Sticky Please: New Worm! (March 20 2004)

NogginBoink · Mar 20, 2004

This one is nasty. Exploits a buffer overrun in Black Ice (ironic, no? Black Ice is supposed to protect your computer!) and overwrites random sectors on your disks.

Ouch indeed.

Details here

Patch info here.

Surprisingly, this one doesn't appear to be Microsoft's fault.

(Cross posted to Operating Systems and slashdot pending moderator approval.)

TallBill · Mar 20, 2004

OMG AIEA! NO!! We're gonna die!

KingNothing · Mar 20, 2004

I'd be surprised if anyone here uses Black Ice, but thanks for the info.

DaWhim · Mar 20, 2004

my school network.....yikes! it has been down the whole frigging morning!

There appears to be a new, as yet unknown worm or bot that sends large amounts
of UDP traffic with source port 4000, apparently attempting to exploit a
recently disclosed vulnerability with RealSecure and BlackICE:

http://www.eeye.com/html/Research/Advisories/AD20040226.html

The UB network began getting hammered by this traffic at approximately
midnight. As of right now (approx 4am) we have

blocked "UDP source port 4000" traffic from leaving or entering UB.
Unfortunately, we appear to have hundreds of machines on campus
that are affected by this worm/bot, therefore there is still a
lot of congestion on our internal networks. For example, our
gigabit (1000Mbps) link leading towards Internet1 and Internet2
is currently very close to 100% utilization. We are continuing to investigate
ways that we can alleviate the stress on the UB network.

InlineFive · Mar 22, 2004

I presume this also affects computers directly connected without software firewalls?

-Por

joinT · Mar 22, 2004

Originally posted by: PorBleemo
I presume this also affects computers directly connected without software firewalls?

-Por

I don't think so. It's programmed specifically to use a vulnerability in BlackIce.

http://www.lurhq.com/witty.html

rh71 · Mar 22, 2004

It took the coders this long to get smart ? Attacking Antivirus first was the right thing to do ... why didn't they think of this until now ?

Score one for hardware firewalls.

EagleKeeper · Mar 22, 2004

Notice that it went for Black Ice and not Zone Alarm

spidey07 · Mar 22, 2004

Originally posted by: EagleKeeper
Notice that it went for Black Ice and not Zone Alarm

gee, maybe because the vulnerability was in Black Ice?

Sideswipe001 · Mar 22, 2004

Originally posted by: spidey07

Originally posted by: EagleKeeper
Notice that it went for Black Ice and not Zone Alarm

Click to expand...

gee, maybe because the vulnerability was in Black Ice?

I never thought of Black Ice as being a particularly effective firewall anyway.

azazyel · Mar 22, 2004

Does anyone know what the emails look like? I received one that said.

"If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:"

then there was a link to my inbox.

I am not going to open it I was just wondering if this was it.

Adul · Mar 22, 2004

simms · Mar 22, 2004

Originally posted by: Sideswipe001

Originally posted by: spidey07

Originally posted by: EagleKeeper
Notice that it went for Black Ice and not Zone Alarm

Click to expand...

gee, maybe because the vulnerability was in Black Ice?

Click to expand...

I never thought of Black Ice as being a particularly effective firewall anyway.

IMHO it sucks... did you read that thread on GRC.com?

Bassyhead · Mar 22, 2004

Thanks for the heads up (I dont use Black Ice anyways)

Triumph · Mar 22, 2004

Kerio has been blocking a lot of hits to mstask.exe in the last few days. Not sure if this is the same thing or not.

Ozoned · Mar 23, 2004

This sounds cool. Do I get this from microsofts

website like I did the blaster worm??

Zee · Mar 23, 2004

why would this be a sticky? who even uses blackice?

MainFramed · Mar 23, 2004

Don't use Black Ice but thanks for the info

Rogue · Mar 23, 2004

I found this yesterday and it looks very similar to this NEW worm that everyone's talking about, only these posts are dated clear back to 2002. Seems to me the problem has existed for a very, very long time and no one has done anything about it. Pretty scary really. At least Microsoft takes a few months, not years (usually

) to fix their issues.

fw3308 · Mar 23, 2004

It may not need to be stickied but it is a nasty virus. The scary thing is that is is memory resident and NAV or McAfee will not pick it up. Even worse is that it randomly re-writes 128 sectors on your hard drive. If you are hit by it there is no fix. Just reimage the machine and either update your Black Ice or get a different product.

DWW · Mar 23, 2004

Why is this even stickied? Worms happen all the time.

Besides Black Ice has always sucked. Its had proof of concept code available around for some time (couple years) for something else

Gravity · Mar 23, 2004

I got the netsky.p yesterday. That sucked. Thought I knew the sender. Oh well!

NikPreviousAcct · Mar 24, 2004

Ah... the benefits of a hardware firewall and common-sense anti-virus.

Papagayo · Mar 24, 2004

GE uses Black ICE.. Had lot of machine die because of this virus..

AIWGuru · Mar 24, 2004

who the frig cares? This shouldn't be a sticky

Sticky Please: New Worm! (March 20 2004)

Diamond Member

Lifer

Diamond Member

Lifer

Diamond Member

Lifer

No Lifer

Discussion Club Moderator<br>Elite Member

No Lifer

Golden Member

Diamond Member

Elite Member

Diamond Member

Diamond Member

Lifer

Diamond Member

Diamond Member

Diamond Member

Banned

Member

Platinum Member

Diamond Member

No Lifer

Platinum Member

Banned