Hi, >(I'm convinced my ISP wasn't clean.) I don't think this is the case, upon reading about the worm, you will find out that the worm takes an infected system and starts looking for ip address with the ports open and not patched with the MS patch. So it could have been any of the hijacked computers just coming at you over the internet. Now it still could be you ISP but you would have to look in log files (if on a server) to see.
Workstations can be infected by this also Details of this virus can be found here: http://www.viruslist.com/eng/viruslist.html?id=61577 Summary of what it does: http://www.kaspersky.com/news.html?id=985139 Ben Johansen - http://www.pcforge.com -Authorized WiTango Reseller http://www.pcforge.com/WitangoGoodies.htm -Authorized Alt-N Reseller http://www.pcforge.com/AltN.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis Fleming Sent: Tuesday, August 12, 2003 6:38 PM To: RBASE-L Mailing List Subject: [RBASE-L] - Re: New Worm For anyone else experiencing the joys of the world of computing... The problem I had was Norton removed W32.Blaster.worm, but then it kept coming back until I finally loaded the Windows XP patch. (I'm convinced my ISP wasn't clean.) The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE My lesson today: It's not enough just keeping your virus definitions up to date. You need to check on the critical Windows updates too. Dennis ***** At 12:46 PM 8/1/2003 -0700, you wrote: >I had it on four of my computers here. I do not know how it came in yet. > >I went to the symantec website. They have a removal tool for it. Really easy >to remove. > >Dan > >-----Original Message----- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis >Fleming >Sent: Tuesday, August 12, 2003 10:42 AM >To: RBASE-L Mailing List >Subject: [RBASE-L] - Re: New Worm > > >What was the probable source of this worm? (i.e., why didn't my ISP pick it >up?) > >What a pain! I would love to be in a locked room with all the worms who >write worms and viruses for just a day. > >Thanks for the heads-up, > >Dennis > > >At 11:00 PM 8/11/2003 -0400, you wrote: >>Buddy, >>It's called W32.Blaster.worm >>The symptom is, it will perform a shutdown as soon as you boot up, it >>generously gives you a minute to close any open processes. >>You have to reboot in safe mode with networking to do the following. >> >>I got it. Now it's gone, took me several hours. >> >>If using NAV goto www.sarc.com for instructions >>Basically do regedit, find msblast.exe and delete it. >>In XP Pro run task mgr and if cmd.exe is running, highlight it and click >>end process >> >>Before doing all this you should set system restore off, so what U R doing >>doesn't get registered in case you have to roll back. >>Then go to http://securityresponse.symantec.com/avcenter/defs.download.html >>This will download the urgent visrus defs. The live update is only updated >>each Wednesday, this site has the downloads for virus's found immediately. >> >>Good Luck >>----- Original Message ----- >>From: "Walker, Buddy" <[EMAIL PROTECTED]> >>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> >>Sent: Monday, August 11, 2003 7:12 PM >>Subject: [RBASE-L] - New Worm >> >> >> >> >>You may want to take a look at this URL: >>http://isc.sans.org/diary.html?date=2003-08-11 >> >>It's a new RPC worm that is going around. If one of your client machines >>has it, it may be spread it to the server. >> >>Buddy >> >> >> >Dennis Fleming >IISCO >http://www.TheBestCMMS.com >Phone: 570 775-7593 >Fax: 570 775-9797 > > > Dennis Fleming IISCO http://www.TheBestCMMS.com Phone: 570 775-7593 Fax: 570 775-9797
