Blaster Worm
- Thread starter listedguru
- Start date
We have a cat - can I sleep in the cathouse instead?
Cox cable was down for 2 hours last night as they re-set their routers.
Damn MSFT to hell for this; it's always a "windows vulnerability issue". We hardly hear of Linux problems, do we?
The Microsoft security update (patch) was advertised and posted about 3+ weeks ago.
Is your XP machine connected naked to the internet (i.e., without a router or firewall between it and your connection point)?
Machines behind NAT routers and firewalls should not be susceptible to the Blasterworm's attack - it attacks through an RPC DCOM flaw that exists if you don't apply the security update.
You hardly hear about Linux problems (even though there are loads of them) because most hackers don't bother with it - Windows dominiates 90%+ of all the desktop machines. So of course they'll target the largest # of machines they can - why would you bother attacking Macs and Linux (even with all the known exploits for those systems).
Not to mention that most people don't bother to regularly check for available updates and routinely let their machines sit connected to the internet 24 hours a day without so much as a condom protecting it.
Getting hammered by Blasterworm at this point (multiple weeks AFTER the security update was published) isn't Microsoft's fault.
Make sure you've stopped the process first - you can't delete the program file while the program is still running. Go to the Task Manager and kill the msblast process. Then delete the program file. If you still can't delete it, check the file properties and make sure it's not set to read only or system file. If it is, change the properties so you can delete it.
gotta_trade,
I'm quite certain that your Linksys router has a built-in firewall (consumer-grade routers usually do). If so, Linksys is quite reliable and you needn't worry. Here's how to be sure it's firewalling incoming traffic:
Click here https://grc.com/x/ne.dll?bh0bkyd2 and find the Probe My Ports and Test My Shields links. If this doesn't work (it's not working for me now) go to grc.com, click on Shields UP, and again follow the Shields UP link. The site can be a nightmare to navigate so have patience. Anyway, this will show you which ports you have open. They should all show as closed (unless you're running something that requires an open port like a webserver or ftp server or telnet server, etc), and ideally they should say "stealth."
--opm8
This is a really excellent hardware firewall:
http://www.sonicwall.com/products/soho3.html
I've used a SonicWALL firewall for several years now, and although my firewall logs are full of connection attempts every day, absolutely nothing ever gets through.
For close application control and immediate notice of outbound attempts, it's a good idea to also run a software firewall like ZoneAlarm on the PC itself.
Recent SonicWALL firewall logs are just full of port 135 connection attempts. Hundreds of entries like this:
08/11/2003 15:46:19.480 - TCP connection dropped - Source:216.254.20.47, 2834, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
08/11/2003 15:53:37.640 - TCP connection dropped - Source:216.254.16.134, 3923, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
08/11/2003 16:02:03.896 - TCP connection dropped - Source:216.253.83.63, 3933, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
Usually the port 135 attempts are spam popups (all blocked), but this is much more. Something new is definitely on the loose.
http://www.sonicwall.com/products/soho3.html
I've used a SonicWALL firewall for several years now, and although my firewall logs are full of connection attempts every day, absolutely nothing ever gets through.
For close application control and immediate notice of outbound attempts, it's a good idea to also run a software firewall like ZoneAlarm on the PC itself.
Recent SonicWALL firewall logs are just full of port 135 connection attempts. Hundreds of entries like this:
08/11/2003 15:46:19.480 - TCP connection dropped - Source:216.254.20.47, 2834, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
08/11/2003 15:53:37.640 - TCP connection dropped - Source:216.254.16.134, 3923, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
08/11/2003 16:02:03.896 - TCP connection dropped - Source:216.253.83.63, 3933, WAN - Destination: 135, LAN - 'RPC Mapper' - Rule 0
Usually the port 135 attempts are spam popups (all blocked), but this is much more. Something new is definitely on the loose.
Just got this email:
We are writing to inform all of our customers running Microsoft Windows 2000 or XP operating systems of a recent viral threat to the Internet. If you do not have any computers running either of these operating systems, you may disregard this alert.
The most recent virus threat to the Internet, "W32.Blaster.Worm", also known as, W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan[F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda] has been upgraded by Symantec to a Category 4 (of 5) threat.
This worm exploits the DCOM RPC vulnerability using TCP port 135. It then attempts to download and run the Msblast.exe file.
Although the main activity of this worm is set to trigger on 8/16/03, the worm's impact is already being felt as the traffic generated by the propagation decreases the overall throughput of everyone accessing the Internet.
Due to the widespread propagation of this worm and serious nature of the threat, we are alerting all of our customers and request that you take immediate steps to ensure all of your machines are secured against this worm.
For further detail regarding this worm, please visit:
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
McAffee:
http://us.mcafee.com/virusInfo/default.asp?id=lovsan
To remove this worm from your system, please visit:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Once you have removed the worm from your system, please download the patch detailed in Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
This bulletin's FAQ details other options for securing your machine against this threat.
Additionally, we ask that you run a full 'Microsoft Update' to ensure your machine is fully protected from this worm and any other security concerns. It will be necessary to reboot all machines that are patched and updated, otherwise the updates will not take affect.
A final, advanced, step to fully secure your network is to close port 135/tcp (and, if possible, 135-139, 445 and 593), and monitor TCP Port 444 and UDP Port 69 (tftp), which are also utilized by this worm.
We are writing to inform all of our customers running Microsoft Windows 2000 or XP operating systems of a recent viral threat to the Internet. If you do not have any computers running either of these operating systems, you may disregard this alert.
The most recent virus threat to the Internet, "W32.Blaster.Worm", also known as, W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan[F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda] has been upgraded by Symantec to a Category 4 (of 5) threat.
This worm exploits the DCOM RPC vulnerability using TCP port 135. It then attempts to download and run the Msblast.exe file.
Although the main activity of this worm is set to trigger on 8/16/03, the worm's impact is already being felt as the traffic generated by the propagation decreases the overall throughput of everyone accessing the Internet.
Due to the widespread propagation of this worm and serious nature of the threat, we are alerting all of our customers and request that you take immediate steps to ensure all of your machines are secured against this worm.
For further detail regarding this worm, please visit:
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
McAffee:
http://us.mcafee.com/virusInfo/default.asp?id=lovsan
To remove this worm from your system, please visit:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Once you have removed the worm from your system, please download the patch detailed in Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
This bulletin's FAQ details other options for securing your machine against this threat.
Additionally, we ask that you run a full 'Microsoft Update' to ensure your machine is fully protected from this worm and any other security concerns. It will be necessary to reboot all machines that are patched and updated, otherwise the updates will not take affect.
A final, advanced, step to fully secure your network is to close port 135/tcp (and, if possible, 135-139, 445 and 593), and monitor TCP Port 444 and UDP Port 69 (tftp), which are also utilized by this worm.
It's set to read only mode. If you're familiar with DOS Mode (command prompt), go to the directory the file is located (usually winnt/system) and type the following.
attrib -r msblast.exe
del msblast.exe
If you are unable to delete this file after doing this, it's because the program is running. You'll need to shut down, boot in dos mode only, then delete the file that way.
