[RBASE-L] - Re: New Worm

[Eric Peterson]

How about the Microsoft Security Bulletin list?  If you were on that list, you’d have known about this exploit and patch a month ago.     Eric Peterson IT Manager QMI Security Solutions   -----Original Message----- From: Gunnar Ekblad [mailto:[EMAIL PROTECTED] Sent: Thursday, August 14, 2003 11:08 AM To: RBASE-L Mailing List Subject: [RBASE-L] - Re: New Worm   Eric Can I add! I know of no better list. These lists have helped me many times. It might be true that some of us dont know everything about everything. But all together we know a whole lot and that is just the point, we help each other according to our best knowledge! So I will keep listing to the list and use my own judgment what to follow and what not to follow!   Gunnar Ekblad   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Peterson Sent: den 14 augusti 2003 02:42 To: RBASE-L Mailing List Subject: [RBASE-L] - Re: New Worm   Here you go, in plain English.  Don't listen to the people on this list. 98% of the people here aren't true admins and wouldn't be able to tell you what a hard drive looks like (and it's not that big box with the word Dell on it).  98% of the people on this list also think that Microsoft is the reason they get diarrhea.  What you need to do is pay attention to updates that are released and be aware of what they're for. Don't blindly install things, but at the same time, stay current.   Microsoft has more programmers on staff than you could possibly imagine. Their updates are thought out and tested.  Sometimes mistakes are made. I'd rather install an update and have a reason to call them and complain, than not install an update and have no recourse when I'm the victim of an exploit.  STAY CURRENT ON UPDATES.  People who tell you about problems after an update most likely have something unique or wrong with their system, but yes it is true, *sometimes* an error is made and an update *could* cause a problem.    All your Rbase are belong to MS.   Eric Peterson IT Manager QMI Security Solutions     -----Original Message----- From: David M. Blocker [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 7:09 PM To: RBASE-L Mailing List Subject: [RBASE-L] - Re: New Worm   May I get some clarification here?   Several months ago there were many  many warnings on this site that it was NOT a good idea to automatically use all the updates Microsoft sent out for XP computers. This advice was emphatic and came from MANY of you.  As a result I have NOT EVER gone to MS site to get updates.   NOW I'm hearing - keep current! Get all the updates!!   Can someone please tell me:   1. In plain english, yes or no: the updates are a good idea? Or is it not that simple? And if not, what to do?   2.  The specific steps - website address / options on that screen to pick, steps to follow - to protect against this worm.   The Norton site on this stinks - it gives highly technical steps to follow to block the invasion (e.g. "Block these ports") without any specific directions on how to do it.   I've yet to see a straightforward, Razzak style   Step 1 Step 2   etc. description of what to do!   Any help out there?   David Blocker   ----- Original Message ----- From: "Ben Johansen" <[EMAIL PROTECTED]> To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> Sent: Wednesday, August 13, 2003 2:24 PM Subject: [RBASE-L] - Re: New Worm     > I agree, > > MS had a patch out for this worm 3 weeks ago. Just once a week go to > windows update. > > I would do it before August 16th because this worm is set to launch a > DDOS attack on the windows update site then ;-) > > Ben Johansen - http://www.pcforge.com > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm > Authorized MDaemon Mail Server Reseller > http://www.pcforge.com/AltN.htm > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. > Stephen Wills > Sent: Wednesday, August 13, 2003 11:09 AM > To: RBASE-L Mailing List > Subject: [RBASE-L] - Re: New Worm > > As some have said, and I would re-iterate, everyone please apply ALL the > necessary patches/updates fm Microsoft as it appears, TTBOMK, that > simply > removing the offending virus is not (necessarily) a preventive measure. > That is, a system will still be vulnerable, anti-virus code > notwithstanding, > to such attacks if its O/S is not also made current. > > My $0.02, > Steve in Memphis > > ----- Original Message ----- > From: "Ben Johansen" <[EMAIL PROTECTED]> > To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > Sent: Wednesday, August 13, 2003 12:33 PM > Subject: [RBASE-L] - Re: New Worm > > > > Hi, > > > > The people that fight these viruses are like bloodhounds. Once one of > > the big virus fighting labs catches wind of the virus, all of the > major > > players are notified. > > > > They go so far as to take a computer reformat it to a generic/standard > > setup un-infected and then infect it with the one virus and then the > go > > in and log all the changes (registry, new files, check sum on existing > > files) > > > > With the number of Eye looking, it is practically impossible for any > > remnants of the virus or another virus to be left once you have run > one > > of the cleaners from the various labs. > > > > So, once it is clean, it is Clean > > > > Ben Johansen - http://www.pcforge.com > > Authorized Witango Reseller http://www.pcforge.com/WitangoGoodies.htm > > Authorized MDaemon Mail Server Reseller > > http://www.pcforge.com/AltN.htm > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis > > Fleming > > Sent: Wednesday, August 13, 2003 6:38 AM > > To: RBASE-L Mailing List > > Subject: [RBASE-L] - Re: New Worm > > > > Thanks Ben, > > > > Some of my customers have asked if after they have loaded the Windows > > patch, and virus updates, and their PC is "OK", if there could still > be > > any > > residual damage, time released viruses, etc. > > > > I said probably not, but once a virus has invaded your PC, you really > > don't > > know. > > > > Dennis > > ***** > > > > > > At 12:43 AM 8/13/2003 -0700, you wrote: > > >Hi, > > > > > >>(I'm convinced my ISP wasn't clean.) > > >I don't think this is the case, upon reading about the worm, you will > > find > > >out that the worm takes an infected system and starts looking for ip > > address > > >with the ports open and not patched with the MS patch. > > >So it could have been any of the hijacked computers just coming at > you > > over > > >the internet. Now it still could be you ISP but you would have to > look > > in > > >log files (if on a server) to see. > > > > > >Workstations can be infected by this also > > > > > > > > >Details of this virus can be found here: > > >http://www.viruslist.com/eng/viruslist.html?id=61577 > > > > > >Summary of what it does: > > >http://www.kaspersky.com/news.html?id=985139 > > > > > >Ben Johansen - http://www.pcforge.com > > >-Authorized WiTango Reseller > > > http://www.pcforge.com/WitangoGoodies.htm > > >-Authorized Alt-N Reseller > > > http://www.pcforge.com/AltN.htm > > > > > >-----Original Message----- > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dennis > > >Fleming > > >Sent: Tuesday, August 12, 2003 6:38 PM > > >To: RBASE-L Mailing List > > >Subject: [RBASE-L] - Re: New Worm > > > > > > > > >For anyone else experiencing the joys of the world of computing... > > > > > >The problem I had was Norton removed W32.Blaster.worm, but then it > kept > > >coming back until I finally loaded the Windows XP patch. (I'm > convinced > > my > > >ISP wasn't clean.) > > > > > >The MS download for XP is: WindowsXP-KB823980-x86-ENU.EXE > > > > > >My lesson today: It's not enough just keeping your virus definitions > up > > to > > >date. You need to check on the critical Windows updates too. > > > > > >Dennis > > >***** > > > > > > > > >At 12:46 PM 8/1/2003 -0700, you wrote: > > >>I had it on four of my computers here. I do not know how it came in > > yet. > > >> > > >>I went to the symantec website. They have a removal tool for it. > > Really > > >easy > > >>to remove. > > >> > > >>Dan > > >> > > >>-----Original Message----- > > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Dennis > > >>Fleming > > >>Sent: Tuesday, August 12, 2003 10:42 AM > > >>To: RBASE-L Mailing List > > >>Subject: [RBASE-L] - Re: New Worm > > >> > > >> > > >>What was the probable source of this worm? (i.e., why didn't my ISP > > pick it > > >>up?) > > >> > > >>What a pain! I would love to be in a locked room with all the worms > > who > > >>write worms and viruses for just a day. > > >> > > >>Thanks for the heads-up, > > >> > > >>Dennis > > >> > > >> > > >>At 11:00 PM 8/11/2003 -0400, you wrote: > > >>>Buddy, > > >>>It's called  W32.Blaster.worm > > >>>The symptom is, it will perform a shutdown as soon as you boot up, > it > > >>>generously gives you a minute to close any open processes. > > >>>You have to reboot in safe mode with networking to do the > following. > > >>> > > >>>I got it.  Now it's gone, took me several hours. > > >>> > > >>>If using NAV goto www.sarc.com for instructions > > >>>Basically do regedit, find msblast.exe and delete it. > > >>>In XP Pro run task mgr and if  cmd.exe is running, highlight it and > > click > > >>>end process > > >>> > > >>>Before doing all this you should set system restore off, so what U > R > > doing > > >>>doesn't get registered in case you have to roll back. > > >>>Then go to > > >http://securityresponse.symantec.com/avcenter/defs.download.html > > >>>This will download the urgent visrus defs. The live update is only > > updated > > >>>each Wednesday, this site has the downloads for virus's found > > immediately. > > >>> > > >>>Good Luck > > >>>----- Original Message ----- > > >>>From: "Walker, Buddy" <[EMAIL PROTECTED]> > > >>>To: "RBASE-L Mailing List" <[EMAIL PROTECTED]> > > >>>Sent: Monday, August 11, 2003 7:12 PM > > >>>Subject: [RBASE-L] - New Worm > > >>> > > >>> > > >>> > > >>> > > >>>You may want to take a look at this URL: > > >>>http://isc.sans.org/diary.html?date=2003-08-11 > > >>> > > >>>It's a new RPC worm that is going around.  If one of your client > > machines > > >>>has it, it may be spread it to the server. > > >>> > > >>>Buddy > > >>> > > >>> > > >>> > > >>Dennis Fleming > > >>IISCO > > >>http://www.TheBestCMMS.com > > >>Phone: 570 775-7593 > > >>Fax:   570 775-9797 > > >> > > >> > > >> > > >Dennis Fleming > > >IISCO > > >http://www.TheBestCMMS.com > > >Phone: 570 775-7593 > > >Fax:   570 775-9797 > > > > > > > > > > > Dennis Fleming > > IISCO > > http://www.TheBestCMMS.com > > Phone: 570 775-7593 > > Fax:   570 775-9797 > > > >