
Please help me! (w32.blaster.worm thread)

titanmiller

Platinum Member
Could you please search your entire registry for msblast
Somehow I seem to have gotten something that spread over my entire network. And it causes all of the computers to restart at the same time (I'm sure it does more). I searched Google and SARC for msblast(.exe) but didn't find anything. I believe I have cleared two of my computers manually by deleting every file and registry key that contained msblast in the name, and it appears to have worked. However, the notebook still seems to have it, but only when connected to the internet.
 
Thank you SO much. I couldn't find anything. Sounds like it is a brand new virus; I have no idea where we picked it up either.
 
Wow, good timing. My grandmother called today and has this. It gives her an RPC violation, and a window pops up giving her 60 seconds to save her files, then promptly restarts.
 
Yes, it's a relatively new worm that attacks a security flaw in unpatched MS OSes that hackers attack with a buffer overrun on RPC ports.

Similar in function to the SQL Server worm. 1st the flaw was discovered, then hackers scanned the 'Net for unpatched servers/pcs, then wrote a worm to attack (which also scans for unpatched servers/pcs to attack).

:|

A number of people I know are getting hit with this. Fortunately, I recently patched my systems (there are only 2 up and running), so everything here is ok (knock on wood).
 
Originally posted by: RaySun2Be
Yes, it's a relatively new worm that attacks a security flaw in unpatched MS OSes that hackers attack with a buffer overrun on RPC ports.

Similar in function to the SQL Server worm. 1st the flaw was discovered, then hackers scanned the 'Net for unpatched servers/pcs, then wrote a worm to attack (which also scans for unpatched servers/pcs to attack).

:|

A number of people I know are getting hit with this. Fortunately, I recently patched my systems (there are only 2 up and running), so everything here is ok (knock on wood).

So does that mean my PC is vulnerable? I'm running a separate PC as a router running Linux. If so, what would I have to patch in XP?
 
Originally posted by: Coolkid
Originally posted by: RaySun2Be
Yes, it's a relatively new worm that attacks a security flaw in unpatched MS OSes that hackers attack with a buffer overrun on RPC ports.

Similar in function to the SQL Server worm. 1st the flaw was discovered, then hackers scanned the 'Net for unpatched servers/pcs, then wrote a worm to attack (which also scans for unpatched servers/pcs to attack).

:|

A number of people I know are getting hit with this. Fortunately, I recently patched my systems (there are only 2 up and running), so everything here is ok (knock on wood).

So does that mean my PC is vulnerable? I'm running a separate PC as a router running Linux. If so, what would I have to patch in XP?

Unless you opened ports (*EDIT*) 135, 139, or 445 to allow incoming connection traffic into your LAN on these ports, you are OK. But run Windows Update anyway to get the fix.
 
There are a lot of posts on the DSLReports Security forum that are saying you should block port 135 and 4444, as the worm seems to be targeting those ports.
 
I get targeted with this less than 1 min after hooking up a new install of Windows to my broadband.

It's not even long enough to download and install the patch either.


Also, they don't have a patch for my Eval version (RC2) of Windows 2003 Server, so I'm screwed with that too.


Garry
 
Windows Update hasn't seen a visit from me for at least three months (yes, I just forgot 😱), so I zipped over there last night and downloaded every security update in sight (those 20-some megabytes took a freaking long time on my dialup connection - also the reason why I decided to save the other slightly-less-important "critical" updates until this morning). I use WinXP's built-in ICF, so perhaps that's why I haven't been hit with this already (other than that, I see no reason why I shouldn't have gotten it).
 
Originally posted by: lobadobadingdong
Wow, good timing. My grandmother called today and has this. It gives her an RPC violation, and a window pops up giving her 60 seconds to save her files, then promptly restarts.

Yep, that's what happened to us. But if it happened to one computer, it happened to all of our computers at the same exact time.

Originally posted by: jliechty
Windows Update hasn't seen a visit from me for at least three months (yes, I just forgot 😱), so I zipped over there last night and downloaded every security update in sight (those 20-some megabytes took a freaking long time on my dialup connection - also the reason why I decided to save the other slightly-less-important "critical" updates until this morning). I use WinXP's built-in ICF, so perhaps that's why I haven't been hit with this already (other than that, I see no reason why I shouldn't have gotten it).

That's what I am planning on doing today. I have NEVER run Windows Update on any of my computers :Q. Is there some way to download stand-alone patches so I only have to download them once?


I have no idea how I got it, but at least it was easy to remove. In the process of getting rid of it I "accidentally" deleted a registry key not involved. It had something to do with my Network Connections control panel, and whenever I would mouse over it to bring out the list of connections my computer would lock up. But fortunately I had saved it to my desktop and simply fixed the problem.
 
Originally posted by: RaySun2Be
Yes, it's a relatively new worm that attacks a security flaw in unpatched MS OSes that hackers attack with a buffer overrun on RPC ports.

Similar in function to the SQL Server worm. 1st the flaw was discovered, then hackers scanned the 'Net for unpatched servers/pcs, then wrote a worm to attack (which also scans for unpatched servers/pcs to attack).

:|

A number of people I know are getting hit with this. Fortunately, I recently patched my systems (there are only 2 up and running), so everything here is ok (knock on wood).

Garry (Confused) just had this problem and he thought something was wrong with the OS and formatted the Hard Drive and loaded a different OS. It was probably this worm.


 
Originally posted by: titanmiller
That's what I am planning on doing today. I have NEVER run Windows Update on any of my computers :Q. Is there some way to download stand-alone patches so I only have to download them once?
I could speculate on the reasons why you are so vehemently against running Windows Update on your computers (does the reason start with the well known letter sequence "FCKGW"? 😉), but there's a place at MS's site where you can download the patch.

There is a link in this TechNet article for your downloading convenience. 🙂
 
A client of mine called on this last night, I had her do a system restore and it still did it. So even if you have a firewall set up you are vulnerable unless you are patched correct?
 
I've only glanced at the thread so sorry if this is redundant...from the for what it's worth dept...
the MS patch requires at least a SP2 or better so prepare to have to do the upgrade if it's
been awhile...

it is nice to be able to copy the patch to floppy and take it machine to machine
and just run it from floppy...this way too I can email it to my remote locations and
tell'em that this is one attachment you want to run!

p.
 
Originally posted by: Coolkid
OK, that's cool. I haven't opened port 3389 and I don't intend to. Thanks guys 🙂

Yeah, I got the ports wrong. I thought this was a direct Terminal Server attack; the correct ports are 135, 139, or 445. Sorry about that. Read the MS TechNet article linked to get the whole scoop.
 
Most of the Windows updates and patches are downloadable outside of Windows Update.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/downloads/itdownloads/Default.asp

I have a few friends on dial-up, and so I download the patches for them, burn to CD, and take over.

MoFunk, the firewall should block access, unless port 135 or 4444 is open. My Linksys router was logging port 135 attacks every couple of seconds last night, from different PCs on my ISP's network.

I'm not sure a system restore will completely eradicate it. Did she do a virus scan with updated files? Check the Symantec site for complete removal instructions.
 
Originally posted by: titanmiller


That's what I am planning on doing today. I have NEVER run Windows Update on any of my computers :Q. Is there some way to download stand-alone patches so I only have to download them once?

You might want to pick up 2K SP4 or XP SP1 first. It will consolidate a lot of the updates into one (albeit rather large) package, but if you're deploying to multiple machines, pick up the network installs, which typically run a little over 100 MB.

 
Well, it made a comeback on my network; one of the computers wasn't fully fixed.
I downloaded the Symantec automatic removal tool, which seemed to have worked, and then applied the patch to all of my computers. I'm keeping my network cables unplugged until I'm sure it's gone, though.
 
I'm all clear now.

Installed the patch and turned on the internet connection firewall. I'm running Zone Alarm on my computer and have had a massive number of Port 135 attacks.
 
Originally posted by: RaySun2Be

MoFunk, the firewall should block access, unless port 135 or 4444 is open. My Linksys router was logging port 135 attacks every couple of seconds last night, from different PCs on my ISP's network.

I'm not sure a system restore will completely eradicate it. Did she do a virus scan with updated files? Check the Symantec site for complete removal instructions.

The system restore did nothing. It still rebooted the machine. I am fairly sure at this point that they got this trojan through e-mail or some files their son downloaded. She has PC-cillin and it updates itself all the time, but it evidently never detected this. Guess you can't be 100% secure 100% of the time.

 
Originally posted by: MoFunk
Originally posted by: RaySun2Be

MoFunk, the firewall should block access, unless port 135 or 4444 is open. My Linksys router was logging port 135 attacks every couple of seconds last night, from different PCs on my ISP's network.

I'm not sure a system restore will completely eradicate it. Did she do a virus scan with updated files? Check the Symantec site for complete removal instructions.

The system restore did nothing. It still rebooted the machine. I am fairly sure at this point that they got this trojan through e-mail or some files their son downloaded. She has PC-cillin and it updates itself all the time, but it evidently never detected this. Guess you can't be 100% secure 100% of the time.

I doubt they got it from a file. It is a worm and comes from other infected computers. You get it simply by being on the internet without the XP patch or a firewall. I suggest you get Zone Alarm long enough to download the patch. I was running it and at some points getting over 10 knocks on port 135 in a minute.
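Several posters describe the same thing in their firewall and router logs: the same outside host knocking on port 135 again and again within a minute. As an added example (not from the thread or any of its posters), here is a small detector for that pattern; the log format, addresses and timestamps are assumed and constructed for the example, and the watched ports are the ones named in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Inbound ports the thread names: 135 (RPC), 139/445 (SMB) and 4444 (the DSLReports advice).
WATCHED_PORTS = {135, 139, 445, 4444}

# Generic "dropped inbound connection" log format, assumed for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) DROP (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")


def make_sample_log():
    # Constructed log lines for this example; not from any real router or from the thread.
    lines = []
    # One host knocking on port 135 twelve times in 44 seconds, the pattern posters report.
    for i in range(12):
        lines.append(f"2003-08-12 21:00:{i * 4:02d} DROP TCP 10.0.0.7:{3000 + i} -> 192.168.1.2:135")
    # Another host touching 4444 twice, two minutes apart: noise, not a sweep.
    lines.append("2003-08-12 21:00:30 DROP TCP 10.0.0.9:3100 -> 192.168.1.2:4444")
    lines.append("2003-08-12 21:02:30 DROP TCP 10.0.0.9:3101 -> 192.168.1.2:4444")
    # Unrelated drop on port 80, which the parser must ignore.
    lines.append("2003-08-12 21:00:31 DROP TCP 10.0.0.11:3200 -> 192.168.1.2:80")
    return "\n".join(lines)


def parse_events(text):
    """Return (timestamp, source_ip, dest_port) for TCP drops on watched ports only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP":
            continue
        port = int(m.group("dport"))
        if port in WATCHED_PORTS:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("src"), port))
    return events


def scanning_sources(events, threshold=10, window_seconds=60):
    """Map source IP -> peak hits inside any sliding window, for sources at or above threshold."""
    by_src = defaultdict(list)
    for ts, src, _port in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the left edge until the window spans <= window_seconds
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Run against a real router's export, the result is a short list of sources worth blocking at the perimeter while the patch is applied; the threshold of 10 per minute is the rate one poster observed, not a fixed rule.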
 
Her version of PC-cillin has a built-in firewall. Must have something open! I will dig into it further. On a semi-related side note, I was checking my PC at work and did a netstat and see a few things I am curious about. I have a few TCP protocols listening, but the local address is 0.0.0.0:135 and the foreign address is 0.0.0.0:0. Is this normal?
 