of the virus or another virus to be left once you have run one > of the cleaners from the various labs. > > So, once it is clean, it is Clean > > Ben Johansen - http://www.pcforge.com > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm > Authorized MDaemon Mail Server Reseller > http://www.pcforge.com/AltN.htm > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis > Fleming > Sent: Wednesday, August 13, 2003 6:38 AM > To: RBASE-L Mailing List > Subject: [RBASE-L] - Re: New Worm > > Thanks Ben, > > Some of my customers have asked if after they have loaded the Windows > patch, and virus updates, and their PC is "OK", if there could still be > any > residual damage, time released viruses, etc. > > I said probably not, but once a virus has invaded your PC, you really > don't > know. > > Dennis > ***** > > > At 12:43 AM 8/13/2003 -0700, you wrote: > >Hi, > > > >>(I'm convinced my ISP wasn't clean.) > >I don't think this is the case, upon reading about the worm, you will > find > >out that the worm takes an infected system and starts looking for ip > address > >with the ports open and not patched with the MS patch. > >So it could have been any of the hijacked computers just coming at you > over > >the internet. Now it still could be you ISP but you would have to look > in > >log files (if on a server) to see. > > > >Workstations can be infected by this also > > > > > >Details of this virus can be found here: > >http://www.viruslist.com/eng/viruslist.html?id=61577 > > > >Summary of what it does: > >http://www.kaspersky.com/news.html?id=985139 > > > >Ben Johansen - http://www.pcforge.com > >-Authorized WiTango Reseller > > http://www.pcforge.com/WitangoGoodies.htm > >-Authorized Alt-N Reseller > > http://www.pcforge.com/AltN.htm > > > >-----Original Message----- > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis > >Fleming > >Sent: Tuesday, August 12, 2003 6:38 PM > >To: RBASE-L Mailing List > >Subject: [RBASE-L] - Re: New Worm > > > > > >For anyone else experiencing the joys of the world of computing... > > > >The problem I had was Norton removed W32.Blaster.worm, but then it kept > >coming back until I finally loaded the Windows XP patch. (I'm convinced > my > >ISP wasn't clean.) > > > >The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE > > > >My lesson today: It's not enough just keeping your virus definitions up > to > >date. You need to check on the critical Windows updates too. > > > >Dennis > >***** > > > > > >At 12:46 PM 8/1/2003 -0700, you wrote: > >>I had it on four of my computers here. I do not know how it came in > yet. > >> > >>I went to the symantec website. They have a removal tool for it. > Really > >easy > >>to remove. > >> > >>Dan > >> > >>-----Original Message----- > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis > >>Fleming > >>Sent: Tuesday, August 12, 2003 10:42 AM > >>To: RBASE-L Mailing List > >>Subject: [RBASE-L] - Re: New Worm > >> > >> > >>What was the probable source of this worm? (i.e., why didn't my ISP > pick it > >>up?) > >> > >>What a pain! I would love to be in a locked room with all the worms > who > >>write worms and viruses for just a day. > >> > >>Thanks for the heads-up, > >> > >>Dennis > >> > >> > >>At 11:00 PM 8/11/2003 -0400, you wrote: > >>>Buddy, > >>>It's called W32.Blaster.worm > >>>The symptom is, it will perform a shutdown as soon as you boot up, it > >>>generously gives you a minute to close any open processes. > >>>You have to reboot in safe mode with networking to do the following. > >>> > >>>I got it. Now it's gone, took me several hours. > >>> > >>>If using NAV goto www.sarc.com for instructions > >>>Basically do regedit, find msblast.exe and delete it. > >>>In XP Pro run task mgr and if cmd.exe is running, highlight it and > click > >>>end process > >>> > >>>Before doing all this you should set system restore off, so what U R > doing > >>>doesn't get registered in case you have to roll back. > >>>Then go to > >http://securityresponse.symantec.com/avcenter/defs.download.html > >>>This will download the urgent visrus defs. The live update is only > updated > >>>each Wednesday, this site has the downloads for virus's found > immediately. > >>> > >>>Good Luck > >>>----- Original Message ----- > >>>From: "Walker, Buddy" <[EMAIL PROTECTED]> > >>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > >>>Sent: Monday, August 11, 2003 7:12 PM > >>>Subject: [RBASE-L] - New Worm > >>> > >>> > >>> > >>> > >>>You may want to take a look at this URL: > >>>http://isc.sans.org/diary.html?date=2003-08-11 > >>> > >>>It's a new RPC worm that is going around. If one of your client > machines > >>>has it, it may be spread it to the server. > >>> > >>>Buddy > >>> > >>> > >>> > >>Dennis Fleming > >>IISCO > >>http://www.TheBestCMMS.com > >>Phone: 570 775-7593 > >>Fax: 570 775-9797 > >> > >> > >> > >Dennis Fleming > >IISCO > >http://www.TheBestCMMS.com > >Phone: 570 775-7593 > >Fax: 570 775-9797 > > > > > > > Dennis Fleming > IISCO > http://www.TheBestCMMS.com > Phone: 570 775-7593 > Fax: 570 775-9797 >
