Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Dave Kennedy
Tuesday, August 12, 2003, 1:05:28 PM, Spike wrote:
S The risk is MINIMAL as long as you have not altered the
S default settings in TB!   This is under Options > Preferences
S > Warnings. As long as you don't EXECUTE any questionable
S attachment that comes through, you will probably be OK.

I'm a little confused by what you're saying. My reading of
the MS bulletin says Blaster is a worm that propagates via the
RPC ports. If you're on-line and nothing is blocking ports 135,
139, & 445 you can get infected even without e-mail.

Does Blaster also propagate via e-mail?  If so, then TB!'s
warnings about executing attachments will make a difference.

PS - Thank you to Alexander [EMAIL PROTECTED] (neuroWerx) for
his pointer to the Symantec Blaster scanner/removal tool. I'm
running it now. Here's the link for others who might have missed
that post:
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

H. The tool just crashed with a memory error after running
for several minutes.

Has anyone else run this?

--
Dave Kennedy



Current version is 1.62r | Using TBUDL information:
http://www.silverstones.com/thebat/TBUDLInfo.html


Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Spike
Hello tbudlers,

Further to this, you MUST make sure that your Windows installation has
been FULLY patched with all the latest updates.  This vulnerability
has been addressed, but ONLY if you have regularly and RELIGIOUSLY
executed all the updates.  If you fail to do this, you are vulnerable.
Almost ALL the infections I have found have been traced to users
accessing their Hotmail from a browser.  There are other vectors of
infection, but this seems to be the common thread.  ALL my clients
have a prohibition against employees accessing webmail at work, but
they are not ENFORCING it, much to their detriment.

I have one law firm that is TOTALLY down with no machines working in
the office at present.  They are all XP machines, which figures!  I
will be leaving for their offices shortly after I send this.

There is a tool available to check for (and remove) BLASTER at:

http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


-- 
Warmest tropical wishes,
Spike

Quote for the nanosecond:
Ability is a good thing but stability is even better.

/\   ASCII Ribbon Campaign - Against HTML Mail
\ /   If it aint a webpage it shouldn't be HTML. 
 XSay NO! to bloatmail - ban HTML mail!
/ \   Ask Spikey, he hates everything (HTML).
--
Using TheBat! v1.62r hamstrung by Windows XP 5.1 
Build 2600 Service Pack 1'
--





Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Alexander
12-Aug-2003 19:05, [EMAIL PROTECTED] wrote:

> The risk is MINIMAL as long as you have not altered the default
> settings in TB!   This is under Options > Preferences > Warnings. As
> long as you don't EXECUTE any questionable attachment that comes
> through, you will probably be OK.

Sorry for continuing this OT thread, but I find it highly important.

Spike, what you write is just plain wrong. Blaster is not dependent on
email *at all*. Please, don't spread half-knowledge and confuse people with
it.

The only permanent cure against Blaster (or any other worm that is yet to
come, exploiting the same vulnerability) is to close Port 135, 139, 445 for
remote access from the internet with a firewall (even the built-in fw in
WinXP will do) and install the KB823980 patch from MS. *Anyone* with
WinNT4, 2000 or XP is advised to do so immediately, read MS03-26.

-- 
Best regards,
 Alexander (http://www.neurowerx.de)

The release of atom power has changed everything except our way of
thinking...the solution to this problem lies in the heart of mankind. If
only I had known, I should have become a watchmaker. -- Albert Einstein



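The two checks the thread keeps coming back to (Dave's point that Blaster arrives over the RPC ports without any e-mail, and Alexander's advice to filter 135/139/445 and install KB823980) can be turned into a quick self-audit. The script below is an added example, not code from the list or from Microsoft or Symantec; it assumes Windows `netstat -an` row layout (PROTO, LOCAL, FOREIGN, STATE) and `systeminfo`-style hotfix lines ("[nn]: KBnnnnnn"), and the sample rows and the hotfix ids other than KB823980 are constructed placeholders. Note that netstat only shows what is listening; whether the built-in firewall actually filters those ports from the internet has to be confirmed separately.

```python
import re
from typing import Dict, Iterable, List

# Ports the thread says Blaster needs: 135 (the RPC/DCOM endpoint the
# MS03-026 buffer overrun is reached through) plus 139 and 445, which the
# same advice closes off at the firewall.
BLASTER_PORTS = {135, 139, 445}

# Hotfix for MS03-026 as named in the thread.
MS03_026_HOTFIX = "KB823980"

# Matches hotfix ids as systeminfo / Add-Remove Programs print them; the
# older "Q" prefix is accepted as well (assumption: six-digit ids).
HOTFIX_RE = re.compile(r"\b(?:KB|Q)(\d{6})\b", re.IGNORECASE)


def listening_blaster_ports(netstat_lines: Iterable[str]) -> List[int]:
    """Ports from BLASTER_PORTS that have a TCP listener on a non-loopback
    address, parsed from Windows `netstat -an` style rows
    (PROTO  LOCAL  FOREIGN  STATE)."""
    found = set()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue            # header, blank, UDP and malformed rows
        local, state = fields[1], fields[3]
        if state.upper() != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue            # loopback-only listeners are not reachable
        if int(port) in BLASTER_PORTS:
            found.add(int(port))
    return sorted(found)


def has_ms03_026_patch(hotfix_lines: Iterable[str]) -> bool:
    """True if KB823980 (or Q823980) appears in the installed-hotfix list."""
    wanted = MS03_026_HOTFIX[2:]          # the numeric part, "823980"
    return any(num == wanted
               for line in hotfix_lines
               for num in HOTFIX_RE.findall(line))


def assess(netstat_lines: Iterable[str],
           hotfix_lines: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into the advice the thread gives."""
    ports = listening_blaster_ports(netstat_lines)
    patched = has_ms03_026_patch(hotfix_lines)
    if patched and not ports:
        verdict = "patched, no RPC/SMB listeners"
    elif patched:
        verdict = "patched; still confirm the firewall filters these ports"
    elif not ports:
        verdict = "UNPATCHED; install KB823980 even though nothing listens"
    else:
        verdict = "UNPATCHED with RPC/SMB listeners: filter ports, then patch"
    return {"listening": ports, "patched": patched, "verdict": verdict}


# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      10.0.0.5:51234         ESTABLISHED
  UDP    0.0.0.0:135            *:*
""".splitlines()

# Constructed hotfix lists in systeminfo's "[nn]: KBxxxxxx" style; the
# ids other than KB823980 are placeholders, not real hotfixes.
SAMPLE_HOTFIXES_UNPATCHED = ["[01]: Q111111", "[02]: KB222222"]
SAMPLE_HOTFIXES_PATCHED = SAMPLE_HOTFIXES_UNPATCHED + ["[03]: KB823980"]

if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, SAMPLE_HOTFIXES_UNPATCHED))
    print(assess(SAMPLE_NETSTAT, SAMPLE_HOTFIXES_PATCHED))
```

On a real machine, feed it the saved output of `netstat -an` and the hotfix section of `systeminfo`; the point of keeping the two checks separate is that Spike's unpatched Win2K test box and Alexander's patched-but-unfiltered case land in different branches of `assess`.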


Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Alexander
12-Aug-2003 19:15, [EMAIL PROTECTED] wrote:

> H. The tool just crashed with a memory error after running for
> several minutes.

> Has anyone else run this?

I ran it on various WinXP systems today without problems.

-- 
Best regards,
 Alexander (http://www.neurowerx.de)

Almost anything you do will be insignificant, but it is very important that
you do it. -- Mohandas K. Gandhi





Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Marck D Pearlstone
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

@13-Aug-2003, 16:13 Marck [MDP] in
mid:[EMAIL PROTECTED] said to Dave:

MDP Date : 12-Aug-2003, 13:15 -0400 (18:15 UK time)
MDP From : Dave Kennedy [EMAIL PROTECTED]
MDP Refr : mid:[EMAIL PROTECTED]

More apologies. I was trying to forward this warning to someone else
(who has been infected) and TBv2, yet again, changed the darned
address back!!!

Sorry folks. I must remember that it's doing that!!! :-(

- --
Cheers -- .\\arck D Pearlstone -- List moderator
TB! v2.0 Beta/1 on Windows XP 5.1.2600 Service Pack 1

-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its 
affiliated companies.

iQA/AwUBPzpcfTnkJKuSnc2gEQK9MACg4nAOJ9TRV9gi5HQ+HBDFUJFKa38AoLCx
fCRUp97qk9/yxpOGsZ4lMr+b
=v3Sz
-END PGP SIGNATURE-






OT: Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Leif Gregory
Hello All,

moderator

While the moderators certainly wish to foster a community within the
TB users so that we can all help each other, this thread would be more
suitable for discussion on the TBOT lists.

1. This is not an e-mail centric worm.
2. It has nothing to do with TB even remotely.
3. Most of the ground has been covered here on TBUDL

Please continue this on TBOT (I've CC'd the TBOT list with this
message to continue the thread there.)

Thank you.

/moderator


-- 
Leif (TB list moderator and fellow end user).

Using The Bat! 2.0 Beta/1 under Windows 2000 5.0
Build 2195 Service Pack 3 on a Pentium 4 2GHz with 512MB





Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Marck
Date : 12-Aug-2003, 13:15 -0400 (18:15 UK time)
From : Dave Kennedy [EMAIL PROTECTED]
Refr : mid:[EMAIL PROTECTED]

~ Original Message ~
Tuesday, August 12, 2003, 1:05:28 PM, Spike wrote:
S The risk is MINIMAL as long as you have not altered the
S default settings in TB!   This is under Options > Preferences
S > Warnings. As long as you don't EXECUTE any questionable
S attachment that comes through, you will probably be OK.

I'm a little confused by what you're saying. My reading of
the MS bulletin says Blaster is a worm that propagates via the
RPC ports. If you're on-line and nothing is blocking ports 135,
139, & 445 you can get infected even without e-mail.

Does Blaster also propagate via e-mail?  If so, then TB!'s
warnings about executing attachments will make a difference.

PS - Thank you to Alexander [EMAIL PROTECTED] (neuroWerx) for
his pointer to the Symantec Blaster scanner/removal tool. I'm
running it now. Here's the link for others who might have missed
that post:
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

H. The tool just crashed with a memory error after running
for several minutes.

Has anyone else run this?

--
Dave Kennedy





~ End of Original Message ~


Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread tracer
Hello Spike,
On Tue, 12 Aug 2003 12:23:46 -0500 GMT your local time,
which was Wednesday, August 13, 2003, 12:23:46 AM (GMT+0700) my local time,
Spike wrote:

> There is a tool available to check for (and remove) BLASTER at:

> http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Am downloading it as I guess I will be busy. So far none of my
customers have been hit.

-- 

Best regards,
 
tracer

Using theBAT 1.63 Beta/11 

mail to : [EMAIL PROTECTED]
C.C.S. Associates
FAX (USA): (208) 460-3753
pgp 6.5.3 : 0x909D9B10







Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Mark Wieder
Ah, yes... the layman's article. I love the fact that the web link
for MS is http://cgi.money.cnn.com/mgi/mgi_search?QUERY=MSFT and
there's no link for downloading the patches to fix things up.

-Mark Wieder

 Using The Bat! v1.63 Beta/7 on Windows 2000 5.0 Build 2195 Service Pack 2
-- 





Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Thomas Fernandez
Hello Spike,

On Tue, 12 Aug 2003 12:23:46 -0500 GMT (13/08/2003, 00:23 +0700 GMT),
Spike wrote:

> Further to this, you MUST make sure that your Windows installation has
> been FULLY patched with all the latest updates.  This vulnerability
> has been addressed, but ONLY if you have regularly and RELIGIOUSLY
> executed all the updates.  If you fail to do this, you are vulnerable.
> Almost ALL the infections I have found have been traced to users
> accessing their Hotmail from a browser.

OK. I'm running Win98, so I'm not vulnerable, right? (This is the
first question.)

My friend checked his Hotmail on my computer. Would he have had to
have downloaded anything to cause an infection, or would opening a
mail received by Hotmail have sufficed? (This is the second question.)

> http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

This website has been loading for ages. May be over-loaded...

-- 

Cheers,
Thomas.

Moderator der deutschen The Bat! Beginner Liste.

CHRISTOPHER HOPE was disappointed by the warning he spotted on a
gallon container of the laboratory disinfectant Hibitane. Avoid
contact with brain, it told him, thereby spoiling his plans for a
fun-filled afternoon drilling holes in his skull and pouring
disinfectant into them.

Message reply created with The Bat! 2.0 Beta/1
under Chinese Windows 98 4.10 Build  A 
using a Pentium P4 1.7 GHz, 128MB RAM






Re: BLASTER WORM - was Re: can I change RE: into something else?

2003-08-14 Thread Spike
Hello Alexander,

On or about Tuesday, August 12, 2003 at 19:23:08GMT +0200 (which was
12:23 PM in the tropics where I live) Alexander posted:

A Sorry for continuing this OT thread, but I find it highly
A important.

A Spike, what you write is just plain wrong. Blaster is not dependant
A on email *at all*. Please, don't spread half-knowledge and confuse
A people with it.

I'm just going by my EXPERIENCE here _in the Cayman Islands_.  The
common denominator is UNPATCHED Windows installations AND access to
webmail by people violating company protocols.  There are many who are
uninfected, despite being on the same network and node of an infected
system, but have not accessed webmail.  ALL my clients run the built-
in WIN-XP firewall, which may account for this.

> *Anyone* with WinNT4, 2000 or XP is advised to do so immediately,
> read MS03-26.

A thorough search of the Microshaft site for this 'MS03-26' returned
_NO ON-TOPIC_ hits!  I ran into this before when someone sent me this
last week.  The MS site is very poorly indexed, if you ask me!

However this came up in a search for KB823980:

Download details: Windows Server 2003 64-Bit Edition Security Patch:
Buffer Overrun In RPC Interface Could Allow Code Execution
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=2b566973-c3f0-4ec1-995f-017e35692bc7

Download details: Windows 2000 Security Patch:
Buffer Overrun In RPC Interface Could Allow Code Execution
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c8b8a846-f541-4c15-8c9f-220354449117

Download details: Windows XP Security Patch:
Buffer Overrun In RPC Interface Could Allow Code Execution
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=2354406c-c5b6-44ac-9532-3de40f69c074

823980 - MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp

Thanks for the information.  The 'market' here is very isolated, and
my remarks were based upon real-life experience in this market.  I
have an unpatched WIN2K system on an open ADSL connection with NO
FIREWALL (a test system) that is unaffected at this time, and by all
expectations SHOULD be by now.  I use this system exclusively to
record local radio talk shows with a program called 'Total Recorder.'

Only in the last few months has XP become commonplace here, and over
50% of corporate clients here still run WIN98 or NT-4 on their average
desktop.  The most common server here is still NT-4.

Any 'misleading' information was unintended.  I'll say no more on this
topic, if only because it is trout bait.

-- 
Warmest tropical wishes,
Spike

Quote for the nanosecond:
Heaven can wait, Hell is often a bit more aggressive.

/\   ASCII Ribbon Campaign - Against HTML Mail
\ /   If it aint a webpage it shouldn't be HTML. 
 XSay NO! to bloatmail - ban HTML mail!
/ \   Ask Spikey, he hates everything (HTML).
--
Using TheBat! v1.62r hamstrung by Windows XP 5.1 
Build 2600 Service Pack 1'
--


