Hi,

The people that fight these viruses are like bloodhounds. Once one of
the big virus fighting labs catches wind of the virus, all of the major
players are notified. 

They go so far as to take a computer, reformat it to a generic/standard
setup, un-infected, and then infect it with the one virus, and then they go
in and log all the changes (registry, new files, checksum on existing
files).

With the number of eyes looking, it is practically impossible for any
remnants of the virus or another virus to be left once you have run one
of the cleaners from the various labs.

So, once it is clean, it is Clean

Ben Johansen - http://www.pcforge.com
Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm 
Authorized MDaemon Mail Server Reseller
http://www.pcforge.com/AltN.htm
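
The baseline-and-diff procedure described in the message above (log registry changes, new files, and checksums on existing files), as an added example that is not part of the original e-mail thread. The scratch directory contents, the registry export text, and the value names are constructed for illustration, and only single-line .reg values are parsed.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot_files(root):
    """Map each file path (relative to root) to its SHA-256 checksum."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def parse_reg_export(text):
    """Parse .reg-style text into {(key, value_name): data}; single-line values only."""
    state, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            state[(key, name.strip('"'))] = data.strip('"')
    return state

def diff(before, after):
    """Return entries added, removed, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }

# Constructed sample data, not captured from a real infection.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_BEFORE = f'[{RUN_KEY}]\n"ExampleTray"="tray.exe"\n'
REG_AFTER = REG_BEFORE + '"ExampleNewEntry"="msblast.exe"\n'

def demo():
    """Baseline a scratch directory, simulate changes, and diff both views."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "system.dll").write_bytes(b"original contents")
        files_before = snapshot_files(root)
        Path(root, "system.dll").write_bytes(b"patched contents")   # existing file modified
        Path(root, "msblast.exe").write_bytes(b"placeholder bytes")  # new file appears
        files_after = snapshot_files(root)
    reg = diff(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER))
    return diff(files_before, files_after), reg

if __name__ == "__main__":
    print(demo())
```
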


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Fleming
Sent: Wednesday, August 13, 2003 6:38 AM
To: RBASE-L Mailing List
Subject: [RBASE-L] - Re: New Worm

Thanks Ben,

Some of my customers have asked if after they have loaded the Windows
patch, and virus updates, and their PC is "OK", if there could still be
any residual damage, time released viruses, etc.

I said probably not, but once a virus has invaded your PC, you really
don't know.

Dennis
*****


At 12:43 AM 8/13/2003 -0700, you wrote:
>Hi,
>
>>(I'm convinced my ISP wasn't clean.)
>I don't think this is the case, upon reading about the worm, you will find
>out that the worm takes an infected system and starts looking for IP addresses
>with the ports open and not patched with the MS patch.
>So it could have been any of the hijacked computers just coming at you over
>the internet. Now it still could be your ISP but you would have to look in
>log files (if on a server) to see.
>
>Workstations can be infected by this also
>
>
>Details of this virus can be found here:
>http://www.viruslist.com/eng/viruslist.html?id=61577
>
>Summary of what it does:
>http://www.kaspersky.com/news.html?id=985139
>
>Ben Johansen - http://www.pcforge.com
>-Authorized WiTango Reseller
> http://www.pcforge.com/WitangoGoodies.htm
>-Authorized Alt-N Reseller
> http://www.pcforge.com/AltN.htm
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis
>Fleming
>Sent: Tuesday, August 12, 2003 6:38 PM
>To: RBASE-L Mailing List
>Subject: [RBASE-L] - Re: New Worm
>
>
>For anyone else experiencing the joys of the world of computing...
>
>The problem I had was Norton removed W32.Blaster.worm, but then it kept
>coming back until I finally loaded the Windows XP patch. (I'm convinced my
>ISP wasn't clean.)
>
>The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE
>
>My lesson today: It's not enough just keeping your virus definitions up to
>date. You need to check on the critical Windows updates too.
>
>Dennis
>*****
>
>
>At 12:46 PM 8/1/2003 -0700, you wrote:
>>I had it on four of my computers here. I do not know how it came in yet.
>>
>>I went to the Symantec website. They have a removal tool for it. Really easy
>>to remove.
>>
>>Dan
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis
>>Fleming
>>Sent: Tuesday, August 12, 2003 10:42 AM
>>To: RBASE-L Mailing List
>>Subject: [RBASE-L] - Re: New Worm
>>
>>
>>What was the probable source of this worm? (i.e., why didn't my ISP pick it
>>up?)
>>
>>What a pain! I would love to be in a locked room with all the worms who
>>write worms and viruses for just a day.
>>
>>Thanks for the heads-up,
>>
>>Dennis
>>
>>
>>At 11:00 PM 8/11/2003 -0400, you wrote:
>>>Buddy,
>>>It's called  W32.Blaster.worm
>>>The symptom is, it will perform a shutdown as soon as you boot up, it
>>>generously gives you a minute to close any open processes.
>>>You have to reboot in safe mode with networking to do the following.
>>>
>>>I got it.  Now it's gone, took me several hours.
>>>
>>>If using NAV go to www.sarc.com for instructions
>>>Basically do regedit, find msblast.exe and delete it.
>>>In XP Pro run task mgr and if cmd.exe is running, highlight it and click
>>>end process
>>>
>>>Before doing all this you should set system restore off, so what U R doing
>>>doesn't get registered in case you have to roll back.
>>>Then go to
>>>http://securityresponse.symantec.com/avcenter/defs.download.html
>>>This will download the urgent virus defs. The live update is only updated
>>>each Wednesday, this site has the downloads for viruses found immediately.
>>>
>>>Good Luck
>>>----- Original Message -----
>>>From: "Walker, Buddy" <[EMAIL PROTECTED]>
>>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
>>>Sent: Monday, August 11, 2003 7:12 PM
>>>Subject: [RBASE-L] - New Worm
>>>
>>>
>>>
>>>
>>>You may want to take a look at this URL:
>>>http://isc.sans.org/diary.html?date=2003-08-11
>>>
>>>It's a new RPC worm that is going around.  If one of your client machines
>>>has it, it may spread it to the server.
>>>
>>>Buddy
>>>
>>>
>>>
>>Dennis Fleming
>>IISCO
>>http://www.TheBestCMMS.com
>>Phone: 570 775-7593
>>Fax:   570 775-9797
>>
>>
>>
>Dennis Fleming
>IISCO
>http://www.TheBestCMMS.com
>Phone: 570 775-7593
>Fax:   570 775-9797
>
>
>
Dennis Fleming
IISCO
http://www.TheBestCMMS.com
Phone: 570 775-7593
Fax:   570 775-9797
