Thank you Nicky - very detailed!

David Blocker
----- Original Message -----
From: "Nicky Avery" <[EMAIL PROTECTED]>
To: "RBASE-L Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 11:23 PM
Subject: [RBASE-L] - Re: New Worm

> David M. Blocker wrote:
>
> >The Norton site on this stinks - it gives highly technical steps to follow
> >to block the invasion (e.g. "Block these ports") without any specific
> >directions on how to do it.
>
> David,
>
> This is from CERT, a federally-funded organization attached to CMU -
> your tax dollars at work! It's a bit clearer than SARC's offering, I think.
>
> > W32/Blaster Recovery Tips
> >
> > (Accompanying CERT advisory CA-2003-20
> > <http://www.cert.org/advisories/CA-2003-20.html>)
> >
> > Steps to recover from W32/Blaster
> >
> > These instructions are designed for Windows XP. Under some
> > circumstances, these instructions may not completely disable the worm
> > or protect the system from re-infection. See Notes
> > <http://www.cert.org/tech_tips/w32_blaster.html#notes>.
> >
> > 1. Physically disconnect the machine from the network (remove
> >    phone/network cable, wireless card).
> > 2. Kill the "msblast.exe" process using Task Manager.
> >    1. Press Ctrl-Alt-Delete key combination
> >    2. Click "Task Manager" button
> >    3. Select "Processes" tab
> >    4. Highlight "msblast.exe"
> >    5. Click "End Process" button, answer "Yes" to warning dialog
> > 3. Delete any files named "msblast.exe" on the machine.
> >    1. Start -> Search -> Find Files or Folders
> >    2. Search for "msblast.exe"
> >    3. Right-click each file and delete it
> > 4. (Optional) Disable DCOM
> >    From MS03-026
> >    <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>:
> >
> >    1. Run Dcomcnfg.exe.
> >       If you are running Windows XP or Windows Server 2003
> >       perform these additional steps:
> >       * Click on the Component Services node under Console Root.
> >       * Open the Computers sub-folder.
> >       * For the local computer, right click on My Computer
> >         and choose Properties.
> >       * For a remote computer, right click on the Computers
> >         folder and choose New then Computer. Enter the
> >         computer name. Right click on that computer name and
> >         choose Properties.
> >    2. Choose the Default Properties tab.
> >    3. Select (or clear) the Enable Distributed COM on this
> >       Computer check box.
> >    4. If you will be setting more properties for the machine,
> >       click the Apply button to enable (or disable) DCOM.
> >       Otherwise, click OK to apply the changes and exit
> >       Dcomcnfg.exe.
>
> The rest below refers to the built-in XP firewall. If you already have a
> hardware firewall (and you should), the ports described should normally
> be closed anyway and a hardware firewall in your gateway/router plus a
> software firewall on your PC should normally suffice. If you're not
> running XP, ZoneAlarm, downloadable at http://www.zonelabs.com as
> freeware (look hard) and a regular product, enables you to monitor apps
> trying to call home on the internet and send e-mail as well as scan
> e-mail for viruses/scripts.
>
> > 1.
> >
> > 2. Enable Internet Connection Firewall (ICF)
> >    From Microsoft Knowledge Base Article 283673
> >    <http://support.microsoft.com/default.aspx?scid=kb;en-us;283673>:
> >    1. In Control Panel, double-click Networking and Internet
> >       Connections, and then click Network Connections.
> >    2. Right-click the connection on which you would like to
> >       enable ICF, and then click Properties.
> >    3. On the Advanced tab, click the box to select the option to
> >       Protect my computer or network.
> >    4. If you want to enable the use of some applications and
> >       services through the firewall, you need to enable them by
> >       clicking the Settings button, and then selecting the
> >       programs, protocols, and services to be enabled for the
> >       ICF configuration
> > 3. Reboot the machine and reconnect to the network.
> > 4. Install the patch from Windows Update
> >    <http://windowsupdate.microsoft.com/>, or MS03-026
> >    <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>.
> >
> >    1. Using Internet Explorer, go to Windows Update
> >       <http://windowsupdate.microsoft.com/> and follow the
> >       instructions there to install any available patches.
> > 5. Read and apply the clean up measures outlined in MS03-026
> >    <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>.
> >
> > Notes
> >
> > * The worm may exist as processes and files with names other than
> >   "msblast.exe."
> > * It has been reported that AOL network connections do not display
> >   an option to use ICF.
> > * Disabling DCOM may break things and may be unnecessary (assuming
> >   that the worm is completely disabled and ICF is enabled).
> > * Another type of host-based or network firewall can be used to
> >   block 135/tcp.
> > * Save yourself the trouble next time by blocking 135, 137, 138,
> >   139, and 445 tcp and udp inbound and outbound. This will block
> >   most MS networking traffic. Leaving ICF enabled will stop
> >   unsolicited inbound network traffic. Unless it breaks something,
> >   leave ICF enabled.
> >
> > More Information
> >
> > <http://www.cert.org/advisories/CA-2003-20.html>
> > <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A>
>
> If you want to know how open your computer and/or network is, one free
> site is Steve Gibson's "Shields UP!" at https://grc.com/x/ne.dll?bh0bkyd2
>
> Nicky
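The CERT steps quoted in the thread are all manual clicks in Task Manager, Search, Dcomcnfg and the ICF dialog. As an added example (not from the RBASE-L thread, CERT or Microsoft), the script below is a read-only audit that checks a Windows host against the same points: a running process or leftover file with the worm's name, whether DCOM is enabled, whether the host firewall is on, and whether any enabled inbound allow rule exposes the ports the Notes recommend blocking (135, 137, 138, 139, 445). It assumes a current Windows build with the NetSecurity cmdlets (`Get-NetFirewallProfile`, `Get-NetFirewallRule`, `Get-NetFirewallPortFilter`), which XP's ICF never had, and an elevated session; the `EnableDCOM` value under `HKLM\SOFTWARE\Microsoft\Ole` is where the Dcomcnfg checkbox is stored. It changes nothing; it only reports.

```powershell
# Added example (not from the thread or CERT): read-only audit of a Windows host
# against the W32/Blaster recovery steps. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated PowerShell session.

param(
    # Name to look for; the Notes warn the worm may use other names.
    [string]$WormName = 'msblast.exe',
    # Ports the CERT Notes recommend blocking inbound and outbound.
    [int[]]$Ports = @(135, 137, 138, 139, 445)
)

$findings = @()

# 1. Running process with the worm's name (Step 2 of the tips).
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($WormName)
$procs = Get-Process -Name $baseName -ErrorAction SilentlyContinue
if ($procs) {
    $findings += "Process '$WormName' is running (PID(s): $($procs.Id -join ', '))"
}

# 2. Files with the worm's name under the Windows directory (Step 3).
#    -Force includes hidden files; errors on protected folders are ignored.
$files = Get-ChildItem -Path $env:SystemRoot -Filter $WormName -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $findings += "File present: $($f.FullName)"
}

# 3. DCOM state (Step 4). Dcomcnfg's "Enable Distributed COM on this computer"
#    checkbox is the EnableDCOM string value ('Y' or 'N') under HKLM\SOFTWARE\Microsoft\Ole.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'Y') {
    $findings += "DCOM is enabled (EnableDCOM=Y); fine only if MS03-026 is installed and the firewall is on"
}

# 4. Host firewall enabled on every profile (modern equivalent of enabling ICF).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
    }
}

# 5. Enabled inbound allow rules that open one of the listed ports.
#    LocalPort is a string or array of strings ('135', '137-139', 'Any');
#    exact matches are checked, so a range like '130-140' is not flagged here.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($p in $Ports) {
        if ($filter.LocalPort -contains "$p") {
            $findings += "Inbound allow rule '$($rule.DisplayName)' exposes port $p/$($filter.Protocol)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: no worm process or file, firewall enabled on all profiles, no inbound allow rules on the listed ports.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as `.\blaster-audit.ps1` from an elevated prompt; pass `-WormName` to check a different file name, since the Notes point out the worm is not always called msblast.exe. Each finding maps back to one of the quoted steps, so the output tells you which manual step still needs doing rather than doing it for you.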

