
New Computer Worm is.... Helpful???

guyver01

Lifer
New Internet Worm Tries to Patch Windows Hole

Reuters

A new computer worm is spreading worldwide through a security hole in Windows -- also used by last week's Blaster worm -- but then patching the hole instead of crashing the system like Blaster does, security experts said on Monday.

The new worm, dubbed "Welchia" or "Nachi," is similar to Blaster, but it purports to patch the hole Blaster exploited to enter into computers in the first place and tries to clean up after Blaster if the computer is infected with it.

Despite the apparently good intentions of the new worm, spreading "good" worms is a very bad idea, said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc. (NET.N).

"You would rather not have somebody rebooting your machine in the middle of what you are doing, regardless of their intentions," he said.

 
Well, you gotta figure that the same people who were dumb enough to get the blaster worm will be just as clueless when the problem is fixed for them.

Too bad MS couldn't do it for them.
 
Originally posted by: Stark
Well, you gotta figure that the same people who were dumb enough to get the blaster worm will be just as clueless when the problem is fixed for them.

I agree. While it might not be the nicest way to cure the problem, it won't affect users already patched, and it will hopefully spread with the same ludicrous speed.

- M4H
 
Turns out that worm is destroying the company I am at now.

It wasn't the blaster as I thought it was.

The worm is not good.

It has brought our internet traffic to a standstill.
 
Originally posted by: LordJezo
Turns out that worm is destroying the company I am at now.

It wasn't the blaster as I thought it was.

The worm is not good.

It has brought our internet traffic to a standstill.

Ouch. The only one new one I've seen so far today is W32/Mimail@MM. Gotta love the firewall.
 
ok

here is what i found

when you get this "nice" worm it fixes you but then starts sending out icmp echo request things. it finds somebody, goes on them, and they start doing it. eventually you will have everyone pinging everyone and everything dies. which is what is going on here. because everyone's pc is looking to "fix" everyone else's pc it's a terrible cascade of ping death bringing everything to a standstill.

ATT was hit by it yesterday and it made it here today.

w00t.
 
Originally posted by: LordJezo
ok

here is what i found

when you get this "nice" worm it fixes you but then starts sending out icmp echo request things. it finds somebody, goes on them, and they start doing it. eventually you will have everyone pinging everyone and everything dies. which is what is going on here. because everyone's pc is looking to "fix" everyone else's pc it's a terrible cascade of ping death bringing everything to a standstill.

ATT was hit by it yesterday and it made it here today.

w00t.

Were these icmp packets using port 8? I've noticed a huge increase in icmp packets being blocked by the firewall, attempting to reach port 8 on all my servers.

Just wondering if msblast.d was the cause of this.
 
Originally posted by: VictorLazlo
Originally posted by: LordJezo
ok

here is what i found

when you get this "nice" worm it fixes you but then starts sending out icmp echo request things. it finds somebody, goes on them, and they start doing it. eventually you will have everyone pinging everyone and everything dies. which is what is going on here. because everyone's pc is looking to "fix" everyone else's pc it's a terrible cascade of ping death bringing everything to a standstill.

ATT was hit by it yesterday and it made it here today.

w00t.

Were these icmp packets using port 8? I've noticed a huge increase in icmp packets being blocked by the firewall, attempting to reach port 8 on all my servers.

Just wondering if msblast.d was the cause of this.

ICMP does not use ports, it's an entirely different protocol atop IP that's disparate from TCP or UDP. What you're experiencing is probably a connection attempt on port 8 using TCP.
 
Got the one circulating this AM from my Hotmail account.

Tells you to click for details then to download a form in .pif format. McAfee at hotmail let it through.

Knew I had it right away as lights on both my router and cable modem began rapidly blinking and computer slowed way down.

Only good thing, it was easy enough to get rid of.

Sorry I can't give you any more technical details than it was of the SOBIG variety.
 
Originally posted by: VictorLazlo
Originally posted by: LordJezo
ok

here is what i found

when you get this "nice" worm it fixes you but then starts sending out icmp echo request things. it finds somebody, goes on them, and they start doing it. eventually you will have everyone pinging everyone and everything dies. which is what is going on here. because everyone's pc is looking to "fix" everyone else's pc it's a terrible cascade of ping death bringing everything to a standstill.

ATT was hit by it yesterday and it made it here today.

w00t.

Were these icmp packets using port 8? I've noticed a huge increase in icmp packets being blocked by the firewall, attempting to reach port 8 on all my servers.

Just wondering if msblast.d was the cause of this.

I thought that ICMP did not use ports?

 
Originally posted by: Stark
Well, you gotta figure that the same people who were dumb enough to get the blaster worm will be just as clueless when the problem is fixed for them.

Too bad MS couldn't do it for them.

Well, MS could've done it for them. It's called Automatic Updates. It's not MS' fault that so many people ignore those little balloons.
 
Originally posted by: NogginBoink
Originally posted by: Stark
Well, you gotta figure that the same people who were dumb enough to get the blaster worm will be just as clueless when the problem is fixed for them.

Too bad MS couldn't do it for them.

Well, MS could've done it for them. It's called Automatic Updates. It's not MS' fault that so many people ignore those little balloons.


not only that, but grc.com was warning about the rpc flaw almost for a year and released 'leak test' to test your firewall program against it.
 
By port 8 you probably mean type 8.

ICMP message type 8 is echo request. Response is normally supposed to be type 0 (if you don't have the response turned off completely).

BTW, the ability to crash any windows machine by connecting to it and sending garbage to netbios ports (used by RPC) has been well known since at least Windows 3.0.
 
Originally posted by: Descartes
Originally posted by: VictorLazlo
Originally posted by: LordJezo
ok

here is what i found

when you get this "nice" worm it fixes you but then starts sending out icmp echo request things. it finds somebody, goes on them, and they start doing it. eventually you will have everyone pinging everyone and everything dies. which is what is going on here. because everyone's pc is looking to "fix" everyone else's pc it's a terrible cascade of ping death bringing everything to a standstill.

ATT was hit by it yesterday and it made it here today.

w00t.

Were these icmp packets using port 8? I've noticed a huge increase in icmp packets being blocked by the firewall, attempting to reach port 8 on all my servers.

Just wondering if msblast.d was the cause of this.

ICMP does not use ports, it's an entirely different protocol atop IP that's disparate from TCP or UDP. What you're experiencing is probably a connection attempt on port 8 using TCP.

My bad. It's the way my firewall log reports the alarm:
flt_action=block
msg="Block RAF (16)"
rule=16
proto=icmp
src=12.xxx.xxx.xxx
srcport=8
dst=12.xxx.xxx.xxx
dstport=8

I wonder why it does that?
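
An added example, not part of any post in this thread: a Python sketch that reads records in the field layout of the log excerpt above, re-labels the `srcport`/`dstport` values of `proto=icmp` records as an ICMP type (the reading suggested by the "type 8" reply), and counts how many distinct hosts each source sent echo requests to. The sample records, addresses, function names and threshold are constructed for illustration; that this firewall stores the ICMP type in both port fields is an assumption.

```python
import shlex
from collections import defaultdict

ICMP_TYPES = {0: "echo-reply", 8: "echo-request"}  # the two types named in the thread

# Constructed sample records in the field layout of the log excerpt above;
# addresses are documentation ranges, not values from the thread.
_REC = ('flt_action=block\nmsg="Block RAF (16)"\nrule=16\nproto={proto}\n'
        'src={src}\nsrcport={sp}\ndst={dst}\ndstport={dp}')
SAMPLE_LOG = "\n\n".join(
    [_REC.format(proto="icmp", src="192.0.2.10", sp=8, dst=f"198.51.100.{n}", dp=8)
     for n in range(1, 7)]
    + [_REC.format(proto="tcp", src="192.0.2.77", sp=40112, dst="198.51.100.5", dp=8),
       _REC.format(proto="icmp", src="192.0.2.50", sp=0, dst="198.51.100.5", dp=0)]
)

def parse_records(text):
    """Split blank-line-separated records into dicts of key=value fields."""
    records = []
    for block in text.strip().split("\n\n"):
        # shlex keeps the quoted msg="..." value together as one token
        fields = dict(tok.split("=", 1) for tok in shlex.split(block) if "=" in tok)
        if fields:
            records.append(fields)
    return records

def normalize(rec):
    """Re-label the 'port' fields of an ICMP record; leave TCP/UDP records alone."""
    out = dict(rec)
    if rec.get("proto", "").lower() == "icmp":
        # Assumption: the firewall copies the ICMP type into srcport and dstport.
        raw = out.pop("srcport", "")
        out.pop("dstport", None)
        if raw.isdigit():
            out["icmp_type"] = int(raw)
            out["icmp_name"] = ICMP_TYPES.get(int(raw), f"type-{raw}")
    return out

def echo_sweepers(records, min_targets=5):
    """Return {src: distinct_target_count} for sources pinging many hosts."""
    targets = defaultdict(set)
    for rec in map(normalize, records):
        if rec.get("icmp_type") == 8:  # echo request
            targets[rec["src"]].add(rec["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(normalize(recs[0]))
    print(echo_sweepers(recs))
```

A single source sending echo requests to many distinct addresses is the pattern described earlier in the thread; the TCP record with `dstport=8` is left untouched, so a real connection attempt to port 8 is not confused with ICMP type 8.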
 