Blaster Worm Virus


XunknownX
08-13-03, 11:56 AM
Full Article - Overclockers.Com (http://www.overclockers.com/tips00445/)

From The Article "A New Nasty" - Ed Stroligo - 8/12/03
The Inquirer reports on a new virus you should take very seriously.

The reason why is that you don't have to do anything dumb to get infected, like get happy fingers when you get email attachments.

Rather, it comes looking for you.

The Inquirer article provides the necessary links to find out more about the virus and the necessary patches/files you need to prevent this from happening and fixing it if it already has.

What it doesn't mention is that a minute or two after booting into Windows, it tells you it's going to shut your machine down after sixty seconds, gives you a countdown, and proceeds to do just that.

If you have just one machine handy, it leaves you with a Catch-22. You can't retrieve the necessary files fast enough before the machine shuts down, and if you go into Safe Mode, the virus isn't the problem, but then you can't access the Internet to get the fix.

How do I know this? I just had to do a house call with someone with this problem. It was simple enough for me to go home and get the necessary files, but it may not be so easy for you.

In any event, better to prevent this from happening to begin with. You can get the Microsoft patch for WindowsXP here and Windows2000 here.

If you're already infected, go here for a fix tool and further instructions.

Before fixing an XP system, you ought to turn off System Restore first. The Symantec link on how to do so doesn't work, but this one does.


NOTE: This Information Is Edited :- Reading The Full Article Is Recommended

1) What is your opinion of this virus and the people who created it?
2) Can Microsoft do more to protect its users?

UnseenMenace
08-13-03, 06:17 PM
** Quick Links **
Links featured through this thread and others will be presented in a list here for quick future reference. Feel free to PM UnseenMenace with a useful link.

a) Microsoft (Information On The Blaster Worm)... http://www.microsoft.com/security/incident/blast.asp

UnseenMenace
08-13-03, 06:17 PM
Comments Originally Posted By Labotomy Jack - Reposted after thread editing

I'm going to have to take the non-sympathetic standpoint here. The flaw the worm exploits has been known for, I believe, a month or two now and there has been a patch available. I don't see any excuse for not patching your system, and in any event one should at least have up-to-date antivirus software and should be running some sort of firewall.

The reason viruses and worms are able to become so widespread is that so many people are lax in protecting themselves -- however, by not protecting themselves they are hurting others. Granted, I realize that a large portion of computer owners have little concept, if any, of viruses/worms/etc. or what they need to do to protect themselves and others. I personally despise the idea of Automatic Updates, but for many people it may be a necessary thing.

As for my specific experience with this worm, I have already helped one person I work with remove it from their computer at home. It was a pretty easy process; Symantec has a removal tool on their site. You don't even need to boot into Safe Mode, I believe. I'm also not so sure about the "devastating" part, as I understand that other than propagating itself the worm doesn't really do much in the way of destruction. Well, until someone alters it...

XWRed1
08-13-03, 07:25 PM
I think the worm is pretty interesting, it has a good entertainment value.

There isn't much more Microsoft can do for their users; it's already been pretty easy to patch this thing for the last 3 weeks, the users are just dumb and lazy. If MS tried to do more, like making the updates compulsory... well, all of a sudden they are Big Brother and everyone gets mad.

OC Detective
08-14-03, 01:36 AM
It is not so much a case of making updates compulsory - however, I do feel there is a question of effective communication if the vulnerability is a serious one. MS, I feel, have a duty to inform all of its legitimate customers in such circumstances. The question is whether MS did do enough to forewarn its customers, and judging by the infection rate I would say no - whether one thinks the users are dumb and lazy or not. As for the virus itself, it is not particularly nasty in this instance, and quite clearly the originators are sending a message to Mr Gates about serious flaws in his software, so maybe that is not a bad thing?

XWRed1
08-14-03, 03:12 AM
How would you suggest they inform their customers? Besides putting it all over the television news, in the newspaper, and publicizing it enough so most computer-oriented websites pick it up?

Even after all that there's people who didn't patch. Hell, even if they only informed their legitimate customers, the majority of Windows users would still be uninformed.

OC Detective
08-14-03, 03:31 AM
Putting it in the newspapers and on TV? Don't seem to remember that - then again, I don't live in the US...
Don't XP users have to provide their email address upon registration? If so, that would seem a simple method - I don't have XP, so maybe they did do that!
The point I am making is it is Microsoft's responsibility to alert users, and obviously they did not do that well enough - and that applies to corporate businesses as well (something you would think would be much simpler to control) - hell, IBM and Motorola were affected as well!

Shadow рс
08-14-03, 06:16 AM
Actually, neither the latest updates to my anti (which I'm religious about) nor the router saved me.

I was infected yesterday... 15 mins later I was clean. Still, the point that I had to shut down all of my systems one by one to scan them irked me... but I remain clean now.

what exactly is it that these guys are shooting for? Most famous virus or longest jail term?

Milkman
08-14-03, 06:47 AM
I had it on two machines. On my main rig I did a reinstall, and then I found the removal tool at Symantec and cleaned the second one. I found the little crapper again this morning on my main rig, so I installed the patch, removed it, and then added ZoneAlarm.

moorcito
08-14-03, 09:53 AM
We got hit hard here at work. The virus came in early Tuesday morning and pretty much shut down the whole WAN because it overloaded the routers with traffic. Slowly but surely we have been cleaning this up, but it's kind of hard to do when you have 3000+ PCs to deal with.

I seriously don't think Microsoft can do much more in this case. I got an email from them last week warning about the virus and to patch our PCs. Personally, I didn't think we'd be affected that badly, since I'd hoped that the NetAdmins would have had the foresight to close the problematic ports on our firewall, but once it was inside, that's when the real damage started. Since I'm a SysAdmin, that's not my realm, but I could have helped the problem if I'd patched our boxes to begin with. So, in our case, I'd have to say the fault is with us.

Like XWRed1 said, what else can they do? I got an email from them and it went straight into the trash can. I heard about it on various computer-oriented websites and chose to do nothing. Yet by some people's logic Microsoft is still to blame, because they should have been calling everyone in the phone book, sending out junk snail mail, and spamming every possible combination of email addresses till they blanketed the world with warnings.

I am no fan of Microsoft, and only use their products because I'm forced to at work, and I still feel they were stupid to have those vulnerabilities in the first place, but I didn't do my part to patch our systems when I knew about the problem. I learned a big lesson with this virus and won't be letting this happen a second time.

As far as the virus and the people who created it: the virus itself is pretty cool, I love how it uses tftp to download copies of itself. As for the people who created it, I say since they gave us a virus we should give them a virus; something like Ebola or AIDS should do fine.

Gregory_WE
08-14-03, 09:53 AM
Just double checking... none of my systems have shutdown or have been doing any weird stuff so I'm assuming I didn't get it (yet)? I'm pretty sure I ran Windows Update a few weeks ago and also I'm going through my Linksys router.

Actually I'll just do a Norton scan...

Crash893
08-14-03, 10:28 AM
At work they're completely flipping out about it.

Like every 10 minutes the head desktop guy would come through telling us all to log off and log back on so the new update scripts would take hold.

But considering a) a lot of people just lock their computers when they leave and b) on the desktop side a lot of users are there at allllll hours of the day, I wonder if they will all get the message.


If you don't see a USA Today out, then you'll know what happened.

Zoilo
08-14-03, 11:57 AM
Hmm...You know what...I've been hearing about this thing all week and I've yet to get infected. Then again, I'm running behind a linksys router with NAT and Sygate software firewall. Also, the only thing I've really been doing in terms of network are web surfing and AIM chatting so those are the only programs that I have allowed on my software firewall (in addition to the network services that are necessary of course). Plus I have no AV software. :D

n17ikh
08-14-03, 04:19 PM
I haven't got infected yet, but maybe it's my dialsuck connection... I'm running Trend PCCillin (Not the best, but free) but not actually scanning for anything. I also have no firewall... :D

Christoph
08-14-03, 09:44 PM
I think Dave Barry summed it up well in his blog (http://davebarry.blogspot.com/2003_08_01_davebarry_archive.html#106078970644962968):
IS IT JUST THIS BLOG, OR...
...does "The Blaster Worm" sound to you like an affectionate nickname a guy might give to his male unit?


If nothing else, this episode underscores the importance of updating windows frequently. Not that we Linux users don't need to update too. :D

bubba gump
08-14-03, 11:39 PM
Had to remove it from two boxes today. I just hope that it doesn't hit any of the computers at my parents' work, so I'm going to add the patches (because everyone there is computer illiterate and expects someone else to update the stuff), because I don't want them to lose a couple hours of work (real estate place) time; they can get a lot done in that... heh, I'm not even a worker there :rolleyes: I guess I could say I will have racked up my good deeds for a couple weeks :o

Fold and Frag on
Brian

JoT
08-17-03, 04:05 PM
Odd, everyone's saying that Microsoft doesn't inform their customers, but I received this email:


Date: 8/16/2003 09:43:36 -0700
From: "Microsoft" <0_51187_D9157AA8-8146-4620-AFC3-18C8B220AA38_US@Newsletters.Microsoft.com>
Reply-to: <3_51187_D9157AA8-8146-4620-AFC3-18C8B220AA38_US@Newsletters.Microsoft.com>
To: <jot@zeronsystems.com>
Subject: IMPORTANT SECURITY ANNOUNCEMENT - for Windows Users re: Blaster Worm
This e-mail message is being sent to you by Microsoft Corporation. To verify the authenticity of this e-mail message, please visit: http://go.microsoft.com/?linkid=222103


Dear Microsoft Customer,

On August 11, 2003, Microsoft began investigating a report of a worm, known as W32.Blaster.Worm, that exploits the vulnerability addressed by Microsoft Security Bulletin MS03-026. Microsoft released this critical security bulletin and corresponding patch for Windows operating systems on July 16, 2003. While some customers may not notice the presence of the worm infection at all on their computer systems, typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input or Windows NT4 and Windows 2000 systems becoming unresponsive.

If you applied security patch MS03-026 prior to the discovery of the Blaster worm, your system is secure from the vulnerability that W32.Blaster is using. For the most current information on determining if your systems are infected and how to recover from the infection, please go to the following Web site and perform the prescribed steps: http://go.microsoft.com/?linkid=222104. This site will be updated as more information regarding the W32.blaster worm becomes available.

Our goal is to provide you with the information and tools you need to help run your company safely and reliably. When we become aware of these types of vulnerabilities, it is our goal to share protection and remediation information with you as quickly as is possible. In order to help protect your computing environment from security vulnerabilities, we encourage you to use the Windows Update service by going to http://go.microsoft.com/?linkid=222105 and also subscribe to Microsoft's security notification service at http://go.microsoft.com/?linkid=222106. By using these two services you will automatically receive information on the latest software updates and the latest security notifications, thereby improving the likelihood that your computing environment will be safe from the worms and viruses that occur.

Thank you,

Microsoft Corporation

For information about Microsoft's privacy policies, please go to http://go.microsoft.com/?linkid=222102


I'm not exactly sure if this is 100% legit, as I haven't opened any of the links, mainly because I don't need to patch (what's that, a responsible windows user? :eek:; I patched weeks ago).

I do not run XP, and the times that I have, I did not register it. There are only two times I have given MS my email: one was when I registered to receive a demo of their 2003 Server, and I THINK once when I was surveyed on the site.

Audioaficionado
08-17-03, 05:58 PM
Originally posted by Shadow рс
Actually, neither the latest updates to my anti (which I'm religious about) nor the router saved me.

I was infected yesterday... 15 mins later I was clean. Still, the point that I had to shut down all of my systems one by one to scan them irked me... but I remain clean now.

what exactly is it that these guys are shooting for? Most famous virus or longest jail term?

How in the heck does it get past a NAT router firewall?

XWRed1
08-18-03, 11:43 AM
Originally posted by Audioaficionado


How in the heck does it get past a NAT router firewall?

NAT wouldn't help if you had a vulnerable box in the DMZ, or were for some reason forwarding port 135 to it, or someone put an infected computer on your LAN.
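
The third case above, an infected machine already inside the NAT boundary, is the one a perimeter firewall never sees, and it shows up instead as one internal host fanning out to many neighbours on TCP/135, the port Blaster exploited. Below is an added example, not code from any post in this thread, of a small C detector that runs over firewall or router log lines and flags any source that probed TCP/135 on many distinct destinations, whether the attempts were allowed or denied (a denied probe is still evidence of scanning). The "src dst proto dport action" line format, the addresses, and the threshold of 5 distinct destinations are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define IPLEN 16
#define MAX_SRC 64
#define MAX_DST 256

/* Constructed log lines for this example (not from the thread), one flow per
 * line: "src dst proto dport action". 10.0.0.5 behaves like an infected LAN
 * host fanning out on TCP/135; 10.0.0.9 touches only two hosts. */
static const char *const sample_log[] = {
    "10.0.0.5 10.0.0.17 tcp 135 allow",
    "10.0.0.5 10.0.0.18 tcp 135 allow",
    "10.0.0.5 10.0.0.19 tcp 135 deny",
    "10.0.0.5 10.0.0.17 tcp 135 allow",      /* repeat destination: not new fan-out */
    "10.0.0.9 10.0.0.17 tcp 135 allow",
    "192.168.1.2 203.0.113.10 tcp 80 allow", /* ordinary web traffic: ignored */
    "10.0.0.5 10.0.0.20 tcp 135 allow",
    "10.0.0.5 10.0.0.21 tcp 135 allow",
    "10.0.0.9 10.0.0.18 tcp 135 allow",
    "10.0.0.5 10.0.0.22 tcp 135 deny",
    "10.0.0.5 10.0.0.23 udp 135 allow",      /* wrong protocol: ignored */
    "garbage line",                          /* malformed: skipped, not fatal */
    "10.0.0.5 10.0.0.24 tcp 135 allow",
    "10.0.0.5 10.0.0.25 tcp 135 allow",
};
#define SAMPLE_LOG_LEN ((int)(sizeof sample_log / sizeof sample_log[0]))

/* Per-source record of distinct destinations probed on TCP/135. */
struct src_stat {
    char ip[IPLEN];
    char dsts[MAX_DST][IPLEN];
    int ndst;
};

static struct src_stat stats[MAX_SRC];
static int nstats;

static struct src_stat *get_src(const char *ip)
{
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].ip, ip) == 0)
            return &stats[i];
    if (nstats == MAX_SRC)
        return NULL;                          /* table full: drop rather than overflow */
    struct src_stat *s = &stats[nstats++];
    snprintf(s->ip, IPLEN, "%s", ip);
    s->ndst = 0;
    return s;
}

static void add_dst(struct src_stat *s, const char *dst)
{
    for (int i = 0; i < s->ndst; i++)
        if (strcmp(s->dsts[i], dst) == 0)
            return;                           /* already counted this destination */
    if (s->ndst < MAX_DST)
        snprintf(s->dsts[s->ndst++], IPLEN, "%s", dst);
}

/* Returns how many sources probed at least `threshold` distinct destinations
 * on TCP/135 (allowed or denied), copying their IPs into `flagged`. */
int find_scanners(const char *const *lines, int nlines, int threshold,
                  char flagged[][IPLEN], int max_flagged)
{
    nstats = 0;
    for (int i = 0; i < nlines; i++) {
        char src[IPLEN], dst[IPLEN], proto[8], action[8];
        unsigned dport;
        if (sscanf(lines[i], "%15s %15s %7s %u %7s", src, dst, proto, &dport, action) != 5)
            continue;                         /* malformed line: skip it */
        if (strcmp(proto, "tcp") != 0 || dport != 135)
            continue;                         /* only the worm's TCP/135 probes count */
        struct src_stat *s = get_src(src);
        if (s)
            add_dst(s, dst);
    }
    int n = 0;
    for (int i = 0; i < nstats && n < max_flagged; i++)
        if (stats[i].ndst >= threshold)
            snprintf(flagged[n++], IPLEN, "%s", stats[i].ip);
    return n;
}

/* Wrappers over the constructed sample so results can be checked by name. */
static char first_flagged[IPLEN];

int sample_flagged_count(int threshold)
{
    char flagged[MAX_SRC][IPLEN];
    int n = find_scanners(sample_log, SAMPLE_LOG_LEN, threshold, flagged, MAX_SRC);
    snprintf(first_flagged, IPLEN, "%s", n > 0 ? flagged[0] : "");
    return n;
}

const char *sample_first_flagged(void) { return first_flagged; }

int main(void)
{
    int n = sample_flagged_count(5);
    printf("%d source(s) fanned out on tcp/135 to 5+ hosts%s%s\n",
           n, n > 0 ? ": " : "", sample_first_flagged());
    return 0;
}
```

On the constructed sample, 10.0.0.5 is flagged and 10.0.0.9 is not; on a real router log, the hosts this turns up are the ones to pull off the LAN and run the removal tool on, since a 3000-PC site like the one described earlier in the thread cannot find them by walking desk to desk.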

Audioaficionado
08-18-03, 01:10 PM
I'm not sure how the patch works, but all someone would have to do is redirect the worm to another port/ports to nullify the patch?

Cyrix_2k
08-18-03, 01:12 PM
I'm not going to patch. I say "don't fix what ain't broken". Anyway, I have a NAT firewall and blocked the ports the worm uses. I might update my Dad's system since he NEEDS it for work.

BTW, I have not installed a single patch on my laptop since I got it and it is still working fine. I stopped patching when a patch screwed my Dad's box up (that was before I got the laptop). At least I have an excuse for not patching. And I did block the ports the worm uses. I figured that's enough.

JoT
08-18-03, 06:07 PM
Originally posted by Cyrix_2k
I'm not going to patch. I say "don't fix what ain't broken". Anyway, I have a NAT firewall and blocked the ports the worm uses. I might update my Dad's system since he NEEDS it for work.

BTW, I have not installed a single patch on my laptop since I got it and it is still working fine. I stopped patching when a patch screwed my Dad's box up (that was before I got the laptop). At least I have an excuse for not patching. And I did block the ports the worm uses. I figured that's enough.

You're a prime example of a typical lazy net admin. This is why worms like this spread over the internet and networks like crazy.

Cyrix_2k
08-18-03, 09:19 PM
Shouldn't the firewall protect me? I really don't want to patch. It has screwed up my comp before. If there is a need to patch I will. It doesn't take me long, as I do have a broadband connection (cable). And I run Norton on almost every box I have. I don't run it on my laptop 'cause it slows it down soooo much.

And I'm not too lazy. I patch everything else and back up a lot. I just don't want to patch Windows 'cause it screwed up my comp. And no, SP1 wasn't what did it. I did install SP1.

And just so people don't forget my question, isn't a firewall with the proper ports blocked enough protection? I blocked the ports norton told me the virus uses. There were 3 ports and one of them was 135.

XWRed1
08-19-03, 12:25 AM
Yes, a firewall could stop you from getting it through the firewalled interface.

Still, using a firewall is like putting a band-aid on a broken leg. I can understand being burnt by patches... apparently lots of people get burnt by Microsoft's patches.

Cyrix_2k
08-19-03, 10:05 AM
Thanx, so a firewall is all I really need for this worm. I'm going to patch my dad's PC after he backs up and see what happens.

hkgonra
08-19-03, 10:34 AM
I just want to make sure of this: if you patched with the patch from MS that came out in July, then you could not get infected with this, right?

litghost
08-19-03, 11:05 AM
Originally posted by Cyrix_2k
Shouldn't the firewall protect me? I really don't want to patch. It has screwed up my comp before. If there is a need to patch I will. It doesn't take me long, as I do have a broadband connection (cable). And I run Norton on almost every box I have. I don't run it on my laptop 'cause it slows it down soooo much.

And I'm not too lazy. I patch everything else and back up a lot. I just don't want to patch Windows 'cause it screwed up my comp. And no, SP1 wasn't what did it. I did install SP1.

And just so people don't forget my question, isn't a firewall with the proper ports blocked enough protection? I blocked the ports norton told me the virus uses. There were 3 ports and one of them was 135.
Why don't you want to patch this? It took me 12 sec max. I even think it fits on a floppy. If your dad's machine has been patched, just move the patch onto your machine and run it. Nothing could be simpler. This patch couldn't screw anything up; all it's doing is fixing a range check error.

Cyrix_2k
08-19-03, 12:57 PM
So this patch can't screw anything up? :) Ok I'll patch. Just don't want to screw my system up. That's all.

litghost
08-19-03, 01:53 PM
From what I understand it only patches one file, which has bounds checking that doesn't work, or no bounds check at all.
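
For readers who have not seen what "a bounds check that doesn't work" looks like in code, here is an added example. It is not code from this thread and not Microsoft's fix; the one-byte length-prefixed request format is invented for illustration and is not the RPC/DCOM wire format. It shows the general pattern the posts above are describing: a copy driven by an attacker-supplied length field with no comparison against the destination's capacity, beside the corrected version. The `guard` field is an assumption of the example and stands in for whatever sits just past the buffer in real code (other locals, a saved return address); a 68-byte payload lands exactly on it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative request layout (constructed for this example): byte 0 is the
 * declared payload length, bytes 1..n are the payload. */
#define BUF_CAP 64
#define GUARD_VALUE 0xCAFEF00Du

struct frame {
    char buf[BUF_CAP];          /* fixed-size destination, like a local stack buffer */
    volatile uint32_t guard;    /* stands in for whatever sits just past the buffer */
};

/* Vulnerable: the attacker-supplied length byte drives the copy, and nothing
 * compares it with the 64-byte capacity of the destination. */
int copy_unchecked(struct frame *f, const uint8_t *req, size_t reqlen)
{
    f->guard = GUARD_VALUE;
    if (reqlen < 1)
        return -1;
    size_t declared = req[0];
    char *dst = f->buf;
    for (size_t i = 0; i < declared && i + 1 < reqlen; i++)
        dst[i] = (char)req[i + 1];   /* writes past buf[63] when declared > 64 */
    return (int)declared;
}

/* Fixed: reject a declared length larger than the destination or larger than
 * the bytes actually present, then copy with the now-bounded length. */
int copy_checked(struct frame *f, const uint8_t *req, size_t reqlen)
{
    f->guard = GUARD_VALUE;
    if (reqlen < 1)
        return -1;
    size_t declared = req[0];
    if (declared > BUF_CAP || declared > reqlen - 1)
        return -1;                   /* the missing range check */
    memcpy(f->buf, req + 1, declared);
    return (int)declared;
}

typedef int (*copy_fn)(struct frame *, const uint8_t *, size_t);

/* Builds a request whose length byte matches `payload_len` bytes of 'A'
 * (payload_len <= 255), runs `fn`, and reports whether the guard survived. */
static int run_request(copy_fn fn, size_t payload_len, int *guard_ok)
{
    uint8_t req[1 + 255];
    req[0] = (uint8_t)payload_len;
    memset(req + 1, 'A', payload_len);
    struct frame f;
    int rc = fn(&f, req, 1 + payload_len);
    *guard_ok = (f.guard == GUARD_VALUE);
    return rc;
}

int demo_result(copy_fn fn, size_t payload_len)
{
    int ok;
    return run_request(fn, payload_len, &ok);
}

int demo_guard_ok(copy_fn fn, size_t payload_len)
{
    int ok;
    run_request(fn, payload_len, &ok);
    return ok;
}

int main(void)
{
    /* 68 = BUF_CAP + sizeof(guard): the overlong payload lands exactly on the guard. */
    printf("unchecked, 16 bytes: rc=%d guard_ok=%d\n",
           demo_result(copy_unchecked, 16), demo_guard_ok(copy_unchecked, 16));
    printf("unchecked, 68 bytes: rc=%d guard_ok=%d\n",
           demo_result(copy_unchecked, 68), demo_guard_ok(copy_unchecked, 68));
    printf("checked,   68 bytes: rc=%d guard_ok=%d\n",
           demo_result(copy_checked, 68), demo_guard_ok(copy_checked, 68));
    return 0;
}
```

Both versions accept the 16-byte request; only the unchecked one accepts the 68-byte request, and it does so by overwriting the guard with 'A's. In a real service the bytes past the buffer are what an exploit aims at, which is why a one-line range check is a serious patch even though it changes a single file.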

Cyrix_2k
08-19-03, 06:25 PM
K, that doesn't sound too bad. Anyway, could I just turn the RPC service off using the services.msc?

Crash893
08-19-03, 07:08 PM
Word on the street is there is a worm out there now that is combating the msblaster worm by downloading the patch and restarting your machine.


http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

litghost
08-19-03, 08:12 PM
If that's real, I'm all for it, really. It's only malicious in that it restarts your comp. If you can be hurt by restarting (i.e. business), you'll already be patched; if not, then you are now safe. It even deletes itself. How kind.

XWRed1
08-19-03, 08:46 PM
Originally posted by Cyrix_2k
K, that doesn't sound too bad. Anyway, could I just turn the RPC service off using the services.msc?

No. Windows won't work without RPC.

SniperXX
08-22-03, 12:34 AM
Originally posted by JoT


You're a prime example of a typical lazy net admin. This is why worms like this spread over the internet and networks like crazy.

I'm sorry, but I have to agree with JoT. I am annoyed @ all the ppl that don't patch their systems, especially the ones with broadband. You got NO EXCUSE. :mad: It only takes a bit. I keep all 10 systems here @ my house fine and updated; it's no big deal. If ppl would not be lazy and get the patches, all would be good.

I am also really ticked off because I've got Adelphia Cable, which is going close to the speed of dial-suck. This ticks me off since the problem has to do with all their switches and hubs being bogged down by all the Blaster-infected systems on it. My speed has dropped from 3.5MB down to 1MB down with tons of packet loss and timing out from websites. A few of my friends and I called to complain and were all told by some of the higher-up ppl, not just the tech support ppl, that it was due to Blaster.

If ppl would stop being lazy. It's not like getting updates is very hard or takes time, sheesh!

:mad: :mad: :mad: :mad: :mad:

Audioaficionado
08-22-03, 05:00 AM
Originally posted by SniperXX
I'm sorry, but I have to agree with JoT. I am annoyed @ all the ppl that don't patch their systems, especially the ones with broadband. You got NO EXCUSE. :mad: It only takes a bit. I keep all 10 systems here @ my house fine and updated; it's no big deal. If ppl would not be lazy and get the patches, all would be good.

Yeah it was no big deal to actually DL and install this patch.

OTOH always read the KB articles on all and any patches offered by M$ to see if it really applies to you and if they have your best interests at heart or just something that is meant to break competitor's apps. Anything that says you can't uninstall it should also raise a red flag and be researched before applying it. DX9 beta is a prime example of something you wouldn't have wanted installed unless you reinstall your OS frequently for a hobby.

Hey it ain't that hard once you've done it several times :p

Labotomy Jack
08-22-03, 04:04 PM
What should you do when threatened by the blaster worm?

Do what M$ does: Use Linux! (http://story.news.yahoo.com/news?tmpl=story&cid=74&ncid=738&e=9&u=/cmp/20030821/tc_cmp/13100775)

L337 M33P
08-22-03, 04:19 PM
Originally posted by XWRed1


No. Windows won't work without RPC.

Mine does :p - no virus as of yet, but I have a NAT router and Zonealarm firewall :-/

Audioaficionado
08-22-03, 06:05 PM
Originally posted by L337 M33P
Mine does :p - no virus as of yet, but I have a NAT router and Zonealarm firewall :-/

Without RPC, Windows will shut down. The reason the worm shuts down the computers is that it shuts off RPC and the OS reboots to restart it.

XWRed1
08-22-03, 08:40 PM
Originally posted by L337 M33P
Mine does :p

Then you haven't turned off rpc.

L337 M33P
08-23-03, 03:40 AM
Woops I agree - I looked at all the services that depend on it lol - pretty much all of windows. I really should stop talking out of my behind.

fiji
08-24-03, 01:31 AM
Originally posted by XWRed1
How would you suggest they inform their customers? Besides putting it all over the television news, in the newspaper, and publicizing it enough so most computer-oriented websites pick it up?

Even after all that there's people who didn't patch. Hell, even if they only informed their legitimate customers, the majority of Windows users would still be uninformed.

speaking of not patching, i havent

Audioaficionado
08-24-03, 02:51 AM
As more and more typically ignorant Windows users get these worms/viruses and my email addy gets harvested, I get weekly increases of spam for special creams and pills to make me more like a horse in certain ways in just days. There's lots of other crap spam, but these are the most annoying. I never download them but delete them off the mail server, but it all adds up to wasted bandwidth for the net as a whole.

I hate to see the internet get shackled like Ed said, but if this keeps getting worse, it's gonna happen and force us all to adopt the dreaded Palladium technology and the few OSes/software/hardware that will support it.

Cyrix_2k
09-26-03, 02:55 PM
Ok, by the time of my last post, I had patched all of our XP machines except my laptop and my dad's backup machine. My laptop is hardly ever on the net, so I don't run anti-virus software, firewalls, or anything else pertaining to the net besides Explorer.
The backup machine gets turned on about once a month so I can update my dad's software. It really just sits there. About a week ago, I did patch that machine too.

BTW, I also have adelphia. I hate those people, the speed is horrible no matter what. I got 3 months free because I complained to them so much though :D